We have just released an important update for all IntelliJ-based IDEs. This update addresses critical security vulnerabilities inside the underlying IntelliJ Platform. The vulnerabilities, in various forms, are also present in older versions of the IDEs; therefore, patches for those are also available.
While we have had no reports of any active attacks against these vulnerabilities, we strongly recommend that all users install the update as soon as possible.
Please read more on the issues and ways to update below.
Built-in web server vulnerabilities
The cross-site request forgery (CSRF) flaw in the IDE’s built-in web server allowed an attacker to access the local file system from a malicious web page without user consent.
Internal RPC vulnerabilities
Over-permissive CORS settings allowed attackers to use a malicious website to access various internal API endpoints, read data saved by the IDE, gather meta-information such as the IDE version, or open a project.
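Both issues above come down to a local web server trusting the browser too much: reflecting any page’s Origin (and allowing credentials) lets a foreign site read internal API responses, and accepting a plain cross-site request lets it trigger actions. The following is an added illustration, not JetBrains code and not a reproduction of the IntelliJ Platform’s actual endpoints or of the shipped fix. The port, the endpoint path, the `X-Ide-Token` header and the session-token scheme are assumptions chosen to show the permissive policy beside a hardened one.

```python
"""Added example (not JetBrains code): an over-permissive CORS policy for a
local tool's HTTP endpoint next to a hardened one.  The port, endpoint path,
X-Ide-Token header and token scheme are assumptions for illustration and are
not the IntelliJ Platform's actual API or fix."""
import secrets

# Constructed sample: the tool listens on a loopback port and trusts only the
# pages it serves itself.  The port number is made up.
IDE_ORIGIN = "http://localhost:63342"
ALLOWED_ORIGINS = {IDE_ORIGIN}

# Per-session secret handed only to pages the tool opens itself.  A foreign
# page cannot obtain it, because the browser blocks cross-origin reads.
SESSION_TOKEN = secrets.token_urlsafe(32)


def permissive_policy(request):
    """The vulnerable pattern: reflect whatever Origin arrives and allow
    credentials, so any website the user visits can read the response."""
    origin = request.get("headers", {}).get("Origin", "*")
    return {
        "status": 200,
        "headers": {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
        },
    }


def hardened_policy(request, session_token=None):
    """Explicit origin allowlist, a required custom token header (which also
    forces a CORS preflight for cross-origin callers) and no reflection of
    untrusted origins."""
    token = SESSION_TOKEN if session_token is None else session_token
    headers = request.get("headers", {})
    origin = headers.get("Origin")

    # Rule 1: only allowlisted origins may call internal APIs at all.
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return {"status": 403, "headers": {}}

    # Rule 2: a preflight from an allowed origin just announces the token header.
    if request.get("method") == "OPTIONS":
        return {
            "status": 204,
            "headers": {
                "Access-Control-Allow-Origin": origin or IDE_ORIGIN,
                "Access-Control-Allow-Headers": "X-Ide-Token",
                "Vary": "Origin",
            },
        }

    # Rule 3: every real call must carry the session token.  A cross-site
    # <form>, <img> or top-level navigation cannot add this header, so a
    # missing or wrong token is the CSRF case and is refused.
    if not secrets.compare_digest(headers.get("X-Ide-Token", ""), token):
        return {"status": 401, "headers": {}}

    return {
        "status": 200,
        "headers": {
            "Access-Control-Allow-Origin": origin or IDE_ORIGIN,
            "Vary": "Origin",
        },
    }


def compare_policies(foreign_origin="https://example.invalid"):
    """Run a cross-site GET without a token and a trusted same-origin call
    through both policies; returns the status codes for comparison."""
    cross_site = {"method": "GET", "path": "/api/file",
                  "headers": {"Origin": foreign_origin}}
    trusted = {"method": "GET", "path": "/api/file",
               "headers": {"Origin": IDE_ORIGIN, "X-Ide-Token": SESSION_TOKEN}}
    return {
        "permissive_cross_site": permissive_policy(cross_site)["status"],
        "hardened_cross_site": hardened_policy(cross_site)["status"],
        "hardened_trusted": hardened_policy(trusted)["status"],
    }


if __name__ == "__main__":
    print(compare_policies())
```

The point of the pairing is that an allowlist alone is not enough: a request that arrives without an Origin header (an image tag or a top-level form post from another site) still has to prove it came from a page the tool itself opened, which is what the per-session token does.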
Our huge thanks go to Jordan Milne for disclosing these issues and working closely with us, and to the Android Studio team at Google for their excellent collaboration while working on the fixes.
What to do
To install the update simply select ‘Check for Updates’ from inside the IDE or visit www.jetbrains.com to download the most recent version. Alternatively, read below for download links to older product versions.
For more details about the security update and in case of additional questions, refer to the FAQ below.
FAQ
Q: What products / versions are updated?
A: All JetBrains products built on the IntelliJ Platform are affected. The table below shows the minimum version for which an update is released. If you are using the listed version or a higher one, you need to update.
| Product | Updates available as of version (build number) |
|---|---|
| AppCode | 2.1 (129.772) |
| CLion | 1.0 (141.353) |
| DataGrip | 1.0 (143.1410.7) |
| IntelliJ IDEA | 12.1 (129.161) |
| MPS | 3.0 (129.350) |
| PhpStorm | 6.0 (129.291) |
| PyCharm | 2.7 (125.57) |
| PyCharm Edu | 1.0 (139.280) |
| Rider | Private EAP builds prior to build 144.5342 |
| RubyMine | 5.4 (129.241) |
| WebStorm | 6.0 (127.68) |
Q: Are earlier versions affected?
A: We are not aware of similar vulnerabilities in older versions. The built-in web server was introduced in December 2012 (branch 129.x), and the internal RPC vulnerabilities fixed here did not exist in older versions. Older versions may still contain other vulnerabilities, which is why we recommend upgrading your IDE if it was released more than 3 years ago.
Q: What products are NOT affected?
A: ReSharper, ReSharper C++, dotCover, dotMemory, dotTrace, dotPeek, TeamCity, YouTrack, Upsource and Hub are not affected and do not need this security update.
Q: I need a full download rather than a patch for an earlier version of the IDE. Where can I download it?
A: Check the previous versions page for your product below. All updates published after May 10th contain the security update.
- AppCode
- CLion
- DataGrip — please get the latest version from product website
- IntelliJ IDEA
- MPS
- PhpStorm
- PyCharm
- PyCharm Edu — please get the latest version from product website
- Rider — you should receive an email with a fresh download link
- RubyMine
- WebStorm
Q: I’m unable to update to the latest version. Where can I get help?
A: Please contact us about the problems that prevent you from updating.
Q: I’m building an IDE on IntelliJ Platform. What should I do?
A: Please check out the latest source code from the branch you are currently using and rebuild your product. For any questions or concerns, contact security@jetbrains.com or the partner team at busdev@jetbrains.com.
Q: I’m using an IDE built on IntelliJ Platform but not from JetBrains. What should I do?
A: We have been in contact with our partners building on IntelliJ Platform. Updates for Android Studio 1.5.x and 2.x should be available already. Please contact the vendor of the IDE for an update. If you have other questions, please contact us.
Q: I’m developing a plugin for IDEs built on IntelliJ Platform. Does my plugin need an update?
A: No, plugins are not affected.
Q: I’d like to be notified about security vulnerabilities in the future.
A: You can subscribe to the security bulletin at www.jetbrains.com/security/subscribe.
JetBrains Team
The Drive to Develop
Was the bug exploitable when you didn’t start any server, e.g. when you only developed an Android/Desktop app?
The web server is active as soon as you start the IDE, so as such it is vulnerable. The updates will address this problem.
But what if I don’t want the IDE to start a webserver? How do I stop that?
My WebStorm 2016 on Mac became a brick. Rolling back…
No, can’t roll back – you don’t have a 2016 version in Previous WebStorm Releases. Need to roll further back to 11.
Why a brick? What’s the issue?
We would really appreciate if you provide a bit more details about the problem. Can you please send us the content of your IDE log folder (menu Help – Show log) on https://youtrack.jetbrains.com/issues/WEB.
Thank you!
Seems like I have the same issue here. Right after the update, IDE just won’t start.
“PhpStorm quit unexpectedly”, the alert says. Just crashes on start. Here is the issue with logs: https://youtrack.jetbrains.com/issue/WEB-21586
Thanks for reporting it. Sorry for the inconvenience.
Trying to download OS X version, got this:
AccessDenied
Access Denied
206A530861DFFBA2
ijfXc1Wn128We6HEdyPzWY1zgutm0lsNlJo3HZZPoJ2vUjmFYRn6+uWtiRkIT7PW52lvT8m/EVY=
Really sorry for the inconvenience. But please specify more details. What product and version is it? Thank you
Never mind, it is working now.
It was IntelliJ IDEA 15.0.6 for OS X.
When trying to update an older version of Webstorm (10.0), I receive the following error:
Failed to download patch file:
Cannot download ‘http://download-cf.jetbrains.com/webstorm/WS-141.1550-141.3058-patch-win.jar’: Server returned HTTP response code: 403 for URL: http://download-cf.jetbrains.com/webstorm/WS-141.1550-141.3058-patch-win.jar
, response: 403 Forbidden
Thanks for the report! We’re investigating. Will let you know. In the meanwhile, you can make a fresh install – here you can find a link: https://confluence.jetbrains.com/display/WI/Previous+WebStorm+Releases
Sorry about that. Pinged the team. They’re looking into it.
Oh, actually already found the issue and re-uploaded the patch update. Please try in an hour or so. Sorry for the inconvenience.
If I’m using the PHPStorm 2016.1.1 EAP, is that sufficient?
Yes, you need to update from 145.969 to 145.970 (from EAP to 2016.1.1).
Can you please document what exactly has been changed? What does IntelliJ now expect requests to include in order to be allowed?
I was relying on this server in my development environment. I had it integrated with a reverse proxy. That is all completely broken and I can’t fix it because there is zero useful information that I can find.
When trying to install the patch (11.0.4) for Webstorm 11.0.3 on Windows 10, Windows Defender removes some of the files due to containing a virus:
C:\Users\user\AppData\Local\Temp\idea.updater.files.tmp.0\temp.tmp.2
PhpStorm constantly crashing on opening @ Mac OS X 10.10.5
Rolled it back to 2016.1, thank Odin I have a copy
Same with Intellij IDEA on mac os x 10.10.5. I opened a ticket – https://youtrack.jetbrains.com/issue/IDEA-155856
Thanks for reporting it. Sorry for the inconvenience.
What about Project Rider? I checked for updates and it said I had the most up to date version
If your current version is 144.5342 or higher you are up-to-date.
Ok, Thank you
Sorry guys, you have so many bugs in your recent updates, I’d like to wait before installing the most recent one.
Am getting a “java.io.IOException: Couldn’t create PTY” when trying to open a git terminal in PHPStorm. Used to work before the update
This most likely isn’t related to this fix. Is it possible to log a bug?
Well it was working fine this morning and not working anymore after I applied the patch.
Hi Alex, could you please file a bug to https://youtrack.jetbrains.com/issues/IDEA
Please attach your logs there.
Fixed it – I had to update the settings/tools/Terminal to use quotes like: “C:\Program Files\Git\bin\sh.exe” -login -i
Before it was setup without quotes but that stopped working after the update.
Thanks for the help
Thank you for the update.
I tried installing it a couple of times but it did not work; it kept showing that the release was still 2016.1.1 and that I need to update again.
I am using Ubuntu 15.10
Here, I’ve got another problem. Now, when I run my project (in Chromium), WebStorm asks for each of my resources (webp, webm, png) to “copy authorization URL to clipboard” for validation. My project contains dozens of resources; it’s not possible to validate each of these one by one.
When I try to apply the update on Linux (debian jessie/Gnome3) I get DataGrip restarting, but it just says there’s an update again each time it starts back up. Is this a known issue?
Seems the datagrip patch is 403:
[ 18865] ERROR – plication.impl.ApplicationImpl – Connection failed with HTTP code 403
com.intellij.util.io.HttpRequests$HttpStatusException: Connection failed with HTTP code 403. Status=403, Url=https://download.jetbrains.com/datagrip/DB-145.862-145.863-patch-unix.jar
PyCharm and WebStorm both updated fine on the same machine.
Hello!
It is a known issue, we hope to fix it in several hours.
Thanks!
I have a question about patching older releases, we are on 14.1.x currently.
Above in the blog post, it says that, “The vulnerabilities, in various forms, are also present in older versions of the IDEs; therefore, patches for those are also available.” Later it says regarding older versions to, “Check the previous versions page for your product below. All updates published after May 10th contain the security update.”
After downloading IntelliJ 14.1.7 from the previous IntelliJ releases page, it shows a build date of April 29th, 2016. This seems to indicate that it does not have the fix.
https://confluence.jetbrains.com/display/IntelliJIDEA/Previous+IntelliJ+IDEA+Releases
1. Is there a fix for 14.1.x?
2. Can the older releases that are patched with the fix be listed by version number in the blog post, or somewhere else?
3. Are IntelliJ licenses entitled to free updates and upgrades until a particular date eligible for bugfixes with the security fix (so long as they remain on the same major.minor release)?
Philip, yes 14.1.7 contains the fix. We built it earlier and it was being tested internally.
We’ve actually published it today so, it is later than May 10. But I see the confusion, will see how the text can be improved.
Thank you!
So, all answers:
1. Yes, there is
2. All versions of IntelliJ IDEA starting from 12.1.x that are published on https://confluence.jetbrains.com/display/IntelliJIDEA/Previous+IntelliJ+IDEA+Releases include the fix.
3. These updates are free, so whatever version is available to you can be updated using a corresponding bugfix update, considering it is 12.1 or newer.
Is there a CVE?
Unfortunately not yet. We’re in the process of receiving one.
Is the community version also affected?
Yes, it is. The updates for Community editions are available as well.
WebStorm 2016 1.2 (the one with the security fix) crashes for me on MacOS after updating (tried applying the patch and doing a fresh install using the distribution file from the website). In the old version, no WebStorm 2016 can be found. What am I supposed to do? Is rolling back to Webstorm 11 the only option?
Please see this for workaround https://intellij-support.jetbrains.com/hc/en-us/articles/208516145
I updated to PHPStorm 10 and it didn’t apply half of my exported settings that I imported from v8, and now that JetBrains releases a new *MAJOR* version every 3 months, I don’t want to have to reinstall that often, I’d prefer to just get updates.
The Major updates need to slow down to allow security patches like this to happen more easily rather than making us reinstall the entire program and risk losing a lot of configuration often.
Nice update, lose all settings, all configuration in all projects and all the local history. Epic win guys, epic win… This + lots of troubles recently (many crashes), I’m tired of this… where is the time when everything just worked properly? One year ago?
You are going too fast, you’re losing it
You shouldn’t have lost anything. Could you maybe provide us with some more information of your settings?
(quote)
The cross-site request forgery (CSRF) flaw in the IDE’s built-in webserver allowed an attacker to access local file system from a malicious web page without user consent.
(end_of_quote)
It would mean that I need to display a malicious website from within the IDE?
If I never display web content inside the IDE I am safe?
Am I getting this right?
Oliver, no not from within the IDE. A page can be open in the browser.