Introduction

This Security Alert addresses CVE-2021-44228, a remote code execution vulnerability in Apache Log4j. It is remotely exploitable without authentication, i.e. it may be exploited over a network without a username and password.

Please note that the Octopus Authentication Server does not use this package and is not directly affected by this vulnerability; Log4j is installed only as part of the Elasticsearch engine in the Management Console (MC).

Affected Products

Log4j 2 is an open-source Java logging library developed by the Apache Foundation. Specifically, products using Apache Log4j 2 versions up to and including 2.14.1, in which the JNDI lookup feature is present, are affected.

The Octopus solution is not directly affected by this vulnerability, but Log4j is installed as part of the Elasticsearch engine in the Management Console (MC).

The Elasticsearch engine is typically accessible only internally, as part of the Octopus Management Console, and is therefore less vulnerable to external attack.

Mitigation and Remediation

Secret Double Octopus Patch 9012 is a prevention patch that implements the market-recommended solution for mitigating the recently discovered Log4j vulnerability CVE-2021-44228.


The patch is for all Octopus Management Console server versions from 4.6.4 to 5.0.4.

The patch should be installed on Management Console servers only; it does not need to be installed on the Octopus Authentication Server or the Octopus Authentication Server DMZ.


For more information, please see the blog post on our website.


The patch and release notes can be downloaded directly from the attachment below or from HERE.


Note: If you're running Linux 8.0, please install the zip package by running the following command:

yum install zip


Note: Removing Log4j from Octopus Authentication Servers and DMZ Servers

The Octopus Authentication Server does not use Log4j, and this library is not installed by the Octopus installer. If Log4j is installed, it can be removed from the Octopus Authentication Server and the Octopus Authentication Server on the DMZ without any impact on the operation of the Octopus solution.


To check whether Log4j is installed on the server, run the following command (the pattern is quoted so that the shell passes it to find unexpanded):

find / -name 'log4j*' -print


To remove Log4j, run the following command:

sudo rpm -e logstash elasticsearch
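As an added example (not part of this advisory and not code from the Secret Double Octopus patch), the following POSIX shell script goes one step beyond the find command above: it inventories Log4j jar files under a directory, reads each version from the file name, flags versions in the affected range stated above (Log4j 2 up to and including 2.14.1), and, where unzip is available, reports whether the JndiLookup class that CVE-2021-44228 abuses is still inside the jar. All function names are the example's own; version detection assumes the standard log4j-<artifact>-<version>.jar naming, and the sample files created in the usage section are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Secret Double Octopus advisory or its patch.
# Inventories Log4j jar files under a directory, reads the version from the
# file name (Log4j artifacts are normally named like log4j-core-2.14.1.jar)
# and flags versions in the advisory's affected range (Log4j 2 <= 2.14.1).
# Where unzip is available it also reports whether the JndiLookup class,
# the component CVE-2021-44228 abuses, is still present in the jar.

# Compare two dotted version strings field by field; prints -1, 0 or 1.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}                          # leading field of each
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac   # drop that field
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
        fa=${fa:-0}; fb=${fb:-0}                          # missing fields count as 0
        if [ "$fa" -lt "$fb" ]; then printf '%s\n' -1; return; fi
        if [ "$fa" -gt "$fb" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Map a version string to a status relative to the advisory's affected range.
classify() {
    case "$1" in
        unknown) echo "version-unknown" ;;
        1.*)     echo "log4j-1.x-outside-advisory" ;;   # CVE-2021-44228 is a Log4j 2 issue
        *) if [ "$(vercmp "$1" 2.14.1)" -le 0 ]; then echo "AFFECTED"
           else echo "not-in-affected-range"; fi ;;
    esac
}

# Extract the version from a jar file name (log4j-<artifact>-<version>.jar), or "unknown".
version_from_name() {
    v=$(basename "$1" | sed -n 's/.*log4j.*-\([0-9][0-9.]*\)\.jar$/\1/p')
    echo "${v:-unknown}"
}

# Report whether the JndiLookup class is still inside the jar (needs unzip).
jndi_class_present() {
    if ! command -v unzip >/dev/null 2>&1; then echo "unzip-unavailable"; return; fi
    unzip -l "$1" >/dev/null 2>&1 || { echo "jar-unreadable"; return; }
    if unzip -l "$1" 2>/dev/null | grep -q 'org/apache/logging/log4j/core/lookup/JndiLookup\.class'; then
        echo "JndiLookup-present"
    else
        echo "JndiLookup-absent"
    fi
}

# Walk a directory tree and print one line per Log4j jar:
# <path> <version> <status> <jndi-class-status>
scan_log4j() {
    find "$1" -type f -name 'log4j*.jar' 2>/dev/null | while read -r jar; do
        ver=$(version_from_name "$jar")
        status=$(classify "$ver")
        jndi=$(jndi_class_present "$jar")
        printf '%s %s %s %s\n' "$jar" "$ver" "$status" "$jndi"
    done
}

# Usage: sh log4j_inventory.sh <directory>   (e.g. / on a Management Console server)
if [ "$#" -ge 1 ]; then
    scan_log4j "$1"
fi
```

Run it as sh log4j_inventory.sh / on a Management Console server (scanning the whole file system takes a while). A line marked AFFECTED together with JndiLookup-present identifies a jar that still carries the vulnerable lookup class; version-unknown means the file name did not follow the usual naming and the jar should be inspected by hand.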