Using Administration/Updates for fixing security findings in TeamCity still shows vulnerabilities

We installed TeamCity Server back in 2017, Version 2017.2.2 (build 50909), and have run updates on the Administrator/Update screen to update to the current version, 2023.05.4 (build 129421), which we are running now. I know that there are some files that are not updated by running the update through the TeamCity server.

When the patch for CVE-2023-42793 was released, we ran the TeamCity Server update as we've always done and thought that we had fixed the vulnerability.

https://blog.jetbrains.com/teamcity/2023/10/cve-2023-42793-vulnerability-in-teamcity-update/

Lately our security office through their scanning has notified us that we still have a vulnerable version of the TeamCity software. This is the finding that we were sent.

Is there a way to fix this security problem?

1 comment

Hi,

This is a false positive, because auto-upgrade does not update those records at the moment. We already have a bug entry on our tracker: https://youtrack.jetbrains.com/issue/TW-67253. For now, kindly update both records to reflect the information from 2023.05.4 (build 129421), and specifically use the build number 129421. This adjustment will help prevent any potential false positives. I apologize for any inconvenience this may have caused.

HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\JetBrains TeamCity
DisplayVersion = 2023.05.4 (build 129421)

and

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JetBrains\TeamCity\Server
Version = 129421

We also had an influx of upgrades recently with this new CVE, and the priority of this issue has been bumped up - the target version is currently set as 2023.11, so hopefully the fix will be made soon.

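The registry correction described in the reply above, as an added PowerShell example (not part of the original thread and not JetBrains code). The two key paths and value names are the ones quoted in the reply; the default version and build strings are the ones given there and are assumptions about your server, so pass the values your TeamCity server actually reports if they differ.

```powershell
# Added example: audit the two registry records a scanner reads for the TeamCity
# version, and correct them when they are stale after an in-product auto-upgrade.
# Defaults are the values quoted on this page; override them to match the version
# shown by the running server.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DisplayVersion = '2023.05.4 (build 129421)',
    [string]$Build          = '129421'
)

$records = @(
    @{ Path     = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\JetBrains TeamCity'
       Name     = 'DisplayVersion'
       Expected = $DisplayVersion },
    @{ Path     = 'HKLM:\SOFTWARE\Wow6432Node\JetBrains\TeamCity\Server'
       Name     = 'Version'
       Expected = $Build }
)

foreach ($r in $records) {
    # A missing key means TeamCity was not installed by the Windows installer here.
    if (-not (Test-Path -LiteralPath $r.Path)) {
        Write-Warning "Key not found, skipping: $($r.Path)"
        continue
    }

    # Read the current value; a missing value yields $null rather than an error.
    $item    = Get-ItemProperty -LiteralPath $r.Path -Name $r.Name -ErrorAction SilentlyContinue
    $current = $item.($r.Name)

    if ($current -eq $r.Expected) {
        Write-Output "OK     $($r.Name) = '$current'"
        continue
    }

    Write-Output "STALE  $($r.Name) = '$current' (expected '$($r.Expected)')"

    # Honors -WhatIf / -Confirm, so the script can be run as a read-only audit first.
    if ($PSCmdlet.ShouldProcess("$($r.Path)\$($r.Name)", "Set to '$($r.Expected)'")) {
        Set-ItemProperty -LiteralPath $r.Path -Name $r.Name -Value $r.Expected
    }
}
```

Run it from an elevated session with `-WhatIf` first to see which records are stale without changing them. Confirm the server's real version on its own administration pages before writing, since these records only affect what the scanner reports.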