Summary: | <app-admin/puppet-agent-1.7.1: Puppet Execution Protocol (PXP) Command Whitelist Validation Vulnerability | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Matthew Thode ( prometheanfire ) <prometheanfire> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | prometheanfire |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://puppet.com/security/cve/pxp-agent-oct-2016 | | |
Whiteboard: | B2 [glsa cve] | | |
Package list: | | Runtime testing required: | --- |

Description
Matthew Thode ( prometheanfire )
2016-10-21 12:01:37 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #0)
> Note: Considered alone this vulnerability is High Risk, but in combination
> with the PCP Broker vulnerability this becomes Critical.
>
> Puppet Agent 1.3.6 added a whitelist to prevent arbitrary options from being
> passed to Puppet runs triggered through the Puppet Communications Protocol
> (PCP). There was an issue with command validation that allowed this
> whitelist to be bypassed. This can potentially lead to arbitrary code
> execution on Puppet Agent nodes in Puppet Enterprise prior to 2016.4.0.
>
> Default configurations of FOSS Puppet Agent are not vulnerable.

Are there more details available? In particular, is there a possibility of the FOSS version being affected by changing a configuration parameter?

I'd like to do fast stable here (and can do so myself since it's just x86 and amd64 arches). I assume I have to go-ahead?

hmm, this wasn't in the original link

Puppet Agent 1.7.1 also contains updated versions of OpenSSL and Curl to address vulnerabilities recently announced by those projects.

https://groups.google.com/forum/#!msg/puppet-announce/Hbr8gv2hlIo/szhXUEdzBgAJ

another cve is also fixed in 1.7.1 from that message, but the cve link given says it was resolved in 1.7.0, nice...

https://puppet.com/security/cve/cve-2016-5714

(In reply to Matthew Thode ( prometheanfire ) from comment #3)
> hmm, this wasn't in the original link
>
> Puppet Agent 1.7.1 also contains updated versions of OpenSSL and Curl to
> address vulnerabilities recently announced by those projects.

Are we affected by this, i.e. we don't remove embedded stuff and use the system libs?

> https://groups.google.com/forum/#!msg/puppet-announce/Hbr8gv2hlIo/szhXUEdzBgAJ
>
> another cve is also fixed in 1.7.1 from that message, but the cve link given
> says it was resolved in 1.7.0, nice...
>
> https://puppet.com/security/cve/cve-2016-5714

This is a separate CVE that should go in a different bug.

1.7.1 marked stable, cleaned up as well

Yes, we are affected by that as well. This is a binary package-set.

puppet-agent is currently on 1.10.6, is this report still valid?

Gentoo Security Padawan
ChrisADR

This issue was resolved and addressed in GLSA 201710-12 at https://security.gentoo.org/glsa/201710-12 by GLSA coordinator Aaron Bauman (b-man).