
Octopus Deploy's response to the OpenSSL vulnerability

Colby Prior

This week, OpenSSL announced a high-severity vulnerability that affects versions 3.x.

We can confirm that Octopus Deploy depends on OpenSSL versions 1.x, which are not affected by this vulnerability. The OpenSSL vulnerability only affects servers configured to validate client certificates.

  • Octopus Tentacle uses client certificate authentication to register with the Octopus Deploy Server. This is not affected because it currently depends on OpenSSL versions 1.x.
  • The OpenSSL version Octopus Tentacle is using is under support until 11th September 2023.

For more details on the OpenSSL vulnerability, check out this excellent write-up published on the Datadog blog.