This week, OpenSSL announced a high-severity vulnerability that affects versions 3.x.
We can confirm that Octopus Deploy depends on OpenSSL versions 1.x, which are not affected by this vulnerability. The OpenSSL vulnerability only affects servers configured to validate client certificates.
- Octopus Tentacle uses client certificate authentication in its communication to register with the Octopus Deploy Server. This communication is not affected because it currently depends on OpenSSL 1.x versions.
- The OpenSSL version Octopus Tentacle is using is under support until 11th September 2023.
For more details on the OpenSSL vulnerability, check out this excellent write-up published on the Datadog blog.