Hi,
Our security scanning tool just found an Apache Struts vulnerability on some deployment targets in an older version of Tentacle/Calamari, on the port exposed by Tentacle/Calamari. What version do we need to upgrade to in order to remedy that?
To better understand the issue you are facing, would you be able to provide the current version of Tentacle you are running on your deployment targets?
Also, just to confirm, is the vulnerability you are describing CVE-2017-5638?
Thanks for your response. Speaking with other members of the team, we can't find that vulnerability listed for Tentacles; we have a list of vulnerabilities listed here.
Are all your Tentacles the same version, and if so, are you only seeing this vulnerability on a select number of them?
Also, on your deployment targets, do you have anything installed like Apache that could be flagging this?
Let's use another server as an example. I actually just looked at the port and thought it had to be Octopus Tentacle.
Server #2:
The vulnerability was there when the Tentacle version was the one deployed with this server version:
2021.2.7462+Branch.release-2021.2
It has some version of Apache.NMS.ActiveMQ.
CVE-2016-4438
After upgrading to the newest Tentacle, 6.1.1320, it was gone.
It still has some version of Apache.NMS.ActiveMQ.
Okay, just wondering how the vulnerability is exposed on that port, if it has nothing to do with Octopus software, and it was fixed after a Tentacle upgrade.
The Octopus security team have got back to me, but they have some more questions about the issue.
Would you be able to let us know which vulnerability scanner you are using, so we can test this in our test environment?
We have the suspicion that this could be to do with the ciphers that Tentacle uses on that version, and that the scanner is picking it up as an incorrect vulnerability.
Also, what port number did the scanner identify the vulnerability was on?