Octopus Server Vulnerability Lets Attackers Escalate Privileges

Octopus Server is a widely used deployment automation tool: it deploys applications, runs runbooks, and executes operational tasks across environments. A high-severity vulnerability has now been identified in it, tracked as CVE-2024-2975. It allows an attacker to escalate privileges by exploiting a race condition in the software.

An overview of CVE-2024-2975

The race condition was reported on February 20, 2024, and a patch was released on March 21, 2024. On April 2, 2024, Octopus Deploy published an advisory describing the high-severity flaw in detail, including its impact on Octopus Server running on both Linux and Microsoft Windows.

Affected Versions of Octopus Server

The following Octopus Server releases are affected:

  1. All 0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x versions
  2. All 2018.x.x, 2019.x.x, 2020.x.x, 2021.x.x, 2022.x.x versions
  3. All 2023.1.x, 2023.2.x, 2023.3.x versions
  4. All 2023.4.x versions before 2023.4.8432
  5. All 2024.1.x versions before 2024.1.12087
  6. All 2024.2.x versions before 2024.2.2075

If your installation runs any version in this list, update it promptly. Upgrading to a patched build is the only way to remove the flaw and mitigate the risk.

Steps To Fix The Issue

Some users are not aware of the fixes available for CVE-2024-2975. There is no workaround: the fix is to upgrade the server to a patched version.

Note: Octopus Deploy has released the following patched versions of Octopus Server:

  1. 2023.4.8432
  2. 2024.1.12087
  3. 2024.2.2075

Recommendations For The Server Upgrade

It is strongly recommended to upgrade Octopus Server to the latest patched release for your release line (of the three builds listed above, 2024.2.2075 is the newest). For every release line older than 2023.4, the upgrade target named by the advisory is 2024.1.12087. Any of these patched builds closes the vulnerability.

If you cannot move to the latest release, upgrade at least to the minimum fixed build for your release line:

  1. For versions 0.x.x to 4.x.x, and 2018.x to 2022.x: Upgrade to 2024.1.12087 or greater
  2. For versions 2023.1.x to 2023.3.x: Upgrade to 2024.1.12087 or greater
  3. For versions 2023.4.x: Upgrade to 2023.4.8432 or greater
  4. For versions 2024.1.x: Upgrade to 2024.1.12087 or greater
  5. For versions 2024.2.x: Upgrade to 2024.2.2075 or greater
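To turn the affected-version list and the upgrade paths above into a check you can run against an installation, here is an added example that is not part of the original article and not a tool shipped by Octopus Deploy. It parses an Octopus Server version string, reports whether it falls inside one of the affected ranges, and returns the minimum fixed build to move to. The ranges and fixed builds are taken from the lists above; the version strings in the `__main__` block are constructed samples, and release lines the advisory does not mention (2024.3 and later) are treated as not listed rather than as confirmed safe.

```python
"""Check an Octopus Server version against the CVE-2024-2975 advisory ranges.

Added example, not Octopus Deploy's own code. Ranges and fixed builds come
from the advisory lists quoted in the article; anything not in those lists is
reported as "not listed", which is not the same as "verified safe".
"""
import re
from typing import Optional, Tuple

# Minimum fixed build per release line that received a patch.
FIXED_BUILDS = {
    (2023, 4): 8432,
    (2024, 1): 12087,
    (2024, 2): 2075,
}

# Upgrade target the advisory names for every older, unpatched release line.
FALLBACK_TARGET = "2024.1.12087"


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '2024.1.12087', '3.17.14' or '2023.4.8432-hotfix' into (major, minor, build).

    Missing components default to 0; a trailing tag after '-' is ignored.
    """
    nums = re.findall(r"\d+", version.strip().split("-")[0])
    if not nums:
        raise ValueError(f"unrecognised Octopus version string: {version!r}")
    major, minor, build = (list(map(int, nums)) + [0, 0, 0])[:3]
    return major, minor, build


def is_affected(version: str) -> bool:
    """True if the version falls inside an affected range of CVE-2024-2975."""
    major, minor, build = parse_version(version)
    if major <= 4 or 2018 <= major <= 2022:
        return True                      # 0.x-4.x and 2018.x-2022.x: no patched build
    if major == 2023 and minor in (1, 2, 3):
        return True                      # 2023.1-2023.3: no patched build
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is not None:
        return build < fixed             # 2023.4 / 2024.1 / 2024.2 before the fix
    return False                         # release line not listed by the advisory


def recommended_upgrade(version: str) -> Optional[str]:
    """Minimum build to move to, or None if the version is not affected."""
    if not is_affected(version):
        return None
    major, minor, _ = parse_version(version)
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is not None:
        return f"{major}.{minor}.{fixed}"  # stay on the same line, take its fixed build
    return FALLBACK_TARGET                 # older lines: jump to 2024.1.12087


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for sample in ["3.17.14", "2022.3.10000", "2023.2.13584",
                   "2023.4.8000", "2024.1.12087", "2024.2.2074"]:
        target = recommended_upgrade(sample)
        status = f"affected, upgrade to {target} or greater" if target else "not listed as affected"
        print(f"{sample:>14}: {status}")
```

Run it with the build string shown in the Octopus Server web UI (or in the server's version output) to get the exact target before scheduling the upgrade.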

Exploitation Status

The Octopus Deploy security team has seen no public disclosure of exploit details and no malicious exploitation of CVE-2024-2975. Given the severity of the issue, however, users are advised to act quickly.

The discovery of CVE-2024-2975 underlines the importance of running up-to-date software as a defence against security risks. Octopus Server customers should check which version they are running and upgrade as soon as possible to protect their systems from this serious vulnerability.