Is the latest Octopus Server vulnerable to the spring4shell ZD RCE

Hello,
Is the latest Octopus Server vulnerable to the spring4shell ZD RCE?
Spring4Shell Details and Exploit Analysis - Cyber Kendra

If so how do I handle this.

Hi @yuriy.rogach

Thank you for contacting Octopus Support.

Thankfully, Octopus Cloud, Octopus Tentacle, and Octopus Server are not affected by this vulnerability, but we do have some external integrations that do call spring-core from their upstream product. Our team has analyzed these integrations and found that they DO NOT meet the criteria for this vulnerability to be applicable.

The details of this are as follows:

Octopus’ Bamboo Integration is NOT vulnerable to this exploit.

  • Uses an affected version of spring-core.
  • Compile target is 1.7, not 9, which is required for the vulnerability.
  • No @RequestMapping @RequestParam usage, which is required for the vulnerability.

Octopus’ Jenkins Integration is NOT vulnerable to this exploit.

  • Uses an affected version of spring-core.
  • Compile target is 8, not 9, which is required for the vulnerability.
  • No @RequestMapping @RequestParam usage, which is required for the vulnerability.

Octopus’ TeamCity Integration is NOT vulnerable to this exploit.

  • Does NOT use spring-core.
  • Compile target is 8, not 9, which is required for the vulnerability.
  • No @RequestMapping @RequestParam usage, which is required for the vulnerability.

Octopus’ Java SDK is NOT vulnerable to this exploit.

  • Does NOT use an affected version of spring-core.
  • Compile target is 8, not 9, which is required for the vulnerability.
  • No @RequestMapping @RequestParam usage, which is required for the vulnerability.

If you have any further questions or concerns, please don’t hesitate to reach out, and we’ll do our best to assist further.

Regards,
Paul
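The reply above applies the same three applicability criteria to each integration: an affected spring-core version, a JDK 9 or later compile target, and @RequestMapping/@RequestParam usage. The script below is an added example (not Octopus code and not from the original post) that runs that triage over a Maven project: it pulls the declared spring-core version and compiler target out of a pom.xml, greps the Java sources for the two annotations, and reports whether all three criteria hold. The pom.xml and the Api.java text are constructed sample input; the affected version range is taken from the Spring advisory for CVE-2022-22965 (5.2.0 to 5.2.19 and 5.3.0 to 5.3.17). Only direct dependency declarations are inspected, so run `mvn dependency:tree` as well if spring-core can arrive transitively.

```python
"""Triage a Maven project against the three Spring4Shell criteria quoted in the
support reply: (1) affected spring-core version, (2) JDK 9+ compile target,
(3) @RequestMapping/@RequestParam usage. Added example; sample input is constructed."""
import re
import xml.etree.ElementTree as ET

# Affected spring-core ranges from the Spring advisory for CVE-2022-22965.
AFFECTED_RANGES = (((5, 2, 0), (5, 2, 19)), ((5, 3, 0), (5, 3, 17)))
BINDING_ANNOTATIONS = re.compile(r"@(RequestMapping|RequestParam)\b")


def _local(tag):
    """Strip the Maven XML namespace so tags can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def _children(elem):
    return {_local(c.tag): c for c in elem}


def parse_pom(pom_xml):
    """Return the parsed root and the <properties> map used for ${...} expansion."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            for p in el:
                props[_local(p.tag)] = (p.text or "").strip()
    return root, props


def _resolve(value, props):
    """Expand ${property} references; unknown properties are left as written."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value or "")


def spring_core_version(pom_xml):
    """Version of a directly declared spring-core dependency, or None (transitive deps are not seen)."""
    root, props = parse_pom(pom_xml)
    for el in root.iter():
        if _local(el.tag) != "dependency":
            continue
        kids = _children(el)
        aid = kids.get("artifactId")
        if aid is not None and (aid.text or "").strip() == "spring-core":
            ver = kids.get("version")
            return _resolve(ver.text.strip(), props) if ver is not None and ver.text else None
    return None


def compile_target(pom_xml):
    """Compiler target from maven.compiler.* properties or maven-compiler-plugin config."""
    root, props = parse_pom(pom_xml)
    for key in ("maven.compiler.release", "maven.compiler.target", "maven.compiler.source"):
        if props.get(key):
            return props[key]
    for el in root.iter():
        if _local(el.tag) == "plugin":
            kids = _children(el)
            aid = kids.get("artifactId")
            if aid is not None and (aid.text or "").strip() == "maven-compiler-plugin":
                cfg = _children(kids["configuration"]) if kids.get("configuration") is not None else {}
                for key in ("release", "target", "source"):
                    if key in cfg and cfg[key].text:
                        return _resolve(cfg[key].text.strip(), props)
    return None


def java_major(target):
    """Normalise '1.7', '1.8', '8', '9', '11', '17' to an integer major version."""
    m = re.match(r"^(?:1\.)?(\d+)", (target or "").strip())
    return int(m.group(1)) if m else None


def is_affected_version(version):
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version or "")
    if not m:
        return False
    v = tuple(int(x) for x in m.groups())
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def find_request_binding(sources):
    """sources: {path: java_text}. Returns [(path, line_no, annotation)] for each annotation hit."""
    hits = []
    for path, text in sources.items():
        for n, line in enumerate(text.splitlines(), 1):
            hits.extend((path, n, m.group(1)) for m in BINDING_ANNOTATIONS.finditer(line))
    return hits


def assess(pom_xml, sources):
    """Evaluate the three criteria; the vulnerability needs all of them to hold."""
    ver, tgt, hits = spring_core_version(pom_xml), compile_target(pom_xml), find_request_binding(sources)
    criteria = {
        "affected_spring_core": is_affected_version(ver),
        "jdk9_plus_target": (java_major(tgt) or 0) >= 9,
        "request_binding_usage": bool(hits),
    }
    return {"spring_core_version": ver, "compile_target": tgt, "binding_hits": hits,
            "criteria": criteria, "meets_all_criteria": all(criteria.values())}


# Constructed sample: affected spring-core, annotations present, but a 1.8 target.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>plugin</artifactId><version>1.0</version>
  <properties>
    <spring.version>5.3.16</spring.version>
    <maven.compiler.source>1.8</maven.compiler.source>
    <maven.compiler.target>1.8</maven.compiler.target>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId>
      <version>${spring.version}</version>
    </dependency>
  </dependencies>
</project>
"""
SAMPLE_SOURCES = {"src/main/java/example/Api.java": """package example;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
public class Api {
    @RequestMapping("/deploy")
    public String deploy(@RequestParam String env) { return env; }
}
"""}

if __name__ == "__main__":
    for k, v in assess(SAMPLE_POM, SAMPLE_SOURCES).items():
        print(f"{k}: {v}")
```

The sample deliberately satisfies two of the three criteria (affected spring-core 5.3.16 and annotation usage) but compiles for 1.8, so `meets_all_criteria` is False, which is the same shape of argument the reply makes for the Jenkins integration. Point the functions at a real pom.xml and a walk of `src/main/java` to triage your own plugins.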

Hello @paul.calvert
Thank you for the quick answer.

