Teamscale was affected by the widely discussed log4shell (CVE-2021-44228) security vulnerability. We are now supplying updates to all recent versions.

Teamscale Updates Released

We just released upgrades for all current Teamscale major versions which will fix the log4shell security vulnerability.

You can find the new releases here: 

• Download: https://docs.teamscale.com/changelog/
• Docker Image: https://hub.docker.com/r/cqse/teamscale/tags

We have fixed the security issue with the following versions of Teamscale:

• 7.5.2 and newer
• 7.4.9 and newer 
• 7.3.12 and newer
• 7.2.12 and newer

We urge you to upgrade to a version of Teamscale that includes the security fix as soon as possible. If you are on an even older version, please use the JVM flag to fix the security problem as outlined below.

Please note:

If the JVM flag is applied correctly, an upgrade is not necessary to fix the security vulnerability anymore, but we still recommend it just to double check that everything is secure. 

Teamscale IDE Plugins

In case you are using the Teamscale IDE Plugins for Eclipse, IntelliJ or Netbeans, please upgrade these to the newest versions, as they are also affected by the security vulnerability. They are much harder to exploit than server side installations, but we strongly advise that you upgrade your installations as soon as possible.

We have pushed the updates to the relevant market places. The IntelliJ Marketplace might take a few hours to sign-off on the release. Therefore we have added a manual download link, if you want to upgrade right away.

• Eclipse: https://marketplace.eclipse.org/content/teamscale-eclipse-plugin (7.2.12, 7.3.12, 7.4.9 and 7.5.2 and newer)

• Netbeans: (7.2.12, 7.3.12, 7.4.9 and 7.5.2 and newer)
• IntelliJ: https://plugins.jetbrains.com/plugin/9431-teamscale-integration (7.5.2 and newer, Manual Download Link)

Action Required: Older Versions & Instances that cannot be updated today

If you are running version 7.1.x or older OR you cannot update your Teamscale instance today, please apply the following JVM flag, to secure your installation:

The log4shell security vulnerability can quickly be fixed in current deployments by adding a JVM flag to the jvm.properties file in the config/ folder of your Teamscale installation. Add the following to the JVM_EXTRA_ARGS line:

-Dlog4j2.formatMsgNoLookups=true

After adding the JVM flag, restart Teamscale. After the restart, Teamscale is now no longer vulnerable to the log4shell vulnerability.

CQSE Operated Instances

We have secured all CQSE operated instances. Additionally, we will also apply the just released updates soon. We will let you know as soon as your instance has been secured.

Questions

In case of questions, please contact our support at support@teamscale.com.