This week, OpenSSL announced a high-severity vulnerability that affects versions 3.x.
We can confirm that Octopus Deploy depends on OpenSSL versions 1.x, which are not affected by this vulnerability. The OpenSSL vulnerability only affects servers configured to validate client certificates.
- Octopus Tentacle communication uses client certificate authentication to register with the Octopus Deploy Server. This is not affected because it currently depends on OpenSSL versions 1.x.
- The OpenSSL version Octopus Tentacle is using is under support until 11th September 2023.
For more details on the OpenSSL vulnerability, check out this excellent write-up published on the Datadog blog.