Log4j CVE-2021-44228

In regard to the recent discovery: a critical unauthenticated remote code execution (RCE) vulnerability (CVE-2021-44228) has been reported in Log4j, an open source logging library.

I need information on whether Octopus is affected by the given vulnerability. Information about mitigation is highly appreciated.


Good afternoon @maciej.bednarczyk

Thank you for contacting Octopus Support; we’re glad you’re looking to be cautious in light of this vulnerability.

We’ve released two advisories for areas/integrations that may be affected by this, which you can find here: Octopus Vulnerability Advisories.

These advisories detail the affected areas, the severity, the fix we’ve created and mitigation recommendations.

If you have any further questions or concerns, please don’t hesitate to reach out, and we’ll do our best to assist further.

Kind Regards,

Clare Martin


Thank you for the update.

The question is: are Octopus Cloud, the integrations and the remaining plugins free of CVE-2021-44228, or is the vulnerability still under your assessment?

Afternoon @maciej.bednarczyk,

I can confirm Octopus Cloud, Octopus Tentacle and Octopus Server are not affected; it is just the two plugins/integrations we have listed in the Vulnerability Advisories link in the above post (the TeamCity plugin and the Octopus Java SDK).

I would advise you to read the Octopus Vulnerability Advisories for this particular vulnerability to ensure your Octopus Cloud Instance does not have any of these Integrations linked to your instance.

We will be providing more information to all customers via email and publishing a blog post in the next few days.

I hope that clears up any confusion with my first post.

If you need any further help or information please reach out!

Kind Regards,

Clare Martin

Hi Clare, thanks for your update.

Just wanted to ask, how do I know if I have the two plugins/integrations you have listed in the Vulnerability Advisories link?

I have an older on-premises version of Octopus (3.3.11); I can’t see anything that specifies any integrations. Where do I look for this?

Thanks

Hi @Dave_Guest,

Just jumping in for Clare here, as she’s finished up for the day as a member of our UK-based team.

They’re external integrations, and nothing is built into Octopus itself, so if you’re using TeamCity as your build server, you will want to check and update the plugin version there.

If you have written a custom integration to the Octopus API in Java, using the Java SDK, then you will want to update your integration to use the latest version of the module.

If you’re not using either, then you should not be impacted by this.

We note your mitigation comment to update environment variable: LOG4J_FORMAT_MSG_NO_LOOKUPS to “true”.

Could you clarify how this would apply to a Windows Server running TeamCity? Does this refer to standard Windows Environment variables or to a configuration file within TeamCity?

Thanks

Thanks Justin

I am using version 3.3.6+1 of the Octopus Deploy integration plugin in TeamCity Enterprise 2018.2.2 (build 61245), to kick off a deployment from TeamCity to Octopus Deploy.

Can you confirm if this version of the plugin is affected by the Log4j vulnerability?

Thanks

Hi again, I noticed that you supply a new version of the integration plugin, version 6.1.7. Will this work OK with the version of TeamCity we are using? Also, is it OK to migrate from 3.3.6+1 to 6.1.7?

Thanks again

Good afternoon @paul_garden,

Thank you for your reply. The mitigations reported in our Vulnerability Advisories have come from Microsoft’s Response to CVE-2021-44228 Apache Log4j 2 article, which mentions changing the environment variable.

I hope this helps, please reach out if you need any more information.

Kind Regards,

Clare Martin
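One way to apply that environment-variable workaround on a Windows Server hosting TeamCity, added here as an example and not taken from the thread, the Microsoft article or Octopus. It assumes the TeamCity server runs as a Windows service named 'TeamCity' (rename to match your install) and that the script runs from an elevated PowerShell session.

```powershell
# Added example (not Octopus' or TeamCity's own code): set the Log4j
# mitigation variable at machine scope so that services started by the
# Service Control Manager (such as TeamCity) inherit it, then restart
# the service because a running JVM never sees a variable added later.
# Assumption: the TeamCity server service is named 'TeamCity'.

$Name  = 'LOG4J_FORMAT_MSG_NO_LOOKUPS'
$Value = 'true'
$ServiceName = 'TeamCity'   # assumed service name; adjust to your install

# Machine scope writes the variable under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment,
# which is the copy Windows services read at start-up. A user-scope or
# session-only variable would not reach the TeamCity process.
[Environment]::SetEnvironmentVariable($Name, $Value,
    [EnvironmentVariableTarget]::Machine)

# Read the machine-scope value back rather than trusting this session's
# environment, so the check reflects what the service will actually get.
$applied = [Environment]::GetEnvironmentVariable($Name,
    [EnvironmentVariableTarget]::Machine)
if ($applied -ne $Value) {
    throw "$Name is not set to '$Value' at machine scope"
}
Write-Output "$Name=$applied (machine scope)"

# Restart the TeamCity service so the JVM picks up the new environment.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning "Service '$ServiceName' not found; restart TeamCity manually"
} else {
    Restart-Service -Name $svc.Name -Force
    Write-Output "Restarted service '$($svc.Name)'"
}
```

Log4j honours this variable only from version 2.10 onwards, and the Microsoft article the reply cites presents it as a workaround, so upgrading the plugin as the advisories describe remains the primary fix.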

Hi @Dave_Guest,

I can confirm that ALL versions of the TeamCity Plugin on 6.1.5 and earlier are affected, so your version is affected by the vulnerability. Our recommendation is to upgrade to 6.1.7 or higher as those versions are not affected.

As for upgrading from 3.3.6+1 to 6.1.7 of the TeamCity Plugin, I cannot confirm for sure that the Octopus 6.1.7 Plugin would be compatible with your version of TeamCity, but it is generally very backwards compatible, so you should not run into any issues if you want to upgrade to the latest version.

The website for the versions is located here, so if you wanted you could upgrade to an earlier version, say a version 5, and then go to 6.1.7.

Alternatively, if you do not want to risk upgrading, you can implement the workarounds provided by Microsoft in the Microsoft’s Response to CVE-2021-44228 Apache Log4j 2 article mentioned in the forum post above.

I hope that answers your question but please feel free to reach out if you need anything else!

Kind Regards,

Clare Martin

Thanks, Clare

We have applied version 6.1.7 successfully to TeamCity and all is working as before.

Many thanks for your prompt replies on this matter, much appreciated.

Dave


Afternoon @Dave_Guest,

Fantastic news, good to hear you are now safe from the vulnerability. This topic will probably stay open for Paul Garden in case he needs to ask any more questions.

But for yourself, if there is anything else in future please get in touch!

Kind Regards,

Clare Martin

Good morning @Dave_Guest and @paul_garden,

I have some updated news on the Log4j issue.

Unfortunately, it looks like the versions you may have updated your integrations to are now vulnerable to a slightly newer Log4j threat, so we have now issued two new Advisories which involve upgrading the integrations again.

Are you able to view the latest advisories and take action accordingly, please? That way you are once again protected.

Sorry for the inconvenience this has caused, but we want to ensure our customers have the latest information available.

Kind Regards,

Clare Martin

We’re good here. Thanks for the assistance. Uploaded the latest version of the plugin and had some issues with a new node in teamcity-plugin.xml, as our version of TeamCity is in need of an update and didn’t validate the XML correctly. But once the ‘deployment’ node was removed it runs fine for now, until we can get TeamCity updated to the latest version.


Good afternoon @paul_garden,

Thank you for keeping us up to date on where you are with updating your environments.

We are happy you are now protected against the vulnerability.

If there is anything else you need to know please get in touch again and we will endeavour to help you out!

Kind Regards,

Clare Martin
