CVE-2022-2783 In Octopus Server, session cookies could be used as CSRF tokens.

which could allow an attacker to gain access to a system without a cookie being issued. This has been fixed in a security hotfix that was released on October 15th and will be included in all newly installed versions of Octopus Server and Octopus Data Hub.
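The weakness described above is that the server accepted the value of the session cookie as the anti-forgery token, so the token no longer proved that a state-changing request originated from the application's own page. The following added example (not code from Octopus Server or this advisory; cookie name, form field name and the in-memory session store are assumptions for illustration) shows a minimal version of that weak check beside a hardened one: the hardened check requires a random per-session token stored server-side, rejects a token that merely repeats the session cookie, and compares in constant time.

```python
import hmac
import secrets

# Constructed, in-memory session store: session id -> session state.
# A real server would use its own session backend.
SESSIONS = {}

# Assumed names for illustration; not the product's real cookie or field names.
SESSION_COOKIE = "session_id"
CSRF_FIELD = "csrf_token"


def create_session():
    """Create a session and a CSRF token that is independent of the session id."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"csrf_token": secrets.token_urlsafe(32)}
    return session_id


def csrf_check_vulnerable(cookies, form):
    """Weak check, modelling the advisory's flaw: the session cookie value is
    accepted as the anti-forgery token. A request that simply echoes the cookie
    value into the form field passes, so the token adds no protection."""
    session_id = cookies.get(SESSION_COOKIE)
    token = form.get(CSRF_FIELD)
    return session_id is not None and token == session_id


def csrf_check_hardened(cookies, form):
    """Hardened check: the submitted token must equal the random per-session
    token held server-side, must not merely repeat the session cookie, and is
    compared in constant time to avoid leaking it through timing."""
    session_id = cookies.get(SESSION_COOKIE)
    token = form.get(CSRF_FIELD)
    if not session_id or not token:
        return False
    session = SESSIONS.get(session_id)
    if session is None:
        return False
    token_b = token.encode()
    # Explicitly refuse the cookie-as-token pattern.
    if hmac.compare_digest(token_b, session_id.encode()):
        return False
    return hmac.compare_digest(token_b, session["csrf_token"].encode())


def handle_request(cookies, form, check):
    """Simulated state-changing endpoint: 403 when the CSRF check fails, else 200."""
    if not check(cookies, form):
        return 403
    return 200


if __name__ == "__main__":
    sid = create_session()
    cookies = {SESSION_COOKIE: sid}
    # Cookie value echoed as the token: passes the weak check, fails the hardened one.
    print(handle_request(cookies, {CSRF_FIELD: sid}, csrf_check_vulnerable))
    print(handle_request(cookies, {CSRF_FIELD: sid}, csrf_check_hardened))
    # The genuine per-session token passes the hardened check.
    print(handle_request(cookies, {CSRF_FIELD: SESSIONS[sid]["csrf_token"]}, csrf_check_hardened))
```

The design point is separation: the session cookie authenticates the browser, while the CSRF token proves the request came from a page the server rendered for that session. When one value serves both roles, the second proof collapses into the first.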

It was also found that in some cases, when upgrading Octopus Data Hub from an earlier version to a later one, the upgrade process could leave an older version of Octopus Data Hub running in the background and exposed to the internet, allowing attackers to reach that older version. This issue has been resolved in a security hotfix released on October 15th and will be included in all newly installed versions of Octopus Data Hub.

It was also found that for some customers with a custom domain name, when upgrading Octopus Data Hub between versions, the upgrade process could leave an older version of Octopus Data Hub running in the background and exposed to the internet, allowing attackers to reach that older version. This issue has been resolved in a security hotfix released on October 15th and will be included in all newly installed versions of Octopus Data Hub.

What to do if you are affected?

If you are running a production environment, please ensure that those instances of the older version of Octopus Data Hub are shut down before upgrading to the latest release. If you are not running a production environment, restarting all instances may be sufficient for resolving this issue.

If you have any questions about this or if your environment is affected, please contact support.

What is being done to resolve these issues?

Octopus will be releasing a security hotfix on October 15th that addresses all three of these issues; it will be included in all newly installed versions of Octopus Server and Octopus Data Hub.

What is Octopus Data Hub?

Octopus Data Hub is a data management platform that provides an API to ingest, transform, manage, and store data from many different sources.

Timeline

Published on: 10/06/2022 18:15:00 UTC
Last modified on: 11/08/2022 19:41:00 UTC
