Paul Stovell, April 16, 2015

Vulnerability in HTTP.sys Could Allow Remote Code Execution

It may not have a cool code name, but this is a very severe problem:

Vulnerability in HTTP.sys Could Allow Remote Code Execution

A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who successfully exploited this vulnerability could execute arbitrary code in the context of the System account.

As far as this applies to Octopus Deploy:

  1. The Octopus server/web portal uses HTTP.sys (as does IIS), so you'll need to ensure this patch is installed on your Octopus server.
  2. The Tentacle agent software does not use HTTP.sys.
  3. If you are deploying applications to IIS, or self-hosted web applications built with frameworks like Nancy SelfHost or WebAPI self host (which build on HttpListener, which ultimately builds on HTTP.sys), you should patch those servers.
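
To see which processes on a given server sit on top of HTTP.sys (IIS worker processes, HttpListener-based self-hosts, the Octopus portal), you can parse the output of `netsh http show servicestate view=requestq`. The PowerShell below is an added example, not code from the original post or from Octopus Deploy; the function name `Get-HttpSysListener` is hypothetical, and the sample text is constructed and abridged, assuming netsh's English-language layout.

```powershell
# Added example: list HTTP.sys request queues with attached PIDs and URL prefixes.
function Get-HttpSysListener {   # hypothetical helper name
    param(
        # Output lines of the netsh command; pass saved text to parse it offline.
        [string[]]$Lines = (netsh http show servicestate view=requestq)
    )
    $queue = $null; $headerIndent = -1; $inPids = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        $indent = $line.Length - $line.TrimStart().Length
        if ($text -match '^Request queue name:\s*(.*)$' -and
            ($headerIndent -lt 0 -or $indent -le $headerIndent)) {
            # A header at the outermost indent starts a new queue; the deeper
            # repeat of this line inside a URL group is ignored.
            if ($null -ne $queue) { [pscustomobject]$queue }
            $queue = [ordered]@{ Queue = $Matches[1]; ProcessIds = @(); Urls = @() }
            $headerIndent = $indent; $inPids = $false
        }
        elseif ($null -eq $queue) { continue }
        elseif ($text -eq 'Process IDs:') { $inPids = $true }
        elseif ($inPids -and $text -match '^\d+$') { $queue.ProcessIds += [int]$text }
        else {
            $inPids = $false
            if ($text -match '^https?://') { $queue.Urls += $text }
        }
    }
    if ($null -ne $queue) { [pscustomobject]$queue }
}

# Constructed, abridged sample in the assumed netsh layout (not captured output).
$sample = @'
Request queue name: Request queue is unnamed.
    Process IDs:
        4044
    URL group ID: FD00000140000001
        Request queue name: Request queue is unnamed.
            Registered URLs:
                HTTP://+:8080/
Request queue name: DefaultAppPool
    Process IDs:
        2216
    URL group ID: FE00000240000002
        Request queue name: DefaultAppPool
            Registered URLs:
                HTTP://*:80/
                HTTPS://*:443/
'@ -split '\r?\n'

Get-HttpSysListener -Lines $sample | Format-Table
```

Calling `Get-HttpSysListener` with no arguments parses the live output on the server it runs on; an unnamed queue with a non-IIS process ID is typically a self-hosted listener.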
