We are in the initial stages of setting up Octopus Deploy in our Dev enviornment and our security team has told us that the Octo Server and each server with the Tentacle software have a vulnerability. Each server has Windows 2012 R2 for OS. I have been told to stop deploying any new Tentacles until this is figured out which is difficult with our aggressive timeline for the project. This is the info I have been given.
- TLS Protocol Session Renegotiation Security Vulnerability
- Qualys classification: potential vulnerability with severity score of 5, QID 38596
- Covered in CVE-2009-3555
- Bugtraq ID 36935
- Addressed in Microsoft Security Bulletin MS10-049 - Critical
- Windows SCHANNEL configuration article which discusses OS-level adjustments
- Octopus describes the security and host/client communication method in this article
a. Tentacles are configured in Listening mode
- Logs were collected but do not provide any substantial value in assessing the merit of the potential vulnerability
Thanks for getting in touch! I’m sorry for the long delay in getting back to you and to hear you are seeing the
TLS Protocol Session Renegotiation Security Vulnerability on your Octopus server and Tentacles.
The vulnerability you describe indicates that you should be perfectly fine if you have installed all of the Microsoft Updates onto your servers.
I also noticed that Windows Server 2012 R2 is not listed as being affected by the vulnerability described in the Microsoft Security Bulletin MS10-049. I’m interested to know if there is a change that Qualys may have triggered a false positive in this case perhaps.
One option which comes to mind could be to disable SSL Protocols and TLS 1.0/TLS 1.1 to be sure, but I believe MS10-049 may be referring to an update to SChannel.
I look forward to hearing if this has been helpful for you.
I cant raise a new topic for whatever reason so I’m hijacking this thread…
We are also failing a Qualys PCI scan due to Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability
Are you able to advise?
Thanks for getting in touch! I’m sorry to hear you weren’t able to raise a new topic in our help forums.
I have done some reading up on the message you described from the Qualys PCI scan, it sounds like your Octopus Server might be disclosing internal IP addressing but I’m not entirely sure how. If possible, Could I please ask if you can send through a detailed report to our email address firstname.lastname@example.org so that I can get a bit more information? Please feel free to attention it to me.