Octopus Deploy vulnerabilities in image

Hi Team,

I am a potential licence user and am using the version 2022.3.10692 image, which has 259 vulnerabilities. Can you please provide valid justifications for the critical and high severity ones, so that we can proceed further?

Thanks,
Prabhjot

Hi Prabhjot,
Thanks for the query around vulnerabilities in the recent version of Octopus.

Firstly, I would point you to our CVE site, where we generate and maintain all vulnerabilities in our Octopus products:

We are very proactive with any security issues in our product, so if you can send us a report from your scanning software, we can definitely take a look and see if we need to take any action.

For more recent issues we have dealt with, see this site we maintain for our customers:
https://octopus.com/docs/security/cve

As for certification and secure practices in our product we have various certifications in place:
https://octopus.com/company/trust

Let us know if we can help further.

Kind regards,
Paraic

Hi Paraic,

Thanks for the reply. Can you please share the email ID to which I can send my report from my professional ID?

Thanks,
Prabhjot

Hey @prabhjotkour.91,

I noticed you put up this forum post and that you have the one here too, where you are asking about the base images we use for our Octopus releases. I hope you don't mind, but I put two and two together, and I hope my answer in that post answers your question here.

Please feel free to take a look at that post (also, for anyone else asking this question, head over to that post for the answer) and see what you think.

You can always email support@octopus.com to send us any files you want, or you can request a link to our secure file share where you can upload the files, and we can get the link sent to you on this forum post.

I will note, though, that the other post goes into detail about the fact that we do not backport OS patches to earlier Octopus versions, so you would need to either have a regular upgrade cadence to get the latest OS patches or have your own custom Octopus container based off our image and run some bash commands to keep that container updated.

We are unable to backport any OS updates to earlier versions, I am afraid, so those are your only options when it comes to making sure you stay up to date with any vulnerabilities.

Kind Regards,
Clare
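
One way to do what Clare describes: a custom container built from the vendor image that pulls in current OS patches, plus a check of which packages the rebuild actually changed so you can tie the scanner's before/after counts to concrete package versions. This is an added example and not Octopus Deploy's own tooling or anything posted in the thread. It assumes the vendor image is octopusdeploy/octopusdeploy (the thread does not name it), that its OS layer uses apt/dpkg (Debian or Ubuntu), that a local tag octopus-server:2022.3.10692-patched is acceptable, and that the image can switch to root for apt. The comparison functions run offline against package lists; the docker build itself only runs when the script is invoked with the argument run.

```shell
#!/bin/sh
# Added example, not Octopus Deploy's own tooling. Assumptions not stated in
# the thread: the vendor image is octopusdeploy/octopusdeploy, its OS layer
# uses apt/dpkg (Debian or Ubuntu), and the rebuilt image gets a local tag.
set -eu

BASE_IMAGE="${BASE_IMAGE:-octopusdeploy/octopusdeploy:2022.3.10692}"   # version named in the thread
PATCHED_IMAGE="${PATCHED_IMAGE:-octopus-server:2022.3.10692-patched}"  # assumed local tag

# Write a Dockerfile that layers today's OS security patches on top of the
# vendor image; nothing Octopus-specific is touched, only distro packages.
write_dockerfile() {
  cat > "$1" <<EOF
FROM ${BASE_IMAGE}
# Assumed: the vendor image may run unprivileged, so switch to root for apt.
# Check the image's USER and switch back afterwards if it does.
USER root
RUN apt-get update \\
 && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends upgrade \\
 && apt-get -y autoremove \\
 && rm -rf /var/lib/apt/lists/*
EOF
}

# Dump "package<TAB>version" for every installed package in an image.
package_list() {
  docker run --rm --entrypoint dpkg-query "$1" -W -f '${Package}\t${Version}\n' > "$2"
}

# Compare two package lists and print "package old_version new_version" for
# each package whose version changed, i.e. the patches the rebuild pulled in.
upgraded_packages() {
  awk -F '\t' 'NR == FNR { old[$1] = $2; next }
               ($1 in old) && old[$1] != $2 { print $1, old[$1], $2 }' "$1" "$2"
}

# Number of changed packages, for a quick pass/fail in a pipeline.
upgraded_count() {
  upgraded_packages "$1" "$2" | wc -l | tr -d ' '
}

# Full procedure; runs only when asked for explicitly, because it needs docker.
if [ "${1:-}" = "run" ]; then
  work=$(mktemp -d)
  write_dockerfile "$work/Dockerfile"
  docker build -t "$PATCHED_IMAGE" "$work"
  package_list "$BASE_IMAGE" "$work/before.tsv"
  package_list "$PATCHED_IMAGE" "$work/after.tsv"
  echo "packages upgraded by the rebuild:"
  upgraded_packages "$work/before.tsv" "$work/after.tsv"
fi
```

Run it as sh rebuild.sh run on a host with docker, then point the same scanner at the patched tag. The rebuild touches only distro packages, so expect any remaining findings to be outside the OS layer; those are the ones to raise with support along with the report.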