Octopus Server Flaw Let Attackers Escalate Privilege

Octopus Deploy has disclosed a high-severity security flaw in Octopus Server, its widely used automation platform for deployments, operations runbooks, and development tasks.

The vulnerability, tracked as CVE-2024-2975, could allow an attacker to escalate privileges by exploiting a race condition in the software.

Summary of the Vulnerability – CVE-2024-2975

The race condition vulnerability was discovered on February 20, 2024, and a patch was released on March 21, 2024.

Octopus Deploy issued an advisory on April 2, 2024, detailing the high-severity flaw, which affects Octopus Server installations on both Linux and Microsoft Windows.

Affected Versions

The affected versions span several years of Octopus Server releases:

  • All 0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x versions
  • All 2018.x.x, 2019.x.x, 2020.x.x, 2021.x.x, 2022.x.x versions
  • All 2023.1.x, 2023.2.x, 2023.3.x versions
  • All 2023.4.x versions before 2023.4.8432
  • All 2024.1.x versions before 2024.1.12087
  • All 2024.2.x versions before 2024.2.2075

Customers using any of these versions are urged to upgrade immediately to mitigate the risk posed by this vulnerability.

The Fix and Mitigation

Octopus Deploy has not identified any workarounds or mitigations for CVE-2024-2975, so upgrading to a fixed version is the only remediation.

The company has released the following patched versions of Octopus Server:

  • 2023.4.8432
  • 2024.1.12087
  • 2024.2.2075

Upgrade Recommendations

Octopus Deploy recommends upgrading to the latest fixed version, 2024.1.12087, to ensure protection against the vulnerability.

For users who need to stay on their current release line, the following upgrade paths are advised:

  • For versions 0.x.x to 4.x.x, and 2018.x to 2022.x: Upgrade to 2024.1.12087 or greater
  • For versions 2023.1.x to 2023.3.x: Upgrade to 2024.1.12087 or greater
  • For versions 2023.4.x: Upgrade to 2023.4.8432 or greater
  • For versions 2024.1.x: Upgrade to 2024.1.12087 or greater
  • For versions 2024.2.x: Upgrade to 2024.2.2075 or greater
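Because the affected ranges and the fixed builds are spread across several release lines, it is easy to misjudge a single installation. The following script, an added example and not Octopus Deploy's own tooling, encodes the affected ranges and fixed builds listed above and reports, for a given Octopus Server version string, whether it is affected by CVE-2024-2975 and which build the upgrade paths point to. It assumes versions are plain dotted integers such as "2023.4.8100" (pre-release suffixes are not handled), and the inventory at the bottom is constructed sample data, not real hosts.

```python
"""Triage Octopus Server versions against the CVE-2024-2975 advisory ranges.

Added example, not Octopus Deploy code. Ranges and fixed builds are those
listed in the advisory text; everything else (version format, inventory) is
an assumption made for illustration.
"""
from typing import Dict, List, Optional, Tuple

# First fixed build in each release line that received a patch, per the advisory.
FIXED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (2023, 4): (2023, 4, 8432),
    (2024, 1): (2024, 1, 12087),
    (2024, 2): (2024, 2, 2075),
}

# The advisory recommends 2024.1.12087 for every older line without its own patch.
LATEST_FIXED: Tuple[int, int, int] = (2024, 1, 12087)


def parse_version(s: str) -> Tuple[int, ...]:
    """Parse a dotted numeric version; rejects anything non-numeric."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {s!r}")
    return tuple(int(p) for p in parts)


def _line(v: Tuple[int, ...]) -> Tuple[int, int]:
    """Release line (major, minor) of a parsed version; a bare major counts as .0."""
    return (v[0], v[1] if len(v) > 1 else 0)


def is_affected(version: str) -> bool:
    """True if the version falls in one of the advisory's affected ranges."""
    v = parse_version(version)
    line = _line(v)
    # Every release line before 2023.4 (0.x through 2023.3.x) is affected outright.
    if line < (2023, 4):
        return True
    fix = FIXED.get(line)
    if fix is None:
        # Release lines newer than 2024.2 are not in the advisory's affected list.
        return False
    # Pad to three components so "2023.4" compares as 2023.4.0.
    v3 = (v + (0, 0, 0))[:3]
    return v3 < fix


def recommended_upgrade(version: str) -> Optional[str]:
    """Minimum fixed build the advisory's upgrade paths point to, or None if not affected."""
    if not is_affected(version):
        return None
    target = FIXED.get(_line(parse_version(version)), LATEST_FIXED)
    return ".".join(str(x) for x in target)


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, version, upgrade_target) for every affected host in the inventory."""
    findings = []
    for host, version in sorted(inventory.items()):
        target = recommended_upgrade(version)
        if target is not None:
            findings.append((host, version, target))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory (hostname -> installed Octopus Server version).
    sample = {
        "octo-prod-01": "2023.4.8100",
        "octo-prod-02": "2024.1.12087",
        "octo-legacy": "2019.13.2",
        "octo-staging": "2024.2.2000",
    }
    for host, version, target in triage(sample):
        print(f"{host}: {version} is affected by CVE-2024-2975, upgrade to {target} or greater")
```

Feeding the script the version reported by each server's About page or API gives a quick first-pass list of hosts that still need the patch; it deliberately treats a version on an unlisted newer release line as not affected rather than guessing, so a surprising "not affected" result for an unfamiliar version string should be checked against the vendor advisory by hand.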

Support and Exploitation Status

Octopus Deploy's security team has not observed any public disclosure of exploit details or any malicious exploitation of CVE-2024-2975.

However, given the flaw’s severity, users are encouraged to take immediate action.

The discovery of CVE-2024-2975 reminds us of the importance of maintaining up-to-date software to safeguard against potential security threats.
Octopus Server users should review their installed versions and promptly upgrade to secure their systems from this high-severity vulnerability.


Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.