Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 597684 (CVE-2016-5714)

Summary: <app-admin/puppet-agent-1.7.1: Puppet Execution Protocol (PXP) Command Whitelist Validation Vulnerability
Product: Gentoo Security Reporter: Matthew Thode ( prometheanfire ) <prometheanfire>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: prometheanfire
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://puppet.com/security/cve/pxp-agent-oct-2016
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---

Description Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-10-21 12:01:37 UTC
Note: Considered alone this vulnerability is High Risk, but in combination with the PCP Broker vulnerability this becomes Critical.

Puppet Agent 1.3.6 added a whitelist to prevent arbitrary options from being passed to Puppet runs triggered through the Puppet Communications Protocol (PCP). There was an issue with command validation that allowed this whitelist to be bypassed. This can potentially lead to arbitrary code execution on Puppet Agent nodes in Puppet Enterprise prior to 2016.4.0.

Default configurations of FOSS Puppet Agent are not vulnerable.
Status:

Affected Software Versions:

    Puppet Enterprise 2015.3.3
    Puppet Enterprise 2016.x prior to 2016.4.0
    Puppet Agent 1.3.6 - 1.7.0

Resolved in:

    Puppet Enterprise 2016.4.0
    Puppet Agent 1.7.1


As said above, the FOSS Puppet Agent is not vulnerable, so this doesn't effect us.

Reproducible: Always
Comment 1 Kristian Fiskerstrand gentoo-dev Security 2016-10-21 12:05:05 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #0)
> Note: Considered alone this vulnerability is High Risk, but in combination
> with the PCP Broker vulnerability this becomes Critical.
> 
> Puppet Agent 1.3.6 added a whitelist to prevent arbitrary options from being
> passed to Puppet runs triggered through the Puppet Communications Protocol
> (PCP). There was an issue with command validation that allowed this
> whitelist to be bypassed. This can potentially lead to arbitrary code
> execution on Puppet Agent nodes in Puppet Enterprise prior to 2016.4.0.
> 
> Default configurations of FOSS Puppet Agent are not vulnerable.

Are there more details available? In particular; Is there a possibility of the FOSS version being affected by changing a configuration parameter?
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-10-21 12:19:33 UTC
I'd like to do fast stable here (and can do so myself since it's just x86 and amd64 arches).  I assume I have to go-ahead?
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-10-21 12:21:27 UTC
hmm, this wasn't in the original link

Puppet Agent 1.7.1 also contains updated versions of OpenSSL and Curl to address vulnerabilities recently announced by those projects.

https://groups.google.com/forum/#!msg/puppet-announce/Hbr8gv2hlIo/szhXUEdzBgAJ

another cve is also fixed in 1.7.1 from that message, but the cve link given says it was resolved in 1.7.0, nice...

https://puppet.com/security/cve/cve-2016-5714
Comment 4 Kristian Fiskerstrand gentoo-dev Security 2016-10-21 12:24:16 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #3)
> hmm, this wasn't in the original link
> 
> Puppet Agent 1.7.1 also contains updated versions of OpenSSL and Curl to
> address vulnerabilities recently announced by those projects.

Are we affected by this, i.e we don't remove embedded stuff and use the system libs?
> 
> https://groups.google.com/forum/#!msg/puppet-announce/Hbr8gv2hlIo/
> szhXUEdzBgAJ
> 
> another cve is also fixed in 1.7.1 from that message, but the cve link given
> says it was resolved in 1.7.0, nice...
> 
> https://puppet.com/security/cve/cve-2016-5714


This is separate CVE that should go in different bug
Comment 5 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-10-21 15:18:30 UTC
1.7.1 marked stable, cleaned up as well
Comment 6 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-10-21 15:19:15 UTC
Yes, we are affected by that as well.  This is a binary package-set.
Comment 7 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-05 17:07:47 UTC
puppet-agent is currently on 1.10.6, is this report still valid?

Gentoo Security Padawan
ChrisADR
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2017-10-13 23:33:23 UTC
This issue was resolved and addressed in
 GLSA 201710-12 at https://security.gentoo.org/glsa/201710-12
by GLSA coordinator Aaron Bauman (b-man).