CVE-2021-37544 – CVE-2021-37544 is an insecure deserialization v... (How to Fix)

Q: What is the severity of CVE-2021-37544?

CVE-2021-37544 has a CVSS score of 9.8 (CRITICAL). CVE-2021-37544 is an insecure deserialization vulnerability in JetBrains TeamCity that allows remote attackers to execute arbitrary code on affected servers. This affects TeamCity installations before version 2020.2.4. Organizations using vulnerable TeamCity versions for CI/CD pipelines are at risk.

📋 TL;DR

CVE-2021-37544 is an insecure deserialization vulnerability in JetBrains TeamCity that allows remote attackers to execute arbitrary code on affected servers. This affects TeamCity installations before version 2020.2.4. Organizations using vulnerable TeamCity versions for CI/CD pipelines are at risk.

💻 Affected Systems

Products:

JetBrains TeamCity

Versions: All versions before 2020.2.4

Operating Systems: All supported platforms (Windows, Linux, macOS)

Default Config Vulnerable: ⚠️ Yes

Notes: All TeamCity installations before the patched version are vulnerable regardless of configuration.

📦 What is this software?

Teamcity by Jetbrains

View all CVEs affecting Teamcity →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the TeamCity server leading to full system takeover, data exfiltration, and lateral movement within the network.

🟠

Likely Case

Remote code execution allowing attackers to steal credentials, modify build processes, inject malicious code into software artifacts, or disrupt CI/CD operations.

🟢

If Mitigated

Limited impact if proper network segmentation, least privilege access, and monitoring are in place, though the vulnerability still presents significant risk.

🌐 Internet-Facing: HIGH - TeamCity servers exposed to the internet are highly vulnerable to exploitation attempts.

🏢 Internal Only: HIGH - Even internally accessible servers are at significant risk from compromised internal accounts or lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authentication but is relatively straightforward once access is obtained. The vulnerability is in the deserialization process of certain data structures.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2020.2.4 or later

Vendor Advisory: https://blog.jetbrains.com/blog/2021/08/05/jetbrains-security-bulletin-q2-2021/

Restart Required: Yes

Instructions:

1. Backup TeamCity configuration and data. 2. Download TeamCity 2020.2.4 or later from JetBrains. 3. Stop TeamCity service. 4. Install the new version following JetBrains upgrade documentation. 5. Restart TeamCity service. 6. Verify functionality.

🔧 Temporary Workarounds

Network Access Restriction

all

Restrict network access to TeamCity servers to only trusted IP addresses and networks.

Use firewall rules to limit inbound connections to TeamCity ports (default 8111)

Authentication Hardening

all

Implement strong authentication controls and monitor for suspicious login attempts.

Enable MFA, enforce strong password policies, implement account lockout policies

🧯 If You Can't Patch

Isolate TeamCity servers in a dedicated network segment with strict access controls
Implement application-level monitoring and alerting for suspicious deserialization activities

🔍 How to Verify

Check if Vulnerable:

Check TeamCity version in Administration → Server Administration → Server Health → Version

Check Version:

On TeamCity server: cat /opt/teamcity/version.txt (Linux) or check TeamCity web interface

Verify Fix Applied:

Verify version is 2020.2.4 or later and test deserialization-related functionality

📡 Detection & Monitoring

Log Indicators:

Unusual deserialization errors in TeamCity logs
Suspicious Java serialization payloads in request logs
Unexpected process execution from TeamCity service account

Network Indicators:

Unusual outbound connections from TeamCity server
Large serialized data transfers to/from TeamCity

SIEM Query:

source="teamcity.log" AND ("deserialization" OR "serialization" OR "java.io") AND (error OR exception OR warning)

📊 Metadata

CVE ID: CVE-2021-37544

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-502

Published: August 6, 2021

Last Updated: November 21, 2024

🔗 References

https://blog.jetbrains.com/blog/2021/08/05/jetbrains-security-bulletin-q2-2021/ Vendor Advisory
https://blog.jetbrains.com/blog/2021/08/05/jetbrains-security-bulletin-q2-2021/ Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-37544, you might also want to check these: