SB2017070515 - Multiple vulnerabilities in Puppet



Published: July 5, 2017 Updated: August 8, 2020

Security Bulletin ID: SB2017070515
Severity: Medium
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 3 security vulnerabilities.


1) Input validation error (CVE-ID: CVE-2017-2293)

The vulnerability allows a remote privileged user to manipulate data.

Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 shipped with an MCollective configuration that allowed the package plugin to install or remove arbitrary packages on all managed agents. This release adds default configuration to not allow these actions. Customers who rely on this functionality can change this policy.


2) Improper Authentication (CVE-ID: CVE-2017-2297)

The vulnerability allows a remote authenticated user to execute arbitrary code.

Puppet Enterprise versions prior to 2016.4.5 and 2017.2.1 did not correctly authenticate users before returning labeled RBAC access tokens. This issue has been fixed in Puppet Enterprise 2016.4.5 and 2017.2.1. This only affects users with labeled tokens, which is not the default for tokens.


3) Information disclosure (CVE-ID: CVE-2017-2294)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 failed to mark MCollective server private keys as sensitive (a feature added in Puppet 4.6), so key values could be logged and stored in PuppetDB. These releases use the sensitive data type to ensure this won't happen anymore.
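
A check for the exposure described in item 3, added here as an example (not code from Puppet or from this bulletin): it walks catalog-style data exported as JSON and reports resource parameters that carry PEM private key material in clear text. The catalog shape (`resources`, `type`, `title`, `parameters`), the function names and the sample data are assumptions constructed for illustration.

```python
import re

# Matches PEM headers such as "RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY".
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")


def _strings(value):
    """Yield every string nested anywhere inside a parameter value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from _strings(item)
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from _strings(item)


def find_exposed_keys(catalog):
    """Return sorted (resource_ref, parameter) pairs holding a PEM private key."""
    hits = set()
    for res in catalog.get("resources", []):
        ref = f"{res.get('type')}[{res.get('title')}]"
        for name, value in (res.get("parameters") or {}).items():
            if any(PEM_PRIVATE_KEY.search(s) for s in _strings(value)):
                hits.add((ref, name))
    return sorted(hits)


# Constructed sample (assumed shape, placeholder key bodies, hypothetical paths).
_PEM = "-----BEGIN {0}-----\nCONSTRUCTED-PLACEHOLDER\n-----END {0}-----\n"
SAMPLE_CATALOG = {
    "resources": [
        {"type": "File", "title": "/example/ssl/server-private.pem",
         "parameters": {"ensure": "file", "mode": "0400",
                        "content": _PEM.format("RSA PRIVATE KEY")}},
        {"type": "File", "title": "/example/ssl/server-public.pem",
         "parameters": {"content": _PEM.format("PUBLIC KEY")}},
        {"type": "File", "title": "/example/ssl/other-private.pem",
         "parameters": {"content": "[constructed redacted value]"}},
        {"type": "Example_type", "title": "nested",
         "parameters": {"keys": [{"pem": _PEM.format("PRIVATE KEY")}]}},
    ]
}

if __name__ == "__main__":
    for ref, param in find_exposed_keys(SAMPLE_CATALOG):
        print(f"private key material in {ref}, parameter {param!r}")
```

Any hit means the key was stored in clear text and should be treated as exposed: rotate it after upgrading.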


Remediation

Install the update from the vendor's website.