Log4j vulnerability

Hi Team,

We are hosting Octopus server v2019.6.8 LTS in our environment on Windows Server 2012. Please let me know if there are any log4j files used in this installation and whether we need to replace any files affected by this log4j vulnerability.

Thanks!

Good morning @Sharjil,

Thank you for contacting Octopus Support.

Thankfully, Octopus Server, Octopus Cloud and Octopus Tentacle are not affected by the Log4j vulnerability.

However, we have two external integrations that are impacted:

Octopus TeamCity Plugin
Octopus Java SDK Integration

If you use TeamCity as your package repository, you will want to upgrade to the latest plugin as per the linked assessment.

Unfortunately, there is nothing built into Octopus itself for you to be able to check if you have been affected by the vulnerability with regards to the Java SDK.

If you have written a custom integration to the Octopus API in Java, using the Java SDK, then you will want to update your integration to use the latest version of the module.

The Java custom integration was only released in September of this year, so unless you have developed a custom integration with that, you won’t be affected by this vulnerability from an Octopus perspective.

I hope that answers your question, but please reach out if you need any more details.

Kind Regards,

Clare Martin