
IntelliJ IDEA License Server



CVSS Meta Temp Score: 7.4
Current Exploit Price (≈): $0-$5k
CTI Interest Score: 0.09

A vulnerability classified as problematic was found in JetBrains IntelliJ IDEA. Affected by this vulnerability is an unknown code block of the License Server component. Manipulation with an unknown input leads to a weak-authentication vulnerability; the CWE definition for the vulnerability is CWE-290 (authentication bypass by spoofing). As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

In JetBrains IntelliJ IDEA before 2020.1, the license server could be resolved to an untrusted host in some cases.

The weakness was presented on 04/22/2020 (website). The advisory can be read at blog.jetbrains.com. This vulnerability has been known as CVE-2020-11690 since 04/10/2020. Exploitation appears to be difficult. The attack can be launched remotely and doesn't need any form of authentication. The technical details are unknown and an exploit is not publicly available.


Upgrading to version 2020.1 eliminates this vulnerability.

See 154233, 154238, 154239 and 154240 for similar entries.


CVSSv3

VulDB Meta Base Score: 7.7
VulDB Meta Temp Score: 7.4
VulDB Base Score: 5.6
VulDB Temp Score: 5.4
NVD Base Score: 9.8


Exploiting

Class: Weak authentication
CWE: CWE-290
ATT&CK: Unknown
Local: No
Remote: Yes
Status: Not defined


Countermeasures

Recommended: Upgrade
Upgrade: IntelliJ IDEA 2020.1

Timeline

04/10/2020: CVE-2020-11690 assigned
04/22/2020 (+12 days): advisory published
04/23/2020 (+1 day): VulDB entry created
10/11/2020 (+171 days): VulDB entry updated

Sources

Advisory: blog.jetbrains.com
Status: Not defined
CVE: CVE-2020-11690

Entry

Created: 04/23/2020 10:30 AM
Updated: 10/11/2020 05:49 PM
Changes: (1) advisory_confirm_url


  • Introduction
    • System Requirements
  • Installing and Configuring License Server
    • Extending License Server to Use Custom Verification
  • Logging In
  • License Server Settings
  • Product-Specific Control Panel

About JetBrains License Server

JetBrains License Server is a web application that enables license administration across a single network.
License Server serves as a central point for distribution of licenses among multiple users and client machines in a network environment. It supports the following JetBrains products:

  • IntelliJ IDEA 7.0 or higher (Commercial licenses only). A License Server-compatible build of IntelliJ IDEA 6.0 is available upon request.
  • ReSharper 3.1 or higher (Commercial licenses only).
  • ReSharper C++ 1.0 or higher.
  • dotTrace 5.5 or higher (Commercial licenses only). Floating licenses are supported starting from dotTrace 3.1.
  • dotMemory 4.0 or higher (Commercial licenses only).
  • dotCover 1.0 or higher.
  • RubyMine 1.0 or higher.
  • PyCharm 1.0 or higher.
  • WebStorm 1.0 or higher.
  • PhpStorm 1.0 or higher.
  • AppCode 1.0 or higher.
  • CLion 1.0 or higher.

License Server issues and revokes license tickets to and from network clients based on the license keys that JetBrains provides after purchase. License Server allows single-user keys to be used as concurrent licenses: it permits exactly as many concurrent instances as there are purchased commercial licenses imported into it.

In other words, each license key provides one ticket. A single ticket grants permission to use a single copy of a product. License Server receives requests for license tickets from client applications and issues tickets to them upon verification, eliminating the need to configure clients individually.
There are two kinds of license tickets:

  • Floating tickets are issued for a limited period of time and prolonged on a regular basis.
  • Permanent tickets are issued without a specific time limit. They are released manually by a client application or server administrator.

System Requirements

Hardware

  • 256 MB RAM

Software

  • Java SE Runtime Environment (JRE)/Java SE Development Kit (JDK) 5 or higher installed in any of the following operating systems:
    • Windows® (2000, NT 4.0 or higher).
    • Linux/UNIX-based OS.
    • Macintosh OS X™.
  • Apache Tomcat 6.0.
  • Mozilla Firefox 2.0+, Internet Explorer 7.0+, or Safari 3.0+ for accessing the License Server control panel.

Distribution Options

License Server is supplied in two distribution options:

  • As a standalone WAR file for deploying in an application server.
  • As a package that includes Apache Tomcat.

Installing License Server

To install and configure License Server bundled with Apache Tomcat:

  1. Install JRE or JDK:
    1. Download and install Java SE Runtime Environment (JRE) 5 or later.
    2. Create an environment variable JAVA_HOME and assign it to JRE installation home using forward slashes in the path (for example, c:/Program Files/Java/jre1.6.0_03 or /usr/local/java/jre):
      • To define JAVA_HOME environment variable under Windows XP:
        1. Select Start | Settings | Control Panel | System | Advanced | Environment Variables.
        2. In the User environment variables for area, click Create.
        3. In the Variable name field of the New System Variable dialog box, enter JAVA_HOME.
        4. In the Variable value field, enter the path to JRE installation home.
        5. Click OK.
      • To define JAVA_HOME environment variable under UNIX/Linux, execute the following command in the shell that will start Tomcat (or add it to that shell's profile script so it persists):
        export JAVA_HOME=path
        where path should reference JRE installation home. (Note: a bare env JAVA_HOME=path only prints the environment and does not define the variable for later commands.)
  2. Start bundled Apache Tomcat.
    To start Apache Tomcat distribution bundled with License Server and deploy licenseServer.war package, execute one of the following scripts:
    • bin\startup.bat (Windows).
    • /bin/startup.sh (UNIX/Linux/MacOS).
      License Server will start listening on port 8080 with licenseServer path prefix.
  3. Start License Server by typing http://:8080/licenseServer in the address bar of your web browser.

To deploy License Server standalone WAR file under Apache Tomcat:

  1. Copy licenseServer.war from /apache-tomcat-/webapps/ into /webapps subdirectory.
  2. Restart Apache Tomcat.
  3. Start License Server by typing http://:/licenseServer in the address bar of your web browser.
  4. Proceed with setting up your License Server.

For either License Server distribution, you can optionally do any of the following:

Configuring log files location

By default, License Server's log files are written into the /logs/jetbrains-license-server directory.
The log location can be changed using the jetbrains.license.server.logs Java property.
For Tomcat this can be done via the JAVA_OPTS environment variable. Add a new system environment variable JAVA_OPTS with a value like this:
-Djetbrains.license.server.logs=c:/custom/logs/folder

Note that system reboot may be necessary for the environment variables to take effect.

Configuring Automatic Server Discovery

To configure automatic License Server discovery:
Add a DNS TXT record url= for the following name:
_jetbrains-license-server.

To verify the record in a Unix environment:
Run the following command:
dig _jetbrains-license-server. TXT
A valid response should look like this:
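The discovery record described above is the mechanism that CVE-2020-11690 concerns: the IDE could resolve the license server to an untrusted host. As an added example (not JetBrains' code) of the defensive check a client should apply, the following parses the url= value out of a TXT answer and accepts it only when it is an https URL whose host lies within an assumed trusted domain suffix (corp.example.com); the TXT records are constructed, not real lookups.

```python
import re
from urllib.parse import urlsplit

# Assumed trusted domain: only license servers under this suffix are accepted.
TRUSTED_SUFFIX = "corp.example.com"

# Constructed TXT answers keyed by record name, in the quoted form dig prints.
# These are not real records.
SAMPLE_TXT_RECORDS = {
    "_jetbrains-license-server.corp.example.com.": [
        '"url=https://license.corp.example.com:8080/licenseServer"',
    ],
    "_jetbrains-license-server.untrusted.example.net.": [
        '"v=spf1 -all"',
        '"url=http://203.0.113.10:8080/licenseServer"',
    ],
}

_URL_KV = re.compile(r"^url=(\S+)$")


def parse_discovery_record(txt_values):
    """Return the url= value from a list of TXT strings, or None if absent."""
    for value in txt_values:
        text = value.strip().strip('"')
        m = _URL_KV.match(text)
        if m:
            return m.group(1)
    return None


def is_trusted_license_server(url, trusted_suffix=TRUSTED_SUFFIX):
    """Accept only https URLs whose host is the trusted domain or a subdomain of it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return False
    suffix = trusted_suffix.lower().rstrip(".")
    # The leading dot prevents "evilcorp.example.com" from matching "corp.example.com".
    return host == suffix or host.endswith("." + suffix)


def discover_license_server(search_domain, records=SAMPLE_TXT_RECORDS):
    """Look up the discovery record for a DNS search domain and validate it.

    Returns the URL only when it passes the trust check, otherwise None, so an
    untrusted answer (plain http, foreign host, IP literal) is never used.
    """
    name = f"_jetbrains-license-server.{search_domain.rstrip('.')}."
    url = parse_discovery_record(records.get(name, []))
    if url is None or not is_trusted_license_server(url):
        return None
    return url


if __name__ == "__main__":
    for domain in ("corp.example.com", "untrusted.example.net"):
        print(domain, "->", discover_license_server(domain))
```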

Configuring License Server to Use an External Database

License Server comes with an embedded Apache Derby database. However, you can configure License Server to work with an external database. The following databases are supported:

  • MySQL 5
  • Sybase Adaptive Server Enterprise (ASE) 15

To migrate to an external database, make the following modifications to licenseServer.war/WEB-INF/classes/META-INF/modelContext.xml:

  1. In org.apache.commons.dbcp.BasicDataSource bean properties, comment out driverClassName property referencing the embedded database, and uncomment driverClassName property corresponding to the external database of your choice.
  2. In com.jetbrains.licenseServer.model.impl.LSTopLinkJpaVendorAdapter bean properties, comment out databasePlatform property that references oracle.toplink.essentials.platform.database.DerbyPlatform SQL dialect, and uncomment the databasePlatform property corresponding to the external database of your choice.
  3. Replace default values for url, username, and password properties of dataSource bean with production values. Make sure to set necessary database connection settings using the url property.

Extending License Server to Use Custom Verification

You can extend License Server to verify clients in one or more ways before they can obtain tickets. When you add one or more custom verifications, the following rules apply:

  • If a user requesting a license passes all verifications, he or she receives a license ticket.
  • If a user fails to pass at least one verification, his/her ticket request is rejected.

You can add as many verifications as required by your corporate policy. All your verifications are executed one by one during request processing.

License Server doesn't execute custom verifications in a particular order. It is your responsibility to write verification rules in a way that doesn't depend on the order in which they are executed.

License Server doesn't cache verification results, meaning that a client is verified for each request it sends.

How to Provide Custom Verification

To apply a custom verification procedure, you should create a JavaBean implementing ClientVerifier public interface:

If the isAuthorized method in any ClientVerifier implementation returns false, the requesting client is considered unauthorized and is not granted a license ticket.

For every implementation of ClientVerifier, you should create a separate Spring bean. Every such bean should be added to License Server classpath (/webapps/licenseServer/WEB-INF/classes/) and registered as a standard Spring bean using a bean descriptor in an existing application context file or in a new file named classpath/META-INF/-plugin.xml, such as the following:

To sum it up, a registered License Server verification plug-in consists of:

  1. Plug-in bean definition: licenseServerClasspath/META-INF/-plugin.xml
  2. Actual bean in License Server classpath.

Sample Verification Plug-in

The following is a sample implementation of CustomVerifier interface:

Here's a bean descriptor used to register the sample custom verification plug-in in License Server:

Launching License Server Control Panel

Open your web browser and type http://:8080/licenseServer in the address bar.

Setup Server

When you start License Server in your web browser for the first time, the Setup Server page opens (fig. 1) where you should complete four mandatory fields:

  • Administrator's E-mail (used as admin ID.)
  • Password (min. 6 characters.)
  • Confirmation (confirm password.)
  • SMTP Server (the address of your company's SMTP server.)
  • 'From' address (e-mail address to be used as a sender of any License Server messages.)


Figure 1. The Setup Server page

Login

Every time you open License Server after you have set it up, the Login page displays (fig. 2).


Figure 2. The Login page

Enter the credentials that you specified during server setup in the E-mail and Password fields.
Click Remember me so that License Server recognizes you at any time, unless the system is rebooted. You can open other web resources or close the browser window in the meantime.
You can subsequently log out by clicking the Logout link in the top right corner of any License Server page.

After you have successfully logged in, the JetBrains License Server home page displays (fig. 3).
It consists of two tabs, Status and Settings.


Figure 3. JetBrains License Server | Status

Settings

The Settings page (fig. 4) contains a number of essential server settings that can be modified when necessary:

  • Administrator's E-mail: the e-mail address that you entered during server setup and used to log in.
  • Password: administrator's password.
  • Confirmation: password confirmation.
  • SMTP Server: the address of your SMTP server that is used to issue permanent licenses (specifically, to send and receive activation codes.)
  • 'From' address: e-mail address to be used as a sender of any License Server messages.


Figure 4. JetBrains License Server | Settings

Status

The Status page (see fig. 3) contains a table designed to track ticket allocation statistics server-wide, across all supported products.
You can open a detailed product-specific control panel by clicking the name of the corresponding product (for example, IntelliJ IDEA) in this table.

A product-specific control panel (for example, IntelliJ IDEA) includes seven tabs:

  • General
  • License Keys
  • Permanent Tickets
  • Floating Tickets
  • Report
  • Settings
  • Log

General

The General tab (fig. 5) contains a product-specific statistics table with four rows:

  • License Keys: number of license keys that you have registered with the server.
  • Total Tickets: total number of tickets provided by registered keys.
  • Free Tickets: number of tickets available for issuing.
  • Issued Tickets: number of issued tickets.


Figure 5. Product-Specific Control Panel | General

If you have added an unlimited license key, Total Tickets and Free Tickets rows are not assigned a numerical value because you can issue as many tickets as you wish.
This table is only populated with non-zero values after you have added at least one license key.

License Keys

This tab contains the Add Keys From Purchase E-mail link. Click it to open a pop-up window (fig. 6), and paste the entire body of the e-mail message with license keys provided to you by a JetBrains representative.


Figure 6. Product-Specific Control Panel | License Keys | Add License Keys From Purchase E-Mail

After you click Add, this window closes and the number of keys that were processed and saved displays in the yellow box at the top of the License Keys tab (fig. 7).


Figure 7. The message that displays after processing and saving license keys

If no keys were processed and saved after you've copied the message into the pop-up window, make sure you've pasted the entire message body.

If the controls in Add License Keys From Purchase E-mail are grayed out, try upgrading your browser to Internet Explorer 7.0 or Mozilla Firefox.

After you have added at least one key, the Keys In System table displays in the License Keys tab (fig. 8).


Figure 8. Product-Specific Control Panel | License Keys | Keys In System

This table contains the following columns:

  • Key: one or more license keys provided by JetBrains.
  • Expiration date: expiration date of the license key.
  • Generation date: date of key generation.
  • Issued for version: product version that a key was generated for.
  • Licensed to: the licensee's name.
  • Suits to version: version of the product that this license key makes available.
  • : allows deleting a previously added key.

Any license key provided for a certain version of a product makes available not only this version, but all of its preceding versions. For example, a license key generated for IntelliJ IDEA 7.0 allows you to use IDEA 7.0, IDEA 6, and all other legacy versions of IDEA.

License keys and server settings are stored in an encrypted database located at /db/. You can migrate to an external database if required.

Permanent Tickets

This tab displays only if the Enable Permanent Tickets check box is selected in a product-specific Settings tab.
It contains a table that identifies clients who have requested and received permanent tickets.

To obtain a permanent ticket for a copy of IntelliJ IDEA

  1. Choose Help | Obtain Permanent License in IntelliJ IDEA menu bar.
  2. When the Enter E-Mail Address dialog box opens, enter a valid e-mail address to which a temporary activation code will be sent.
  3. Click OK.
  4. When the Enter Activation Code dialog box displays, paste the activation code from the e-mail message that License Server sends to the e-mail address you specified. If the activation code is successfully validated, this will be confirmed by the Permanent Ticket Received dialog box.

When a client obtains a permanent ticket, its floating ticket is released.
When at least one permanent ticket has been issued, a table displays in the Permanent Tickets tab specifying e-mails to which activation codes were sent, as well as versions of client applications that received permanent tickets (fig. 9).


Figure 9. Product-Specific Control Panel | Permanent Tickets

To revoke a permanent ticket issued to a specific client, click the revoke link in the third table column next to this client's credentials. When the Remove Permanent Ticket? pop-up window opens, confirm or cancel the revocation.

Floating Tickets

This tab (fig. 10) contains a table with a list of clients that have received floating tickets, consisting of three columns:

  • User Name: name of a user who is provided with a floating ticket.
  • Licensee ID: a unique identifier of a product family installed on a specific client system.
  • Version: product version.


Figure 10. Product-Specific Control Panel | Floating Tickets

To obtain a floating ticket for a copy of IntelliJ IDEA

  1. Choose Help | Register in IntelliJ IDEA menu bar.
  2. Click Enter license server address and paste the URL of your license server in the corresponding text field.
  3. Click OK.

To obtain a floating ticket for a copy of ReSharper

  1. Choose ReSharper | License Information in Visual Studio.
  2. Select Obtain from License Server.
  3. Click Specify License server and paste the URL of your license server in the corresponding text field.
  4. Click OK.

Report

This tab helps you generate reports on the usage of tickets within any time span. To specify the time span, use Start date and End date links. Click Generate to display a report table (fig. 11) with the following columns:

  • Date: dates within the specified period when tickets were issued.
  • (for example, 7.0): one or several columns indicating the number of tickets issued for a specific product version.
  • Day Total: the total number of tickets issued for all product versions day by day.


Figure 11. Product-Specific Control Panel | Report

The Total Max row displays the maximum daily number of tickets issued to individual versions as well as to all versions of the product within the specified period of time.
Full XML Report and Short XML Report links in the bottom part of the tab create signed XML files with reports previously generated in this tab. A short XML report contains product version names and the number of tickets issued to each of them. A full XML report adds the total number of tickets issued every day.

Settings

Two user controls are available in this tab (fig. 12):

  • Ticket Revocation Period (s): every client with a floating ticket must send a prolongation message to the server after a certain period of time has passed. You can specify that period in seconds in this field. If the client does not prolong its ticket within the revocation period (for example, because of a power outage or an unexpected crash), the server revokes the ticket and returns it to the pool of free tickets; the client that held the ticket will have to obtain a new one. If the server is offline when the client attempts to prolong the ticket, it is up to the client how to handle the situation. All current clients tolerate server absence for some time (48 hours); if the server is still offline after 48 hours, the client will ask for a license again.
  • Enable Permanent Tickets: select this check box to allow receiving requests for permanent tickets from clients. Keep in mind that the Permanent Tickets tab remains hidden unless you select this check box.


Figure 12. Product-Specific Control Panel | Settings

Clicking OK saves your settings.

Log

This tab (fig. 13) displays the contents of the log file maintained by License Server. The log file includes all ticket issue/release events along with additional data. Log records are generated with the following format:
Date Time [event severity] Action UserID, ticketID
For example:
2007-10-09 16:06:16,274 [INFO] Prolonged ticket for User.Name@unit-059.Int.YourCompany.Com, ticketId=5


Figure 13. Product-Specific Control Panel | Log

Note that only the most recent 10 Kb of the log's records are displayed in this tab. You can view the entire log by opening it from the Tomcat root directory. Note that for every product managed by License Server, a separate log is maintained under the name ProductID.log, where ProductID is the unique product family identifier that can also be found in the URL of the corresponding product-specific control panel in License Server.

You can generate custom reports that match your specific needs by retrieving specific data from the log files using awk scripts.
You can learn more about awk scripts at http://www.esmerel.com/wagons/rob/awkwords.html.
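As an added example of the kind of custom report described above (not part of the original documentation, and written in Python rather than awk), the following parses records in the Date Time [severity] Action UserID, ticketID format, totals the events, tracks which tickets are still held, and flags clients whose host part is outside the company domain. The sample lines are constructed: only the "Prolonged ticket for" wording comes from the page; the "Issued"/"Released" action words and the trusted domain yourcompany.com are assumptions.

```python
import re
from collections import Counter

# Record format from the documentation: Date Time [event severity] Action UserID, ticketID
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}),(?P<ms>\d{3}) "
    r"\[(?P<severity>[A-Z]+)\] (?P<action>\w+) ticket for (?P<user>[^\s,]+), "
    r"ticketId=(?P<ticket>\d+)$"
)

# Constructed sample log; the "Issued"/"Released" action words are assumed.
SAMPLE_LOG = """\
2007-10-09 16:05:01,010 [INFO] Issued ticket for User.Name@unit-059.Int.YourCompany.Com, ticketId=5
2007-10-09 16:06:16,274 [INFO] Prolonged ticket for User.Name@unit-059.Int.YourCompany.Com, ticketId=5
2007-10-09 16:07:40,118 [INFO] Issued ticket for Other.User@unit-012.Int.YourCompany.Com, ticketId=6
2007-10-09 16:09:03,552 [INFO] Issued ticket for Guest@laptop-7.contractor.example.net, ticketId=7
2007-10-09 17:30:00,000 [INFO] Released ticket for Other.User@unit-012.Int.YourCompany.Com, ticketId=6
this line is deliberately malformed
"""

COMPANY_DOMAIN = "yourcompany.com"  # assumed domain of legitimate client machines


def parse_log_line(line):
    """Return the fields of one log record as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ticket"] = int(rec["ticket"])
    return rec


def summarize(log_text, company_domain=COMPANY_DOMAIN):
    """Aggregate ticket events, list tickets still held, flag foreign clients."""
    by_action = Counter()
    open_tickets = {}      # ticketId -> user currently holding it
    foreign = set()
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_log_line(line)
        if rec is None:
            unparsed += 1   # malformed lines are counted, never silently dropped
            continue
        by_action[rec["action"]] += 1
        if rec["action"] == "Released":
            open_tickets.pop(rec["ticket"], None)
        else:               # Issued or Prolonged: the client holds the ticket
            open_tickets[rec["ticket"]] = rec["user"]
        host = rec["user"].rsplit("@", 1)[-1].lower()
        if not (host == company_domain or host.endswith("." + company_domain)):
            foreign.add(rec["user"])
    return {
        "by_action": dict(by_action),
        "open_tickets": open_tickets,
        "foreign_clients": sorted(foreign),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```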




