Apache struts vulnerability

Hi,
our security scanning tool just found an Apache Struts vulnerability on some deployment targets in an older version of Tentacle/Calamari, on the port exposed by Tentacle/Calamari. What version do we need to upgrade to in order to remedy that?

regards
Morten

Hi @Morten.B.Svendsen,

Welcome and thanks for reaching out to us today.

To better understand the issue you are facing, would you be able to provide the current version of Tentacle you are running on your deployment targets?

Also, just to confirm, is the vulnerability you are describing CVE-2017-5638?

Kind Regards,

Dom.

Tentacle version: 6.1.938
CVE-2018-11776
Apache Struts CVE-2018-11776 Results With No Namespace Remote Code Execution (S2-057)
Solution
Upgrade to Apache Struts version 2.3.35 / 2.5.17 or later.

Hi @Morten.B.Svendsen

Thanks for your response. Speaking with other members of the team, we can't find that vulnerability listed for Tentacles; we have a list of vulnerabilities listed here.

Are all your Tentacles the same version, and if so, are you only seeing this vulnerability on a select number of them?

Also, on your deployment targets, do you have anything installed like Apache that could be flagging this?

Kind Regards,

Dom.

Let's use another server as an example. I actually just looked at the port and thought it had to be Octopus Tentacle.

server#2:
The vulnerability was there when the Tentacle version was the one deployed with this server version:
2021.2.7462+Branch.release-2021.2
It has some version of: Apache.NMS.ActiveMQ
CVE-2016-4438

After upgrading to the newest Tentacle, 6.1.1320, it was gone.
It still has some version of: Apache.NMS.ActiveMQ

Hi @Morten.B.Svendsen,

Thanks for your response. From your last message, upgrading to the latest version of Tentacle fixed the vulnerability.

But as far as we are aware, Apache Struts is not part of Octopus software. I will speak with our security team just to clarify.

To be able to get a clearer picture of your environment, what operating system is running on your deployment targets?

Kind Regards,

Dom.

server#2 = Windows Server 2016

Okay, I'm just wondering how the vulnerability is exposed on that port if it has nothing to do with Octopus software, and why it was fixed after a Tentacle upgrade.

Hi @Morten.B.Svendsen,

Thanks for the additional information. I have asked our security team to have a look at this issue to see if they can give some insight.

I will keep you updated when we hear back from them.

Kind Regards,

Dom.

Hi @Morten.B.Svendsen

The Octopus security team have got back to me, but have some more questions about the issue.

Would you be able to let us know which vulnerability scanner you are using, so we can test this on our test environment?

We have the suspicion that this could be to do with the ciphers that the Tentacle uses on that version, and that the scanner is picking it up as an incorrect vulnerability.

Also what port number did the scanner identify the vulnerability was on?

Kind Regards,

Dom.
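A triage script for the situation in this thread, added here and not part of the thread, of Octopus's own tooling, or of any scanner vendor's guidance: before treating a scanner's Apache Struts finding on a Windows Server 2016 deployment target as real, map the flagged port to the process that owns it and check whether Struts (a Java web framework that ships as a jar file) is present on the host at all. The port number is whatever the scanner reported and is passed in; the search roots and the jar name patterns are assumptions made for this example.

```powershell
# Added triage example (not from the thread): for a scanner finding that names a
# web-framework CVE on a given port, confirm what is actually listening there and
# whether that framework exists on the host. Run in an elevated PowerShell session
# on the deployment target itself. $Port is the port the scanner reported.
param(
    [Parameter(Mandatory = $true)][int]$Port,
    # Assumed locations where a Java web application would normally be installed.
    [string[]]$SearchRoots = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\inetpub')
)

# 1. Which process owns the listening socket on the flagged port?
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Output "Nothing is listening on TCP port $Port on this host."
}
foreach ($conn in $listeners) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $exe  = if ($proc -and $proc.Path) { $proc.Path } else { '<unknown>' }
    $ver  = if (Test-Path $exe -ErrorAction SilentlyContinue) { (Get-Item $exe).VersionInfo.ProductVersion } else { '' }
    [pscustomobject]@{
        Port    = $conn.LocalPort
        Address = $conn.LocalAddress
        PID     = $conn.OwningProcess
        Process = if ($proc) { $proc.ProcessName } else { '<unknown>' }
        Path    = $exe
        Version = $ver
    }
}

# 2. Is Apache Struts present anywhere under the usual install roots?
#    Struts 2 ships as struts2-core-<version>.jar, Struts 1 as struts-core-<version>.jar
#    (name patterns are an assumption for this example).
$strutsJars = foreach ($root in $SearchRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -File -Include 'struts2-core-*.jar', 'struts-core-*.jar' -ErrorAction SilentlyContinue
    }
}
if ($strutsJars) {
    $strutsJars | Select-Object FullName, Length, LastWriteTime
} else {
    Write-Output "No Struts core jar found under: $($SearchRoots -join ', ')"
}

# 3. Is a Java runtime even on the PATH? Struts cannot run without one.
$java = Get-Command java.exe -ErrorAction SilentlyContinue
Write-Output ("Java runtime on PATH: " + $(if ($java) { $java.Source } else { 'none' }))
```

Save it as, for example, Triage-ScannerPort.ps1 and run `.\Triage-ScannerPort.ps1 -Port <port from the scanner report>`. If the owning process turns out to be the Tentacle service and neither a Struts jar nor a Java runtime exists on the box, the finding cannot be a missing Struts patch; that is the evidence to take back to the scanner vendor together with the Tentacle version, which is the kind of false-positive check the suspicion about cipher fingerprinting above calls for. If a Java process or a Struts jar does show up, the scanner was right about the software even if it was wrong about the owner of the port, and the Struts upgrade the report recommends applies to that application, not to Tentacle.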
