CVE-2021-31816
📋 TL;DR
CVE-2021-31816 is a cleartext storage vulnerability in Octopus Server where database passwords are written to log files in plaintext during initial configuration with external SQL databases. This affects Octopus Server administrators who configure external SQL databases, potentially exposing database credentials to anyone with access to log files.
💻 Affected Systems
- Octopus Server
📦 What is this software?
Octopus Server, by Octopus Deploy
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain database credentials, leading to full database compromise, data exfiltration, privilege escalation, or lateral movement to other systems.
Likely Case
Internal users or attackers with log file access obtain database credentials, potentially compromising the Octopus database and associated systems.
If Mitigated
With proper access controls and log file protection, risk is limited to authorized administrators only.
🎯 Exploit Status
Exploitation requires read access to the OctopusServer.txt log file. No authentication to Octopus Server is needed once file access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2021.2.3150 and later
Vendor Advisory: https://advisories.octopus.com/adv/2021-05---Cleartext-Storage-of-Sensitive-Information-(CVE-2021-31816).2121793537.html
Restart Required: Yes
Instructions:
1. Download Octopus Server 2021.2.3150 or later from the Octopus Deploy website.
2. Run the installer.
3. Follow the upgrade prompts.
4. Restart the Octopus Server service.
🔧 Temporary Workarounds
Secure log file permissions
Restrict access to the OctopusServer.txt log file to only the necessary administrators
Windows: icacls "C:\Octopus\Logs\OctopusServer.txt" /inheritance:r /grant:r "Administrators:(R)"
Linux: chmod 600 /path/to/OctopusServer.txt
Remove sensitive log entries
Manually search for and remove password entries from existing log files
Find password patterns: grep -i 'password\|pwd' OctopusServer.txt
Remove lines (case-insensitive, to match the grep above): sed -i '/[Pp]assword\|[Pp]wd/d' OctopusServer.txt
🧯 If You Can't Patch
- Rotate database passwords immediately, and confirm that existing log files no longer contain the credentials
- Implement strict access controls on Octopus log directory and files
🔍 How to Verify
Check if Vulnerable:
Check OctopusServer.txt log files for plaintext database password entries, particularly around initial configuration timestamps
Check Version:
Octopus.Server.exe show-configuration --format=json | grep Version
Verify Fix Applied:
Verify Octopus Server version is 2021.2.3150 or later, and check that new configurations don't write passwords to logs
📡 Detection & Monitoring
Log Indicators:
- Plaintext database connection strings in OctopusServer.txt
- Password entries in log files during configuration
Network Indicators:
- Unauthorized database connection attempts using credentials from logs
SIEM Query:
source="OctopusServer.txt" AND ("password=" OR "pwd=" OR "DatabasePassword")
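As an added example (not from the advisory and not Octopus Deploy's code), the following Python script implements the log check described under "Remove sensitive log entries" and the log indicators under "Detection & Monitoring": it reports which lines of an OctopusServer.txt file carry plaintext credential fields (without echoing the secret) and produces a redacted copy that keeps the rest of each line instead of deleting it whole. The sample log lines are constructed for the demonstration.

```python
import re
import sys

# Constructed sample lines in the style of an Octopus Server log; not real log output.
SAMPLE_LOG = """\
2021-05-10 09:12:01.123 +10:00  INFO  Octopus Server version 2021.1.7316
2021-05-10 09:12:05.456 +10:00  INFO  Configuring database: Server=sql01;Database=Octopus;User Id=octopus;Password=S3cret!Pass;
2021-05-10 09:12:06.789 +10:00  INFO  Database connection established
2021-05-10 09:12:07.000 +10:00  INFO  Initial DatabasePassword=AnotherSecret set for octopus
"""

# Credential fields named in the advisory's SIEM query (password=, pwd=, DatabasePassword).
# The value runs until the next ';', whitespace or end of line, as in a SQL connection string.
SECRET_RE = re.compile(r'(?i)\b(password|pwd|DatabasePassword)\s*=\s*([^;\s]+)')


def find_secrets(text):
    """Return (line_number, field_name) for every plaintext credential found.

    The secret value itself is deliberately not returned, so the report
    can be shared with the incident ticket without re-exposing it.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SECRET_RE.finditer(line):
            hits.append((lineno, match.group(1)))
    return hits


def redact(text):
    """Replace each credential value with [REDACTED], keeping the rest of the line.

    Unlike `sed '/password/d'`, this preserves the timestamps and context
    around the configuration step for later forensic review.
    """
    return SECRET_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)


if __name__ == "__main__":
    # Usage: python check_octopus_log.py OctopusServer.txt > OctopusServer.redacted.txt
    # With no argument, the constructed sample above is scanned instead.
    log_text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for lineno, field in find_secrets(log_text):
        print(f"line {lineno}: plaintext credential field '{field}'", file=sys.stderr)
    sys.stdout.write(redact(log_text))
```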