In regard to the recent discovery: A critical unauthenticated remote code execution (RCE) vulnerability (CVE-2021-44228) has been reported in Log4j, an open source logging library.
I need information on whether Octopus is affected by the given vulnerability. Information about mitigation is highly appreciated.
I can confirm Octopus Cloud, Octopus Tentacle and Octopus Server are not affected; it is just the two plugins/integrations we have listed in the Vulnerability Advisories link in the above post (the TeamCity Plugin and the Octopus Java SDK).
I would advise you to read the Octopus Vulnerability Advisories for this particular vulnerability to ensure your Octopus Cloud Instance does not have any of these Integrations linked to your instance.
We will be providing more information to all customers via email and publishing a blog post in the next few days.
I hope that clears up any confusion with my first post.
If you need any further help or information please reach out!
Just jumping in for Clare here, as she's finished up for the day as a member of our UK-based team.
They're external integrations, and nothing is built into Octopus itself, so if you're using TeamCity as your build server, you will want to check and update the plugin version there.
If you have written a custom integration to the Octopus API in Java, using the Java SDK, then you will want to update your integration to use the latest version of the module.
If you're not using either, then you should not be impacted by this.
We note your mitigation comment to update environment variable: LOG4J_FORMAT_MSG_NO_LOOKUPS to "true".
Could you clarify how this would apply to a Windows Server running TeamCity? Does this refer to standard Windows Environment variables or to a configuration file within TeamCity?
Thanks
I am using version 3.3.6+1 of the Octopus Deploy integration plugin in TeamCity Enterprise 2018.2.2 (build 61245), to kick off a deployment from TeamCity to Octopus Deploy.
Can you confirm if this version of the plugin is affected by the log4j vulnerability?
Hi again, I noticed that you supply a new version of the integration plugin, version 6.1.7. Will this work ok with the version of TeamCity we are using? Also, is it ok to migrate from 3.3.6+1 to 6.1.7?
I can confirm that ALL versions of the TeamCity Plugin on 6.1.5 and earlier are affected, so your version is affected by the vulnerability. Our recommendation is to upgrade to 6.1.7 or higher as those versions are not affected.
As for upgrading from 3.3.6+1 to 6.17 of the TeamCity Plugin I cannot confirm for sure that the Octopus 6.1.7 Plugin would be compatible with your version of TeamCity but it is generally very backwards compatible and so you should not run into any issues if you want to upgrade to the latest version.
The website for the versions is located here, so if you wanted you could upgrade to an earlier version, say a version 5, and then go to 6.17.
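A small inventory check for the situation described in this reply, added here as an example rather than code from the thread or from Octopus: it reads the plugin version out of a TeamCity plugin descriptor (teamcity-plugin.xml, the file mentioned later in the thread) and compares it with the first fixed release named in the advisory, so an administrator can tell whether an installed plugin such as 3.3.6+1 still needs upgrading. The descriptor below is constructed, and the fixed version is a parameter because later advisories moved it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample descriptor in the TeamCity plugin format; the
# version string mirrors the one quoted in the thread.
SAMPLE_DESCRIPTOR = """<teamcity-plugin>
  <info>
    <name>octopus-teamcity</name>
    <display-name>Octopus Deploy integration</display-name>
    <version>3.3.6+1</version>
  </info>
  <deployment use-separate-classloader="true"/>
</teamcity-plugin>
"""

def parse_version(text):
    """Turn '3.3.6+1' into (3, 3, 6); build metadata after '+' is
    ignored for ordering, as in semantic versioning."""
    core = text.strip().split("+", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in core.split("."))

def plugin_version(descriptor_xml):
    """Read <info><version> from a teamcity-plugin.xml document."""
    root = ET.fromstring(descriptor_xml)
    node = root.find("./info/version")
    if node is None or not node.text:
        raise ValueError("descriptor has no <info><version> element")
    return node.text.strip()

def needs_upgrade(installed, fixed="6.1.7"):
    """True when the installed plugin is older than the first fixed
    release (pass a newer 'fixed' when a later advisory raises it)."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    # Pad with zeros so 6.1 and 6.1.0 compare equal.
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

if __name__ == "__main__":
    installed = plugin_version(SAMPLE_DESCRIPTOR)
    print(installed, "needs upgrade:", needs_upgrade(installed))
```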
Fantastic news, good to hear you are now safe from the vulnerability. This topic will probably stay open for Paul Garden in case he needs to ask any more questions.
But for yourself, if there is anything else in future please get in touch!
Unfortunately, it looks like the versions you may have updated your integrations to are now vulnerable to a slightly newer Log4j threat so we have now issued two new Advisories which involve upgrading the integrations again.
Are you able to view the latest advisories and action accordingly please, that way you are once again protected.
Sorry for the inconvenience this has caused but we want to ensure our customers have the latest information available.
We're good here. Thanks for assistance. Uploaded latest version of plugin and had some issues with a new node in teamcity-plugin.xml as our version of TeamCity is in need of an update and didn't validate the xml correctly. But once the "deployment" node was removed it runs fine for now until we can get TeamCity updated to latest version.