Octopusdeploy/octopusdeploy:2022.1.3375 has critical CVE-2022-2068

For compliance reasons, I need to get a copy of the octopusdeploy server into a private AWS ECR repository as I am unable to access hub.docker.com from our PCI environment. As part of that trivial build and push, I am able to scan for vulnerabilities and this is reporting 1 critical and several high vulnerabilities:

Critical
CVE-2022-2068

High:
CVE-2019-8457
CVE-2022-23218
CVE-2022-23219
CVE-2021-33574
CVE-2019-25013
CVE-2021-3737
CVE-2015-20107

(also multiple “Medium” CVEs)

Is there any chance you can look into addressing the Critical CVE at least?

Sincerely
Pete

Good afternoon @peter_m_mcevoy,

Thank you for contacting Octopus Support and great question on CVE’s. We have an advisory page here which details the CVE’s that apply to Octopus and our recommendations to fix the issues we have found.

I cannot see any of the CVE’s you have posted up on there so I am going to get this ticket in front of our security team who will be able to review the CVE’s you have posted up and make sure they do not apply to us, if they do they can get an advisory out but we do monitor CVEs that come in and respond to them on our advisory page if they do apply to Octopus.

I will keep you updated on their findings, reach out in the meantime if you have any further questions.

Kind Regards,
Clare

Hey @peter_m_mcevoy,

Just as a side note I noticed you are using Octopus 2022.1.3375, this is not longer supported I am afraid as per our LTS roadmap.

So, if our security team do find we need to address one of these we would patch that into 2022.2 and above so you would need to upgrade to at least a 2022.2 version in order to get the fix.

Are you planning on upgrading as part of the migration at all?

Just something to be aware of if our security team do say something needs actioning.

Kind Regards,
Clare

Ah that’s interesting! I’ve no affinity to 2022.1.x - I simply picked the newest tag from this page:

https://hub.docker.com/r/octopusdeploy/octopusdeploy/tags

(TBH, the tag ordering on that page is a bit of disaster…)

I’ve rebuilt and pushed based of 2022.3.10873 which I think is the latest 2022.3 image (I can’t see a 2022.4). However that image appears to have 3 critical and 8 high CVEs based on the AWS ECR basic scanning.

Going with your suggeston, I have rebuilt and pushed to ECR with 2022.2.8585 - however scans of that image have 1 critical and 7 high:

critical:
CVE-2022-2068

high:
CVE-2019-8457
CVE-2022-23219
CVE-2019-25013
CVE-2021-33574
CVE-2022-23218
CVE-2021-3737
CVE-2015-20107

FYI, my Dockerfile looks like this:

FROM octopusdeploy/octopusdeploy:2022.2.8585
ENV ACCEPT_EULA=Y

My docker compose (my private ECR has been changed)

version: "3"

services:
  octopus:
    build: 
      dockerfile: Dockerfile
      context: ./
    image: "987654321.dkr.ecr.eu-west-1.amazonaws.com/octopus-server"

Sincerely
Pete

Hey @peter_m_mcevoy,

Great news you are past 2022.1, you should be able to use the :latest tag which should get you the latest version we have on there (which will be 2022.3.10863) you can see a list of each version we have here. You can also see the latest tag information in docker here.

At the moment 2022.4 is only available for our Cloud offering so you will not be able to grab that from docker.

You will be well aware of our documentation surrounding hosting Octopus in docker but for others benefit I have linked it here.

The document you will be interested in is for Docker Compose here. In there you will see it mentions to use OCTOPUS_SERVER_TAG=latest which should pull the latest version from docker if you want to always have the most up to date version, it is also fine to specify a version too if you wanted to like you have above.

As for the CVEs they look to be the same as you posted in your initial response, I have sent that list to our Security team who will review each one and see if they apply to Octopus or not.

I will keep you posted once they have had chance to review and reply.

I hope my above suggestions helped,
Kind Regards,
Clare

Hey @peter_m_mcevoy,

A quick update for you on the CVE query you have, our lead engineer has done some work on this and found that our docker images for Server are based on the image here http://mcr.microsoft.com/dotnet/runtime-deps:5.0. This has not been updated since netcore 5 was EOL’ed in June this year, resulting in our base image shipping with linux packages which are flagging on security scans.

We have sent this to our engineering team who will look at updating our dockerfiles for Server to have the 6.0 tag instead of the 5.0 one.

It looks like our Octopus Cloud instances and Octopus Tentacle docker images already use the 6.0 tag so they are not affected.

I wanted to thank you for bringing this to our attention, as soon as our engineers update the .net base image we work from I will let you know and you can re-run your docker file and pickup that latest image.

Kind Regards,
Clare

Thanks Clare,
Once again, I’m stunned by the professional support that Octopus provide for your customers. It’s a pleasure to deal with your organization.

Thanks for the update. I’d logged a similar issue regarding the tentacle image a month or so back and your team was very quick to fix it. Although vulnerability scanning is an on going process and images that are clean one day can become tainted overnight.

I wonder if you can leave this ticket open until the updated image is published so that I know when to refresh?

Sincerely
Pete

Hey @peter_m_mcevoy,

Thank you so much for your kind words, I will pass those onto our lead Support engineer as he is the one that did all the work for this so I will let him take the credit and praise for this one!

As for keeping the ticket open, of course I will do that, I would not have closed the ticket until it was solved anyway but forum posts do auto close after (I think) 28 days of inactivity and I doubt it will take the engineers that long to get the image updated, looks like its just changing a tag (they will test the change of course).

I will let you know as soon as the image has been updated, I wouldn’t want to have you guessing once its updated and having to run constant scans on every new docker image you pull to see if we have/have not updated it yet!

I am not sure if this will get done before the end of the Christmas break if there are extensive tests to run but I will be notified in our Slack channel once the engineers have updated the image so I will make sure to let you know.

Have a wonderful Christmas break if I don’t get back to you before then,

Kind Regards,
Clare

1 Like

Hi Clare
I had a look at the latest tags on docker hub and don’t see any update since early decmber. I presume that it was not trivial to update the base image.

I’ll continue to keep an eye on them for update and just dropping this reply to keep this thread alive

Sincerely
Pete

Hey @peter_m_mcevoy,

Thanks for the check in on this, I just had a look at the engineers shortcut story for this issue and they have a private github issue in for this with a pull request to get the latest Microsoft base image but that request is currently blocked as it needs one more engineer as a reviewer to approve it.

I have gone ahead and requested an update on the approval of that so hopefully once the reviewer has a chance to take a look and approve it that should go live.

I will keep you up to date but it looks like we are almost there.

Kind Regards,
Clare

Hey @peter_m_mcevoy,

Just wanted to keep you in the loop as I know you are keen to get the dockerfile.

Our engineer has merged the PR but it wont get published to docker until the release of 2023.1 so he is just in the process of backporting it to LTS (which would mean our Server customers can get it).

I will continue to keep you updated on this and will let you know when its available for you to grab.

Kind Regards,
Clare

Thanks for the update, Clare!

Sincerely
Pete

2 Likes