Paul Stovell, April 16, 2015

Vulnerability in HTTP.sys Could Allow Remote Code Execution

It may not have a cool code name, but this is a very severe problem:

Vulnerability in HTTP.sys Could Allow Remote Code Execution

A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who successfully exploited this vulnerability could execute arbitrary code in the context of the System account.

As far as this applies to Octopus Deploy:

  1. The Octopus server/web portal uses HTTP.sys (as does IIS), so you'll need to ensure this patch is installed on your Octopus server.
  2. The Tentacle agent software does not use HTTP.sys.
  3. If you are deploying applications to IIS, or self-hosted web applications built with frameworks like Nancy SelfHost or WebAPI self host (which build on HttpListener, which ultimately builds on HTTP.sys), you should patch those servers.
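
Self-hosted applications are easy to miss when deciding which servers need the patch, so the following added example (not from the original post or from Octopus Deploy) lists what is currently registered with HTTP.sys on a machine by parsing `netsh http show servicestate`. The function name `Get-HttpSysListener` and the sample output are constructed for illustration, and the parser assumes English-locale output in the layout shown in the sample.

```powershell
# Added example: list what is registered with HTTP.sys on a server.
# Assumes English-locale `netsh http show servicestate` output in which
# URLs follow "Registered URLs:" and PIDs follow "Process IDs:".
function Get-HttpSysListener {
    param(
        # Defaults to live output; pass captured lines to analyse offline.
        [string[]]$ServiceState = (& netsh.exe http show servicestate)
    )
    $section = $null
    $urls = @()
    $processIds = @()
    foreach ($line in $ServiceState) {
        $text = $line.Trim()
        if ($text -eq 'Registered URLs:') { $section = 'url'; continue }
        if ($text -eq 'Process IDs:')     { $section = 'pid'; continue }
        if ($section -eq 'url' -and $text -match '^https?://') { $urls += $text; continue }
        if ($section -eq 'pid' -and $text -match '^\d+$') { $processIds += [int]$text; continue }
        $section = $null   # any other line ends the current list
    }
    $processes = foreach ($id in ($processIds | Sort-Object -Unique)) {
        # Name lookup only works for processes on the local machine.
        $p = Get-Process -Id $id -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Id   = $id
            Name = if ($p) { $p.ProcessName } else { '(not running here)' }
        }
    }
    [pscustomobject]@{
        UsesHttpSys = ($urls.Count -gt 0)
        Urls        = @($urls | Sort-Object -Unique)
        Processes   = @($processes)
    }
}

# Constructed sample (not captured from a real server): one self-hosted
# listener on port 8080 owned by PID 4321.
$sample = @'
        Number of registered URLs: 1
        Registered URLs:
            HTTP://+:8080/

Request queues:
    Request queue name: Request queue is unnamed.
        Process IDs:
            4321
'@ -split "`r?`n"

Get-HttpSysListener -ServiceState $sample   # offline parse of the sample
# Get-HttpSysListener                       # live check on the server itself
```

The service state is a snapshot, so a self-hosted application only shows up while its process is running and listening.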