We are in the initial stages of setting up Octopus Deploy in our Dev environment, and our security team has told us that the Octo Server and each server with the Tentacle software have a vulnerability. Each server has Windows 2012 R2 for OS. I have been told to stop deploying any new Tentacles until this is figured out, which is difficult with our aggressive timeline for the project. This is the info I have been given.
Hi Shawn,
Thanks for getting in touch! I’m sorry for the long delay in getting back to you and to hear you are seeing the TLS Protocol Session Renegotiation Security Vulnerability on your Octopus server and Tentacles.
The vulnerability you describe indicates that you should be perfectly fine if you have installed all of the Microsoft Updates onto your servers.
I also noticed that Windows Server 2012 R2 is not listed as being affected by the vulnerability described in the Microsoft Security Bulletin MS10-049. I’m interested to know if there is a chance that Qualys may have triggered a false positive in this case perhaps.
One option which comes to mind could be to disable SSL Protocols and TLS 1.0/TLS 1.1 to be sure, but I believe MS10-049 may be referring to an update to SChannel.
I look forward to hearing if this has been helpful for you.
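The reply above suggests disabling the SSL protocols and TLS 1.0/1.1 on the Octopus Server and Tentacle hosts as a belt-and-braces option. Below is an added example of how that is done on Windows Server 2012 R2 through the SChannel registry keys; it is not code from the thread or from Octopus Deploy. It assumes you run it elevated on each host, that TLS 1.2 is enabled on both ends of every Server/Tentacle connection before the legacy protocols are turned off, and that the .NET Framework "strong crypto" values apply to the Octopus version in use (both Octopus Server and Tentacle are .NET Framework applications). The audit function runs first so you can record the state before changing anything.

```powershell
# Added example (not from the Octopus thread): audit, then disable, legacy SChannel
# protocols on Windows Server 2012 R2. Run elevated on the Octopus Server / Tentacle
# host. A reboot is required for SChannel changes to take effect.
#Requires -RunAsAdministrator

$SchannelRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$LegacyProtocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'

function Get-SchannelProtocolState {
    # Reports Enabled / DisabledByDefault for the Server and Client side of each protocol.
    # A missing key means "OS default", which on 2012 R2 leaves TLS 1.0 and 1.1 enabled.
    param([string[]]$Protocol = ($LegacyProtocols + 'TLS 1.2'))
    foreach ($p in $Protocol) {
        foreach ($side in 'Server', 'Client') {
            $key   = Join-Path $SchannelRoot "$p\$side"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                Enabled           = if ($props -and $null -ne $props.Enabled) { $props.Enabled } else { 'default' }
                DisabledByDefault = if ($props -and $null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'default' }
            }
        }
    }
}

function Set-SchannelProtocol {
    # Enabled=0 turns the protocol off for SChannel; DisabledByDefault=1 stops applications
    # negotiating it unless they request it explicitly. Both sides are set so the host neither
    # offers nor accepts the protocol.
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [Parameter(Mandatory)][bool]$Enable
    )
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $SchannelRoot "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value ([int]$Enable)        -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enable)) -Force | Out-Null
    }
}

'Before:'
Get-SchannelProtocolState | Format-Table -AutoSize

foreach ($p in $LegacyProtocols) { Set-SchannelProtocol -Protocol $p -Enable $false }
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $true

# .NET Framework applications pick their TLS version independently of SChannel unless told
# to follow the OS defaults. These values are the documented .NET 4.x switches; whether a
# given Octopus build needs them is an assumption, so verify Server/Tentacle connectivity after reboot.
foreach ($fw in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (Test-Path $fw) {
        New-ItemProperty -Path $fw -Name 'SchUseStrongCrypto'       -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $fw -Name 'SystemDefaultTlsVersions' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

'After (reboot required for SChannel changes to take effect):'
Get-SchannelProtocolState | Format-Table -AutoSize
```

Two points worth noting. First, the renegotiation finding (MS10-049) is fixed by the SChannel update itself; turning off protocol versions addresses a different class of finding and does not substitute for patching. Second, if you disable TLS 1.0/1.1 on a Tentacle before the Octopus Server can speak TLS 1.2, the Tentacle goes dark, so stage the change Server first and re-run the audit on each host before rebooting the next one.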
Hi Matt,
Thanks for getting in touch! I’m sorry to hear you weren’t able to raise a new topic in our help forums.
I have done some reading up on the message you described from the Qualys PCI scan. It sounds like your Octopus Server might be disclosing internal IP addressing, but I’m not entirely sure how. If possible, could I please ask you to send through a detailed report to our email address support@octopus.com so that I can get a bit more information? Please feel free to attention it to me.