JetBrains vulnerability exploitation highlights debate over 'silent patching'
Czech software giant JetBrains harshly criticized security company Rapid7 this week following a dispute over two recently-discovered vulnerabilities.
In a blog post published Monday, JetBrains attributed the compromise of several customers’ servers to Rapid7’s decision to release detailed information on the vulnerabilities. “After the full disclosure was made, we started hearing from some customers who were noticing that their servers had been compromised,” the company said, providing four anonymous examples of customers who had been attacked.
“This was due to the immediate availability of publicly documented exploit examples published by Rapid7, which meant attackers of any skill level had all the resources they needed to quickly exploit the vulnerabilities in the wild.”
Two of the victims described in the blog had files encrypted by ransomware, JetBrains said.
Concern about the JetBrains vulnerabilities grew last week when the top cybersecurity agency in the U.S. warned of active exploitation and gave federal civilian agencies until March 28 to patch.
A JetBrains spokesperson said they could not confirm that the victims described in the blog were attacked after Rapid7 released the proof-of-concept code for the vulnerabilities, but said the victims contacted them after the details were released.
JetBrains said the attackers did not have a pattern of attack and simply targeted customers that had servers exposed over the internet.
“Hackers had different goals, from ransomware attacks to expanding their botnets,” a spokesperson said.
When contacted by Recorded Future News, Rapid7 would only say it strictly abides by its vulnerability disclosure policies and would not comment further. The multibillion-dollar firm employs about 2,200 people globally and has been a publicly-traded company for nearly a decade.
The dispute between the two companies began when Rapid7 researcher Stephen Fewer discovered and reported CVE-2024-27198 and CVE-2024-27199 to JetBrains in February.
JetBrains wanted to release patches privately before public disclosure, which Rapid7 objected to. JetBrains effectively stopped answering Rapid7’s messages before releasing a fixed version of the software on March 3 without notifying Rapid7 that fixes had been implemented and were generally available.
In line with their policy against the practice of silent patching — where companies quietly patch reported vulnerabilities without notifying customers — Rapid7 released the technical details of the vulnerabilities shortly after JetBrains made its fixes available to customers.
Rapid7 and many other cybersecurity experts say cybercriminals and other attackers can reverse-engineer patches to find ways around them. Experts also say that patches are often poorly done and need to be checked, typically by the researchers who discovered the bugs in the first place.
In its blog on Monday, JetBrains said that while it fully supports the disclosure of vulnerability details when a fix is released, they “provide only the necessary details for customers to understand the vulnerability’s scope and severity, enabling them to take the appropriate actions, but without disclosing so much information that it facilitates straightforward exploitation.”
JetBrains argued that for CVE-2024-27198 and CVE-2024-27199, they took steps to make the patch analysis harder for attackers through techniques such as obfuscation, which “would have usually allowed more time for many customers to patch their environment.”
“However, the full disclosure by Rapid7 removed that time gap without adding any value to our customers and users,” they said.
Recorded Future News spoke with several cybersecurity incident responders and researchers who disagreed with JetBrains’ assessment of the situation.
Cybersecurity expert John Bambenek said it is naïve to think that simply because a security company hasn’t released details of a vulnerability, the vulnerability is not already known to criminal or nation-state actors.
“As soon as a patch is released, many attackers immediately begin reverse-engineering that patch to develop an exploit for those who don’t patch quickly,” he said. “The finger-pointing distracts from the real issues, and that is organizations needing to be better about immediately patching high-severity vulnerabilities in a way that doesn’t impact product.”
Bob Huber, chief security officer and head of research at Tenable, added that JetBrains created more work for its customers by sharing limited details on the vulnerabilities and dismissing coordination efforts with the researchers.
The practice sent their customers “on a wild goose chase trying to understand where they are vulnerable,” Huber explained, noting that their actions only delayed the inevitable reverse-engineering that hackers do anyway.
Full transparency, he said, enables cybersecurity defenders to quickly investigate and resolve the issue before cyberattacks occur.
“I strongly believe that in order to effectively manage risk and communicate risk posture, risk leaders, such as myself, need to have the full picture. When a vendor silently issues patches, security leaders are left in the dark about their exposure to risk, which can lead to breaches and data theft,” Huber said.
“It is also naive to think that the vulnerabilities were heretofore unknown, and that no one had been exploiting them previously. Cybersecurity researchers are looking at JetBrains for vulnerabilities because adversaries are looking to exploit vulnerabilities in JetBrains software.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.