WebSocket polling endpoint can allow untrusted connections #6637

Closed
5 tasks done
adam-mccoy opened this issue Oct 20, 2020 · 1 comment
Labels: area/security, kind/bug (This issue represents a verified problem we are committed to solving), priority (obsolete) (This issue has been recognised as a priority and should be addressed as soon as possible)

Comments

@adam-mccoy

Prerequisites

  • We are ready to publicly disclose this vulnerability or exploit according to our responsible disclosure process.
  • I have raised a CVE according to our CVE process
  • I have written a descriptive issue title
  • I have linked the original source of this report
  • I have tagged the issue appropriately (area/security, kind/bug, tag/regression?)

Description

If configured, the WebSocket polling endpoint can allow untrusted connections to be made under certain conditions. This endpoint is not enabled by default.

This issue does not affect Octopus Servers running on Linux, as the WebSocket polling endpoint is not available.

Affected versions

Octopus Server: 3.11.13 to 2020.4.5

Mitigation

Upgrade to the latest available supported version of Octopus Server.

Workarounds

Disable WebSocket endpoint

Use the following commands to disable the WebSocket endpoint.

.\Octopus.Server.exe service --instance <INSTANCE NAME> --stop
.\Octopus.Server.exe configure --instance <INSTANCE NAME> --commsListenWebSocket ""
.\Octopus.Server.exe service --instance <INSTANCE NAME> --start

Links

CVE: CVE-2020-27155
Internal Issue: https://github.com/OctopusDeploy/OctopusDeploy/issues/7424
PR: https://github.com/OctopusDeploy/OctopusDeploy/pull/7435

@adam-mccoy adam-mccoy added kind/bug This issue represents a verified problem we are committed to solving priority (obsolete) This issue has been recognised as a priority and should be addressed as soon as possible area/security labels Oct 20, 2020
@adam-mccoy adam-mccoy added this to the 2020.5.0 milestone Oct 20, 2020
@adam-mccoy adam-mccoy self-assigned this Oct 20, 2020
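The workaround above as one script, added here as an example; it is not code from the original issue or from Octopus Deploy. It checks whether the installed build falls in the affected range (3.11.13 to 2020.4.5), then runs the same stop / configure / start sequence, and finally prints the WebSocket-related configuration so the operator can confirm the listener is empty. Assumptions (not stated on the page): the path of Octopus.Server.exe, that its file ProductVersion carries the release number, that the build has a show-configuration command, and that the relevant setting's key name contains "WebSocket". The script name used in the usage note is hypothetical.

```powershell
# Added example, not part of the original issue or of Octopus Deploy's tooling.
# Assumptions: Octopus.Server.exe is at $ServerExe, its file ProductVersion
# holds the release number, and the caller runs as an administrator.
param(
    [Parameter(Mandatory = $true)][string] $InstanceName,
    [string] $ServerExe = '.\Octopus.Server.exe'
)

$ErrorActionPreference = 'Stop'

# Affected range from the advisory. System.Version orders 3.11.13 below
# 2020.4.5 numerically, so one comparison covers both numbering schemes.
$AffectedFrom = [version] '3.11.13'
$AffectedTo   = [version] '2020.4.5'

function Test-AffectedVersion {
    param([Parameter(Mandatory = $true)][string] $Version)
    # Keep only the dotted numeric part; that ProductVersion may carry a
    # "-" or "+" suffix (build metadata) is an assumption, handled defensively.
    $core = ($Version -split '[-+ ]')[0]
    $v = [version] $core
    return ($v -ge $AffectedFrom) -and ($v -le $AffectedTo)
}

function Invoke-OctopusServer {
    # Start-Process hands the argument string to the process verbatim, so the
    # empty value for --commsListenWebSocket survives. Calling the exe directly
    # from Windows PowerShell 5.1 would drop a bare "" argument.
    param([Parameter(Mandatory = $true)][string] $Arguments)
    $p = Start-Process -FilePath $ServerExe -ArgumentList $Arguments `
                       -NoNewWindow -Wait -PassThru
    if ($p.ExitCode -ne 0) {
        throw "Octopus.Server.exe $Arguments failed with exit code $($p.ExitCode)"
    }
}

$installed = (Get-Item $ServerExe).VersionInfo.ProductVersion
if (-not (Test-AffectedVersion $installed)) {
    Write-Host "Installed version $installed is outside 3.11.13 to 2020.4.5; nothing to do."
    return
}

Write-Host "Version $installed is affected; disabling the WebSocket endpoint on instance '$InstanceName'."
Invoke-OctopusServer "service --instance `"$InstanceName`" --stop"
Invoke-OctopusServer "configure --instance `"$InstanceName`" --commsListenWebSocket `"`""
Invoke-OctopusServer "service --instance `"$InstanceName`" --start"

# Verification. Assumptions: this build has the show-configuration command and
# the listener's key name contains "WebSocket". The matching lines are printed
# so the operator can confirm the value is now empty.
& $ServerExe show-configuration --instance $InstanceName |
    Select-String -Pattern 'WebSocket'
```

Save it as, for example, Disable-OctopusWebSocket.ps1 (hypothetical name) and run `.\Disable-OctopusWebSocket.ps1 -InstanceName OctopusServer` from the Octopus Server install directory in an elevated PowerShell session. Clearing the listener is only the workaround the advisory gives; upgrading to a supported version remains the fix.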
@octoreleasebot

Release Note: Fix bug where bash script can reveal sensitive variable values - CVE: CVE-2020-25825
