Puppet CVE-2013-1654 Security Bypass Vulnerability
BID:58453
Info
| Bugtraq ID: | 58453 |
| Class: | Design Error |
| CVE: | CVE-2013-1654 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 09 2013 12:00AM |
| Updated: | Apr 13 2015 09:54PM |
| Credit: | Puppet Labs |
| Vulnerable: | Ubuntu Ubuntu Linux 12.10; Ubuntu Ubuntu Linux 12.04 LTS amd64; Ubuntu Ubuntu Linux 11.10; SuSE SUSE Linux Enterprise Server for VMware 11 SP2; SuSE SUSE Linux Enterprise Server 11 SP2; SuSE Suse Linux Enterprise Desktop 11 SP2; Redhat OpenStack Folsom 0; Redhat OpenStack Essex 0; Puppetlabs Puppet Enterprise 2.7.1; Puppetlabs Puppet Enterprise 2.7; Puppetlabs Puppet Enterprise 1.2; Puppetlabs Puppet Enterprise 1.1; Puppetlabs Puppet Enterprise 1.0; Puppetlabs Puppet 3.1; Puppetlabs Puppet 2.7.18; Puppetlabs Puppet 2.7.13; Puppetlabs Puppet 2.7.11; Puppetlabs Puppet 2.7.10; Puppetlabs Puppet 2.6.17; Puppetlabs Puppet 2.6.15; Puppetlabs Puppet 2.6.14; Puppetlabs Puppet 2.6.13; Puppetlabs Puppet 2.6.11; Puppetlabs Puppet 2.6.10; Puppetlabs Puppet 2.6.4; Puppetlabs Puppet 2.6.3; Puppetlabs Puppet 2.6; Oracle Oracle HTTP Server 11.1.1.6.0; Oracle Fusion Middleware 10.1.3 .5; Oracle Forms and Reports 11g Release 2 11.1.2.1; Gentoo Linux; Debian Linux 6.0 sparc; Debian Linux 6.0 s/390; Debian Linux 6.0 powerpc; Debian Linux 6.0 mips; Debian Linux 6.0 ia-64; Debian Linux 6.0 ia-32; Debian Linux 6.0 arm; Debian Linux 6.0 amd64 |
| Not Vulnerable: | Puppetlabs Puppet Enterprise 2.7.2; Puppetlabs Puppet Enterprise 1.2.7; Puppetlabs Puppet 3.1.1; Puppetlabs Puppet 2.7.21; Puppetlabs Puppet 2.6.18 |
Discussion
Puppet is prone to a security-bypass vulnerability.
Successful exploits will allow attackers to bypass certain security restrictions, which may aid in further attacks.
The issue is fixed in the following versions:
Puppet 2.6.18, 2.7.21, and 3.1.1.
Puppet Enterprise 1.2.7 and 2.7.2.
Exploit / POC
Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
Updates are available. Please see the references or vendor advisory for more information.
References
References:
- Bug 919770 - CVE-2013-1654 Puppet: SSL protocol downgrade (Bugzilla)
- CVE-2013-1654 (SSL Protocol Downgrade Vulnerability) (Puppet Labs)
- Puppet Homepage (Puppet Labs)
- Important: puppet security update (Red Hat)
- Oracle Critical Patch Update Advisory - January 2014 (Oracle)