It may not have a cool code name, but this is a very severe problem:
A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who successfully exploited this vulnerability could execute arbitrary code in the context of the System account.
As far as this applies to Octopus Deploy:
- The Octopus server/web portal uses HTTP.sys (as does IIS), therefore you'll need to ensure this patch is installed on your Octopus server
- The Tentacle agent software does not use HTTP.sys
- If you are deploying applications to IIS, or self-hosted web applications built with frameworks like Nancy SelfHost or WebAPI self host (which build on
HttpListenerwhich ultimately builds on HTTP.sys), you should patch those servers