In June 2022, the security team at Octopus Deploy disclosed a vulnerability tracked as CVE-2022-2721. This issue affects some versions of Octopus Server, where sensitive target discovery values could be written in plain-text to the logs when verbose logging is enabled. In this long read, we’ll break down how the bug works, walk through what it means for your infrastructure, and show how you can identify if you’re at risk — complete with code snippets and step-by-step testing details.

What is Octopus Server Target Discovery?

Octopus Server helps automate deployment, release management, and operations tasks for your software. When you add new deployment "targets" (like servers, cloud services, or even Kubernetes clusters), Octopus Server tries to "discover" details about those endpoints—credentials, addresses, and other info—to make integration seamless.

Some of these details can be *sensitive*, like API keys or secret tokens.

The Core Problem: Verbose Logging Exposes Secrets

In versions affected by CVE-2022-2721, running Octopus Server with verbose logging turned on causes certain sensitive discovery results to be saved in full, readable text to the application’s log file—even if Octopus’s config marks the values as sensitive.

- Sensitive values: This includes passwords, keys, connection strings, and tokens.
- Log files: By default, log files don’t sanitize or redact the values, making them searchable and accessible to attackers or any user with server access.
- Impact: If a bad actor gets access to your log files, they could steal secrets and compromise all connected systems.

Demonstrating the Vulnerability

Let's look at a simplified example based on Octopus’s discovery process and the problematic logging.

Suppose the target discovery code returns details like this in a .NET object:

var discoveryResult = new {
    Host = "10.0.2.5",
    Username = "testuser",
    Password = "SuperSecretPassword123",   // Marked as sensitive in the schema
    Port = 22
};

When verbose logging is enabled, Octopus may log the full discoveryResult object, even the password:

if (verboseLogging)
{
    // The whole object is serialized as-is, including the properties the schema marks as sensitive
    log.Info($"Discovered target details: {JsonConvert.SerializeObject(discoveryResult)}");
}

What Appears in the Log File:

INFO  Discovered target details: {
  "Host": "10.0.2.5",
  "Username": "testuser",
  "Password": "SuperSecretPassword123",
  "Port": 22
}
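To show what the fix looks like in practice, here is an added Python rendition of the same logging path; it is example code, not Octopus code and not from the original post. `log_discovery_vulnerable` reproduces the behaviour above, while `log_discovery_fixed` passes the object through a `redact` helper before serializing it. The sensitive-key markers are a constructed stand-in for the schema's sensitive flag; the product's real field names and logging API are assumptions, not taken from the product.

```python
import json
import re

# Constructed stand-in for the schema's "sensitive" flag: any key whose normalised
# name contains one of these markers is treated as sensitive. (Assumption, not the
# product's real schema.)
SENSITIVE_MARKERS = ("password", "apikey", "token", "secret", "connectionstring", "privatekey")
REDACTED = "***REDACTED***"


def is_sensitive_key(key: str) -> bool:
    """Normalise the key (lower-case, strip separators) and look for a sensitive marker."""
    norm = re.sub(r"[^a-z0-9]", "", key.lower())
    return any(marker in norm for marker in SENSITIVE_MARKERS)


def redact(obj):
    """Return a copy of obj with every sensitive value, at any depth, replaced by REDACTED."""
    if isinstance(obj, dict):
        return {k: (REDACTED if is_sensitive_key(k) else redact(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def log_discovery_vulnerable(result: dict, verbose: bool):
    """Python rendition of the page's snippet: the full object is serialised when verbose is on."""
    if verbose:
        return f"INFO  Discovered target details: {json.dumps(result)}"
    return None


def log_discovery_fixed(result: dict, verbose: bool):
    """Same log line, but sensitive values are redacted before serialisation."""
    if verbose:
        return f"INFO  Discovered target details: {json.dumps(redact(result))}"
    return None


# Constructed discovery result matching the page's example, plus a nested cloud block
# to show that redaction has to recurse, not just look at top-level keys.
DISCOVERY = {
    "Host": "10.0.2.5",
    "Username": "testuser",
    "Password": "SuperSecretPassword123",
    "Port": 22,
    "Cloud": {"ApiKey": "API-EXAMPLE-KEY", "Region": "eu-west"},
}

if __name__ == "__main__":
    print(log_discovery_vulnerable(DISCOVERY, verbose=True))  # secret visible in the line
    print(log_discovery_fixed(DISCOVERY, verbose=True))       # secret replaced by REDACTED
```

The design point is that redaction happens on the object before serialization, not by pattern-matching the finished log line: once a value is inside a string it is much harder to tell apart from legitimate text, and a regex that misses one field layout leaks the secret anyway.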

Testing It Yourself

WARNING: Only test on non-production, non-sensitive environments.

Search for sensitive values:

Look for lines like Discovered target details: and see if your test password/token appears.
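For the check described above, here is an added Python scanner (example code, not Octopus's own tooling and not from the original post). It walks a log, pulls out each `Discovered target details:` record, including the multi-line form shown earlier, parses the JSON and reports the key path of every populated sensitive field together with a short SHA-256 fingerprint of the value rather than the value itself, so you can confirm it matches the test password you planted without copying the secret into yet another file. The sample log lines and the sensitive-key markers are constructed for the example; the real log format and schema flag are assumptions.

```python
import hashlib
import json
import re

MARKER = "Discovered target details:"
# Constructed stand-in for the schema's sensitive flag (assumption, not the real schema).
SENSITIVE_MARKERS = ("password", "apikey", "token", "secret", "connectionstring", "privatekey")


def is_sensitive_key(key: str) -> bool:
    norm = re.sub(r"[^a-z0-9]", "", key.lower())
    return any(marker in norm for marker in SENSITIVE_MARKERS)


def fingerprint(value: str) -> str:
    """Short SHA-256 prefix: enough to match against a known test secret, never the value itself."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]


def extract_payloads(lines):
    """Yield (line_no, json_text) for each discovery record; a record may span several lines."""
    buf, depth, start = None, 0, 0
    for n, line in enumerate(lines, 1):
        if buf is None:
            idx = line.find(MARKER)
            if idx < 0:
                continue
            line = line[idx + len(MARKER):]
            if "{" not in line:
                continue  # marker without a JSON object on the same line; nothing to parse
            buf, start = [], n
        buf.append(line)
        # Naive brace balancing; braces inside string values would confuse it.
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            yield start, "".join(buf)
            buf, depth = None, 0


def find_sensitive_paths(obj, path=""):
    """Return [(key_path, fingerprint)] for every non-empty sensitive value in obj."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}.{k}" if path else k
            if is_sensitive_key(k) and v not in (None, ""):
                hits.append((p, fingerprint(str(v))))
            else:
                hits.extend(find_sensitive_paths(v, p))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(find_sensitive_paths(v, f"{path}[{i}]"))
    return hits


def scan_log(lines):
    """Return [(line_no, key_path, fingerprint)]; unparseable records are reported too."""
    findings = []
    for line_no, payload in extract_payloads(lines):
        try:
            obj = json.loads(payload)
        except json.JSONDecodeError:
            findings.append((line_no, "<unparseable record>", None))
            continue
        for key_path, fp in find_sensitive_paths(obj):
            findings.append((line_no, key_path, fp))
    return findings


def scan_file(path):
    with open(path, encoding="utf-8", errors="replace") as f:
        return scan_log(f)


# Constructed sample log: one multi-line record (like the page's), one record with an
# empty password, one nested cloud record, and two unrelated lines.
SAMPLE_LOG = """\
2022-06-01 10:00:00.001 +00:00 INFO  Starting target discovery
2022-06-01 10:00:00.120 +00:00 INFO  Discovered target details: {
  "Host": "10.0.2.5",
  "Username": "testuser",
  "Password": "SuperSecretPassword123",
  "Port": 22
}
2022-06-01 10:00:01.000 +00:00 INFO  Discovered target details: {"Host": "10.0.2.6", "Username": "svc", "Password": "", "Port": 22}
2022-06-01 10:00:02.000 +00:00 INFO  Discovered target details: {"Name": "aks-test", "Cloud": {"ClientSecret": "abc123", "TenantId": "t-1"}}
2022-06-01 10:00:03.000 +00:00 INFO  Discovery finished
""".splitlines()

if __name__ == "__main__":
    for line_no, key_path, fp in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {key_path} (sha256 prefix {fp})")
```

Run it against a real file with `scan_file("/path/to/OctopusServer.txt")`. Because the report carries only a hash prefix, it can be attached to a ticket or shared with the team that owns the credential without becoming a second copy of the secret; compare the prefix against `fingerprint("<your test value>")` to confirm a hit is the value you planted.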

Official References and Patch Info

- Original Octopus Advisories
- NVD Entry (CVE-2022-2721)
- GitHub - OctopusDeploy/Issues

Fixed in: Octopus Server 2022.2.822 and newer

UPGRADE ASAP! If you’re running an older version, especially if you ever had verbose logging enabled, your secrets could be in your logs.

Exploit Details: How Real Attacks Might Happen

This bug is not a “remote exploit” — but rather a classic *secondary exposure* in the software supply chain:

- Insider threat: Anyone with log file access can scrape and collect passwords and keys.
- Leaked logs: Backups, support packages, or accidentally published logs (to cloud buckets, etc.) can leak secrets to the public.

# Example: Quickly finding secrets in logs
grep -i "password" /path/to/OctopusServer.txt

1. If you find real creds—rotate them immediately!
2. Purge old logs — especially if they were generated with verbose logging.
3. Audit for leaked secrets — using tools like truffleHog or gitleaks.
4. Rotate all exposed credentials that may have been logged.
5. Review logging levels in production — only use verbose logging temporarily and never for normal operations.

Final Thoughts

CVE-2022-2721 is a reminder that “just logs” can be a rich source of security incidents, especially in environments where verbose logging is a default troubleshooting option. If you run Octopus Server and ever enabled verbose logs, you should *immediately* check your logs for secrets, delete any affected files, and upgrade to a fixed release.

References
- NVD: CVE-2022-2721
- Octopus Advisory
- GitHub Issue

Timeline

Published on: 11/25/2022 05:15:00 UTC
Last modified on: 11/29/2022 20:25:00 UTC