Tentacle displayed version

I have been working with our internal Cybersecurity team around a false positive CVE being reported for EC2 instances on which I have installed the Octopus Tentacle.

This has brought to light the fact that the version of the Octopus Tentacle displayed in Windows Apps & Features is 1.0.0.0 regardless of the actual installed version.

The vulnerability scanner that my company is using is partially basing its false positive on the fact that it is pulling this version number from the registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D129CFF7-D3CA-4303-89D4-DC3B266F0B75}) and deciding that the installed version is seriously out of date.

The screenshot below shows that Tentacle 6.1.1304 is installed while Apps & Features reports 1.0.0.0.

While the false positive is not an issue for Octopus to resolve, it seems to me that it would be useful for this version discrepancy to be resolved anyway.

Let me know if I can provide any more detail.

Hi @Conor_Boyd,

Thanks for posting your question to the Octopus community forum!

It looks like you’re probably running into a known issue with your version of tentacle here: Issue 7298

We’ve fixed this in Tentacle versions 6.1.1320+, and you’re likely on the version of tentacle that shipped with your Octopus server (6.1.1304), so a quick fix here would be to upgrade your tentacle to a later version.

If you’d like to upgrade your tentacle, I would recommend testing this against a Target you have local access to before trying this across multiple at the same time. You can visit our Tentacle download page and either use an MSI, or we also show a convenient way to install via Chocolatey if you prefer:

choco install octopusdeploy.tentacle

Once the Tentacle upgrade has completed, you can confirm it was successful via a Health Check in the Octopus UI.

One note to help avoid confusion - you might wonder why the Octopus portal doesn’t show your tentacle as outdated when a new version is available for download, and this is simply due to the server checking if the tentacle version is at least the one released with your server version (6.1.1304 in your case). Anything at that version or above doesn’t get flagged as needing to be upgraded in the portal.

I hope that’s helpful, but let me know what you think!

Best,
Patrick
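
Added example, not part of the thread and not Octopus's own tooling: a PowerShell check that compares the DisplayVersion a scanner reads from the Uninstall key with the version stamped on the installed binary, which helps when triaging this kind of false positive or confirming the fix after an upgrade. The install path is an assumed default, and the script assumes the file version of Tentacle.exe tracks the Tentacle release number.

```powershell
param(
    # Assumption: default install location; change for custom installs.
    [string]$TentacleExe = 'C:\Program Files\Octopus Deploy\Tentacle\Tentacle.exe',
    # Product code quoted in the original post.
    [string]$ProductCode = '{D129CFF7-D3CA-4303-89D4-DC3B266F0B75}'
)

# First Tentacle version with the fix, per the reply above.
$fixedIn = [version]'6.1.1320'

$keyPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$ProductCode"
$entry   = Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue
if (-not $entry) {
    Write-Warning "Uninstall entry $ProductCode not found on $env:COMPUTERNAME"
    return
}
if (-not (Test-Path -LiteralPath $TentacleExe)) {
    Write-Warning "Tentacle binary not found at $TentacleExe"
    return
}

# What the scanner sees. A non-numeric DisplayVersion yields $null here.
$registryVersion = $entry.DisplayVersion -as [version]

# What is actually on disk (major.minor.build only).
$info        = (Get-Item -LiteralPath $TentacleExe).VersionInfo
$fileVersion = [version]('{0}.{1}.{2}' -f $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart)

# Normalise the registry value to three parts so 6.1.1320.0 equals 6.1.1320.
$registry3 = $null
if ($registryVersion) {
    $build     = [Math]::Max(0, $registryVersion.Build)
    $registry3 = [version]('{0}.{1}.{2}' -f $registryVersion.Major, $registryVersion.Minor, $build)
}

[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    RegistryVersion   = $entry.DisplayVersion
    FileVersion       = $fileVersion.ToString()
    VersionsMatch     = ($registry3 -eq $fileVersion)
    # True when the installed binary is at or past the fixed release.
    HasRegistryFix    = ($fileVersion -ge $fixedIn)
}
```

A row with VersionsMatch false and HasRegistryFix false is the condition described in this thread: the scanner's registry reading does not reflect the installed binary.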

Many thanks Patrick.

Good to know there’s a fix.

Yes, I’ve got a custom Chocolatey package already for installing tentacles, so I’ll go ahead and update that with the latest version of the tentacle MSI, and push it out.

Thanks!

Conor
