
Octopus Deploy's response to Log4j

Blog post from Octopus Deploy

Post Details
Author: Kyle Jackson
Word Count: 742
Language: English
Summary

On December 9, 2021, Octopus Deploy identified a vulnerability in the Log4j logging utility, prompting the company to initiate its Security Incident Response Plan and assess the potential impact on its products and infrastructure. Fortunately, Octopus Cloud, Octopus Server, and Octopus Tentacle are unaffected because they are built on the .NET framework; however, some related products, such as the JetBrains TeamCity plugin and the Octopus Java SDK, were identified as vulnerable and must be updated to versions 6.1.7 and 0.0.3, respectively, to mitigate the risk of remote code execution. The company's thorough investigation of its internal infrastructure, using Infrastructure as Code and network traffic analysis, concluded that there was no compromise, although suspicious inbound network traffic was observed. Octopus Deploy is committed to tracking updates related to the vulnerability and will provide further information if any risk arises.