
Sensitive variables can be written in clear-text when using Offline Drop targets #3868

Closed
michaelnoonan opened this issue Oct 18, 2017 · 2 comments

michaelnoonan commented Oct 18, 2017

Issue

See private issue for more details: https://github.com/OctopusDeploy/OctopusDeploy/issues/1378

CVE-2017-15610

The sensitive variable value is written to the variable file as clear text.

Offline drop deployments generate two variable JSON files: one for normal variables which are written in clear-text, and one for sensitive variables which is encrypted using the Offline Drop Target's encryption password.

If any variable is sensitive, Octopus requires any Offline Drop Target to specify a valid encryption password, and any sensitive values will be encrypted into that file.

If your project uses complex nested bindings, the resulting values can be treated as non-sensitive and written to the clear-text variables file.

If an attacker can gain access to these offline drop files, they can gain the sensitive data without needing to decrypt it.

Affected versions

This affects Octopus 3.2.5 up to 3.17.6, and is fixed in Octopus 3.17.7.

Implemented solution

We now use the configuration of the Offline Drop Target as the switch. If the user has configured an encryption password, they have opted-in to have all their variables encrypted, regardless of whether there are any sensitive values or not.

Fixed by https://github.com/OctopusDeploy/OctopusDeploy/pull/1382

@michaelnoonan michaelnoonan added the priority (obsolete) This issue has been recognised as a priority and should be addressed as soon as possible label Oct 18, 2017
@michaelnoonan michaelnoonan added this to the 3.17.7 milestone Oct 18, 2017
@michaelnoonan michaelnoonan self-assigned this Oct 18, 2017
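An added illustration, written for this page by the editor and not taken from Octopus Deploy's code, of the two behaviours the issue describes: the pre-3.17.7 split, where a value is routed to the encrypted file only when its own variable is flagged sensitive (so a non-sensitive variable whose nested binding pulls in a secret ends up in the clear-text file), and the 3.17.7 rule where a configured encryption password switches every variable into the encrypted file. The `#{Var}` resolver is a deliberately simplified model of Octopus binding syntax; the variable names, values and function names are assumptions for the example.

```python
import json
import re

# Octopus-style binding syntax #{VariableName}. This resolver is a simplified
# model written for the example; it is not Octopus's own implementation.
BINDING = re.compile(r"#\{([^}]+)\}")


def resolve(name, variables, _stack=()):
    """Expand nested #{...} bindings in the value of variable `name`."""
    if name in _stack:
        raise ValueError(f"cyclic binding through {name!r}")
    value, _sensitive = variables[name]

    def expand(match):
        ref = match.group(1)
        if ref not in variables:
            return match.group(0)  # unknown binding is left untouched
        return resolve(ref, variables, _stack + (name,))

    return BINDING.sub(expand, value)


def split_vulnerable(variables, encryption_password):
    """Pre-3.17.7 behaviour as the issue describes it: a value lands in the
    encrypted file only if its *own* variable is flagged sensitive, so a
    non-sensitive variable whose binding expands to a secret leaks it."""
    clear, secret = {}, {}
    for name, (_, sensitive) in variables.items():
        target = secret if sensitive else clear
        target[name] = resolve(name, variables)
    if secret and not encryption_password:
        raise ValueError("sensitive variables present but no encryption password set")
    return clear, secret


def split_fixed(variables, encryption_password):
    """3.17.7 behaviour: the configured encryption password is the switch.
    If one is set, every resolved value goes to the encrypted file."""
    clear, secret = {}, {}
    for name, (_, sensitive) in variables.items():
        target = secret if (encryption_password or sensitive) else clear
        target[name] = resolve(name, variables)
    if secret and not encryption_password:
        raise ValueError("sensitive variables present but no encryption password set")
    return clear, secret


def find_leaks(clear, variables):
    """Audit check: which clear-text entries contain the raw value of a
    sensitive variable? Returns {clear_var: [sensitive_var, ...]}."""
    secrets = {n: v for n, (v, s) in variables.items() if s and v}
    leaks = {}
    for name, value in clear.items():
        hits = [s for s, sv in secrets.items() if sv in value]
        if hits:
            leaks[name] = hits
    return leaks


def render_files(clear, secret):
    """The two JSON documents of the drop, before the second is encrypted
    (the encryption step itself is outside the scope of this example)."""
    return (json.dumps(clear, indent=2, sort_keys=True),
            json.dumps(secret, indent=2, sort_keys=True))


# Constructed sample project, (value, is_sensitive). ConnectionString is not
# flagged sensitive itself but binds to DbPassword, which is.
SAMPLE_VARIABLES = {
    "DbPassword": ("S3cr3t!", True),
    "DbHost": ("db.internal", False),
    "ConnectionString": ("Server=#{DbHost};Password=#{DbPassword}", False),
    "AppName": ("Billing", False),
}

if __name__ == "__main__":
    clear, _ = split_vulnerable(SAMPLE_VARIABLES, "drop-password")
    print("vulnerable clear-text file leaks:", find_leaks(clear, SAMPLE_VARIABLES))
    clear, _ = split_fixed(SAMPLE_VARIABLES, "drop-password")
    print("fixed clear-text file leaks:", find_leaks(clear, SAMPLE_VARIABLES))
```

The `find_leaks` pass is the practical part for anyone still running an affected version: load the clear-text variables JSON from an existing drop folder and check it against the project's sensitive values before handing the folder to anyone who is not meant to see them.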
@michaelnoonan (Contributor, Author)

Release Note: When an offline drop target has defined the Encryption password, all variables will now be encrypted into the sensitive variables

lock bot commented Nov 24, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately.

@lock lock bot locked as resolved and limited conversation to collaborators Nov 24, 2018