Security Advisory 2024-10

Summary: Sensitive Variables Exposed in Logs
Advisory Number: 2024-10
Discovery Date: 27 NOV 2024
Patch Release Date: 02 DEC 2024
Advisory Release Date: 05 DEC 2024
Product: Kubernetes Worker or Kubernetes Agent
Severity: Medium
CVE ID: CVE-2024-12226

Customers who have downloaded and installed any of the Kubernetes worker or agent versions listed below ("Details") are affected.

Please upgrade your Kubernetes worker or agent immediately to fix this vulnerability.

Customers who have upgraded the Kubernetes worker or agent to version 1.19.0 or greater (1.x line) or version 2.8.0 or greater (2.x line) are not affected.

Severity

Octopus Deploy has given this vulnerability a medium rating. This rating was given according to the Octopus Deploy severity levels, which rank vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

Details

In affected versions of the Octopus Kubernetes worker or agent, sensitive variables could be written to the Kubernetes script pod log in clear text. This was identified in Version 2; however, it was determined that the same exposure could also be achieved in Version 1, and the fix was applied to both versions accordingly.

The versions of Kubernetes worker affected by this vulnerability are:

  • All 2.x versions before 2.8.0
  • All 1.x versions before 1.19.0

Fix

To address this vulnerability, we have released versions 1.19.0 and 2.8.0 of the Kubernetes worker and agent.

What You Need to Do

Octopus Deploy recommends that you upgrade to the latest relevant version (2.8.1 or 1.19.1). By default, V1 and V2 Kubernetes workers or agents automatically update to the latest version of their respective major version.

In the event that a manual update needs to be performed, upgrade guidance can be found on the Kubernetes worker troubleshooting page: https://octopus.com/docs/kubernetes/targets/kubernetes-agent/troubleshooting#health-checks-and-upgrades
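The following check is added here and is not part of the advisory or of Octopus Deploy's tooling: it applies the affected ranges above (1.x before 1.19.0, 2.x before 2.8.0) to the container image tags of running pods, so you can confirm whether any worker or agent still needs a manual upgrade. The image name filter ("octopus-kubernetes") and the sample pod lines are assumptions and constructed data; substitute the image name actually used in your cluster.

```python
"""Flag Octopus Kubernetes worker/agent pods whose image tag falls in the
ranges listed in Security Advisory 2024-10 (CVE-2024-12226)."""
import re
from typing import List, Optional, Tuple

# Fixed versions from the advisory; anything lower on the same major line is affected.
FIXED_VERSIONS = {1: (1, 19, 0), 2: (2, 8, 0)}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(tag: str) -> Optional[Tuple[int, int, int]]:
    """Parse tags such as '2.7.3', 'v1.18.2' or '2.7.3-beta.1' into (major, minor, patch).
    Returns None for tags that carry no version (e.g. 'latest')."""
    m = _VERSION_RE.match(tag.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_affected(tag: str) -> bool:
    """True when the tag is a 1.x version below 1.19.0 or a 2.x version below 2.8.0."""
    v = parse_version(tag)
    if v is None:
        return False
    fixed = FIXED_VERSIONS.get(v[0])
    return fixed is not None and v < fixed


# Constructed sample in the shape of
#   kubectl get pods -A -o custom-columns=NS:.metadata.namespace,POD:.metadata.name,IMAGE:.spec.containers[*].image
# with the header line removed. Image names are placeholders, not the real Octopus images.
SAMPLE_LINES = [
    "octopus-agent agent-abc example.registry/octopus-kubernetes-agent:2.7.3",
    "octopus-worker worker-def example.registry/octopus-kubernetes-worker:v1.19.0",
    "octopus-worker worker-ghi example.registry/octopus-kubernetes-worker:1.18.2",
    "octopus-agent agent-jkl example.registry/octopus-kubernetes-agent:latest",
    "kube-system coredns-xyz registry.k8s.io/coredns/coredns:v1.11.1",
]


def affected_pods(lines: List[str], image_filter: str = "octopus-kubernetes"):
    """Return (affected, unknown): pods on an affected version, and pods whose tag
    cannot be parsed (e.g. 'latest') and therefore need a manual look."""
    affected, unknown = [], []
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or image_filter not in parts[2]:
            continue  # ignore unrelated images such as coredns, whose 1.x tags would otherwise match
        ns, pod, image = parts[0], parts[1], parts[2]
        tag = image.rsplit(":", 1)[1] if ":" in image else ""
        if parse_version(tag) is None:
            unknown.append((ns, pod, tag))
        elif is_affected(tag):
            affected.append((ns, pod, tag))
    return affected, unknown
```

Pods listed under "unknown" run an image without a version tag, so check the running binary's reported version rather than assuming they are patched.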

Mitigation

Restricting access to, and collection of, Kubernetes pod logs can be used as a mitigation for CVE-2024-12226; however, it is important to upgrade to a fixed version as soon as possible.

Support

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

Exploitation and Public Announcements

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

This vulnerability was found by an Octopus Deploy customer.