Note: Considered alone this vulnerability is High Risk, but in combination with the PCP Broker vulnerability this becomes Critical.

Puppet Agent 1.3.6 added a whitelist to prevent arbitrary options from being passed to Puppet runs triggered through the Puppet Communications Protocol (PCP). There was an issue with command validation that allowed this whitelist to be bypassed. This can potentially lead to arbitrary code execution on Puppet Agent nodes in Puppet Enterprise prior to 2016.4.0.

Default configurations of FOSS Puppet Agent are not vulnerable.

Status:

Affected Software Versions:
Puppet Enterprise 2015.3.3
Puppet Enterprise 2016.x prior to 2016.4.0
Puppet Agent 1.3.6 - 1.7.0

Resolved in:
Puppet Enterprise 2016.4.0
Puppet Agent 1.7.1

As said above, the FOSS Puppet Agent is not vulnerable, so this doesn't affect us.

Reproducible: Always
(In reply to Matthew Thode ( prometheanfire ) from comment #0)
> Note: Considered alone this vulnerability is High Risk, but in combination
> with the PCP Broker vulnerability this becomes Critical.
>
> Puppet Agent 1.3.6 added a whitelist to prevent arbitrary options from being
> passed to Puppet runs triggered through the Puppet Communications Protocol
> (PCP). There was an issue with command validation that allowed this
> whitelist to be bypassed. This can potentially lead to arbitrary code
> execution on Puppet Agent nodes in Puppet Enterprise prior to 2016.4.0.
>
> Default configurations of FOSS Puppet Agent are not vulnerable.

Are there more details available? In particular, is there a possibility of the FOSS version being affected by changing a configuration parameter?
I'd like to do fast stable here (and can do so myself since it's just x86 and amd64 arches). I assume I have the go-ahead?
hmm, this wasn't in the original link

Puppet Agent 1.7.1 also contains updated versions of OpenSSL and Curl to address vulnerabilities recently announced by those projects.

https://groups.google.com/forum/#!msg/puppet-announce/Hbr8gv2hlIo/szhXUEdzBgAJ

another cve is also fixed in 1.7.1 from that message, but the cve link given says it was resolved in 1.7.0, nice...

https://puppet.com/security/cve/cve-2016-5714
(In reply to Matthew Thode ( prometheanfire ) from comment #3)
> hmm, this wasn't in the original link
>
> Puppet Agent 1.7.1 also contains updated versions of OpenSSL and Curl to
> address vulnerabilities recently announced by those projects.

Are we affected by this, i.e. we don't remove embedded stuff and use the system libs?

>
> https://groups.google.com/forum/#!msg/puppet-announce/Hbr8gv2hlIo/szhXUEdzBgAJ
>
> another cve is also fixed in 1.7.1 from that message, but the cve link given
> says it was resolved in 1.7.0, nice...
>
> https://puppet.com/security/cve/cve-2016-5714

This is a separate CVE that should go in a different bug.
1.7.1 marked stable, cleaned up as well
Yes, we are affected by that as well. This is a binary package-set.
puppet-agent is currently on 1.10.6, is this report still valid?

Gentoo Security Padawan
ChrisADR
This issue was resolved and addressed in GLSA 201710-12 at https://security.gentoo.org/glsa/201710-12 by GLSA coordinator Aaron Bauman (b-man).