Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2014.0142
A vulnerability has been identified in Puppet
18 December 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Puppet
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact/Access: Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2014-9355
Member content until: Saturday, January 17 2015
OVERVIEW
A vulnerability has been identified in Puppet prior to version
3.7.1. [1]
IMPACT
The vendor has provided the following details regarding this
vulnerability:
CVE-2014-9355: "In Puppet Enterprise 3.7.0, an authenticated Puppet
Enterprise Console user with no permissions could access certain API
endpoints providing information about PE licensing and certificate
signing requests." [1]
MITIGATION
It is recommended that administrators update to the latest version of
Puppet to correct this issue. [1]
REFERENCES
[1] CVE-2014-9355 (Information Leakage in Puppet Enterprise Console)
http://puppetlabs.com/security/cve/cve-2014-9355
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVJJUvhLndAQH1ShLAQLy6A/6A7iuMgx0XDygHH4IqU/M9coGt2A0B9Zi
TMfp+98Vm8rXdRNJvR1WvUNhdVLJni9dQ2QFrqvKBURUf9bUdugy+g6QXluBVB4G
QjN6a36vtnH9oqn/jNI8DQm0QJkW55hlDu4CaAEhnISlMJde7ySomq7Y96T9Rvqs
9LfI4XEKxWy7eb7ttOvelZzFv4LA1YVLrIpk7843Qf/OCpZryC+aNAsgPos1zdg+
OgqC3U8qgJlCREdgQJqEPs/J+JH73OvfYYlMy0Ag4DZdkunpNZqT6BZ647GzIdKh
A1WpkdXur+KGc3QGoB8XKoCH0u/d6xBfCkgmdOqFAdDSmcHcG+GIoZase6KVkEOl
KXEaWOiknyKwJmkvdf3YcLyH0RNRNX+CLcmxwbJi20r6fGn1iUcFSyuPWdij/ecp
vhGb3sQ3BfJT3Yv5K4RbwMiEyHjSXs94hyfEcq7wTpeLWzXCJF486Z4ii/yU6qK5
b/rDeqN2X15m4SvyWMpqKQmKjsQL5N2i+fecX7c7JfMsOoSMiY3T+bRNKfuiclQ1
hItcbYh75rJvibg2kCOst5pEGRQfipuz7pLuwf89JlIa4RmRihV70z6Q/jUF+WPD
XayaSB5JUm5+u9xZsPZm6ar3AWVZw6QO6zONw/6Itx10Bnw8ZVjmOos6cyM60djg
u/HvnQGP8j4=
=pBzy
-----END PGP SIGNATURE-----