Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            Double Octopus Security Mitigation Advisory - CVE-2021-44228

            Modified on Tue, 13 Sep, 2022 at 9:39 PM

            Introduction

            This Security Alert addresses CVE-2021-44228, a remote code execution vulnerability in Apache Log4j. It is remotely exploitable without authentication, i.e. may be exploited over a network without the need for a username and password. 

            Please note that the Octopus Authentication Server is not using this package nor directly affected by this vulnerability but log4j is installed as part of the Elasticsearch engine, in the MC, only.

             

            Affected Products

            Log4j 2 is an open-source Java logging library developed by the Apache Foundation. Specifically, products using Apache Log4j2 <=2.14.1 JNDI version will be affected. 

            The Octopus solution is not directly affected by this vulnerability but log4j is installed as part of the Elasticsearch engine in the Management Console (MC).

            The Elasticsearch engine is typically only accessible internally as part of the Octopus Management Console and therefore, less vulnerable to external attack.

             

            Mitigation and Remediation

            Secret Double Octopus Patch 9012 is a prevention patch that implements the market-recommended solution for mitigating the recently discovered Log4j vulnerability CVE-2021-44228.


            The patch is for all Octopus Management Console server versions between 4.6.4 to 5.0.4.

            The patch should be installed on Management Console Servers only. No need to install it on the Octopus Authentication Server or Octopus Authentication Server DMZ.


            For more information please this blog here on our website.


            The patch and release notes can be directly downloaded from the below attachment or from HERE.


            Note: If you're running Linux 8.0, please install the zip package by running the following command: "yum install zip"


            Note: Removing Log4j from Octopus Authentication Servers and DMZ Servers

            The Octopus Authentication Server does not use Log4j, and this library is not installed by the

            Octopus installer. If Log4j is installed, it can be removed from the Octopus Authentication 

            Server and Octopus Authentication Server on the DMZ without any impact on the operation of the

            Octopus solution.


            To check if Log4j is installed on the server, run the following command:

            find / -name log4j* -print


            To remove Log4j, run the following command:

            sudo rpm -e logstash elasticsearch




            NOTE: Secret Double Octopus included the Log4j fix to all future version from 5.0.8 and above.


            Attachments (1)

            zip

            Patch SSA-91....zip
            824 KB

            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select at least one of the reasons
            CAPTCHA verification is required.

            Feedback sent

            We appreciate your effort and will try to fix the article