Description
An authenticated user with permission to modify deployment processes could upload a maliciously crafted YAML configuration, potentially allowing remote execution of arbitrary code in the same security context as the Octopus Server (on self-hosted installations this is the SYSTEM account by default).
If this issue is of concern to you and your team, we strongly recommend upgrading to version 2018.9.1.
CVE
CVE-2018-18850
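The advisory describes the general class of "crafted YAML leads to code execution": a loader that honours arbitrary type tags lets the document author choose which types get constructed, and the user who can edit a deployment process is the document author. The following is an added example, not code from Octopus Deploy or from this issue, and it does not reproduce the Octopus-specific payload (the page does not say what it was). It is a stand-alone pre-parse check that scans a YAML document for tags and refuses anything outside the core schema, the kind of gate you would put in front of a loader you cannot switch to a safe mode. The sample documents, the `tag:example.com,2018:launcher` tag and the helper names are constructed for illustration; the `!!python/object/apply:...` tag is the well-known PyYAML shape of this class, shown only because it is the standard illustration.

```python
import re
from dataclasses import dataclass

# Tags of the YAML core schema. Anything else asks the loader to construct a
# non-standard type, which is exactly what a crafted document exploits.
ALLOWED_TAGS = {
    "!",  # bare non-specific tag: resolve as plain str/seq/map
    "tag:yaml.org,2002:str", "tag:yaml.org,2002:int", "tag:yaml.org,2002:float",
    "tag:yaml.org,2002:bool", "tag:yaml.org,2002:null", "tag:yaml.org,2002:seq",
    "tag:yaml.org,2002:map", "tag:yaml.org,2002:timestamp", "tag:yaml.org,2002:binary",
}


@dataclass(frozen=True)
class TagUse:
    line: int   # 1-based line in the document
    tag: str    # resolved tag URI (or the raw local tag if it cannot be resolved)
    raw: str    # the tag exactly as written


# A tag token starts with '!' at the start of a token (after whitespace, '-', ':'
# or a flow indicator). Verbatim tags (!<...>) may contain ',' so they come first.
_TAG_RE = re.compile(r"(?<![^\s\-:\[\],{}])(!<[^>]*>|![^\s\[\],{}]*)")


def _strip_quoted_and_comments(line: str) -> str:
    """Blank out quoted scalars and trailing comments so a '!' inside them is
    not mistaken for a tag. Multi-line quoted scalars are not tracked, so a tag
    inside their continuation lines is reported anyway (a false positive, which
    is the safe direction for a gate like this)."""
    out, i, n = [], 0, len(line)
    while i < n:
        c = line[i]
        if c == '"':
            j = i + 1
            while j < n and line[j] != '"':
                if line[j] == "\\":
                    j += 1
                j += 1
            out.append(" ")
            i = j + 1
        elif c == "'":
            j = i + 1
            while j < n:
                if line[j] == "'":
                    if j + 1 < n and line[j + 1] == "'":  # '' is an escaped quote
                        j += 2
                        continue
                    break
                j += 1
            out.append(" ")
            i = j + 1
        elif c == "#" and (i == 0 or line[i - 1].isspace()):
            break  # comment runs to end of line
        else:
            out.append(c)
            i += 1
    return "".join(out)


def resolve_tag(raw: str) -> str:
    """Expand the two standard shorthand forms; leave local/named tags as-is."""
    if raw.startswith("!<") and raw.endswith(">"):
        return raw[2:-1]                      # verbatim: !<tag:...>
    if raw.startswith("!!"):
        return "tag:yaml.org,2002:" + raw[2:]  # default handle: !!int, !!python/...
    return raw                                 # "!", "!local" or "!h!suffix"


def find_tags(yaml_text: str) -> list[TagUse]:
    uses = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        for m in _TAG_RE.finditer(_strip_quoted_and_comments(line)):
            raw = m.group(1)
            uses.append(TagUse(lineno, resolve_tag(raw), raw))
    return uses


def disallowed_tags(yaml_text: str, allowed=ALLOWED_TAGS) -> list[TagUse]:
    return [u for u in find_tags(yaml_text) if u.tag not in allowed]


def assert_safe_yaml(yaml_text: str) -> None:
    """Raise before the document ever reaches a type-resolving loader."""
    bad = disallowed_tags(yaml_text)
    if bad:
        raise ValueError("refusing YAML with non-core tags: "
                         + ", ".join(f"line {u.line}: {u.raw}" for u in bad))


# Constructed sample: a benign deployment-process-like document. The '!' and '#'
# inside the quoted script body must not be reported.
BENIGN = """\
# constructed sample document
name: web-frontend
steps:
  - name: deploy
    properties:
      Octopus.Action.Script.ScriptBody: "echo '!not a tag' # not a comment"
      timeout: !!int "30"
"""

# Constructed sample: the same document carrying type tags an attacker controls.
MALICIOUS = """\
name: web-frontend
steps:
  - name: deploy
    run: !!python/object/apply:os.system ["whoami"]
    extra: !<tag:example.com,2018:launcher> {cmd: whoami}
"""

if __name__ == "__main__":
    assert_safe_yaml(BENIGN)
    for use in disallowed_tags(MALICIOUS):
        print(f"line {use.line}: {use.raw} -> {use.tag}")
```

This is a gate, not a substitute for the real fix: the loader itself must refuse to construct types from document-supplied tags (for PyYAML that is `safe_load`; for other libraries, a deserializer with no tag-to-type mapping registered). The scanner deliberately errs toward false positives, which is the right trade-off for a document that runs as SYSTEM if the check is wrong.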
Affected versions
Octopus Server: versions 2018.8.0 to 2018.9.0, inclusive.
Mitigation
In any version affected by this issue, we recommend upgrading to version 2018.9.1.
Workarounds
Where upgrading is not possible, running the Octopus Server built-in worker as a service account with limited privileges may reduce the impact of such an attack, because code executed through this issue then runs with that account's privileges rather than SYSTEM. This does not prevent an attacker from attempting to chain other attacks against the server.
See:
https://octopus.com/docs/administration/security/hardening-octopus#prevent-user-provided-scripts-from-doing-harm
https://octopus.com/docs/administration/workers/built-in-worker#running-tasks-on-the-octopus-server-as-a-different-user