Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT Security Bulletin ASB-2014.0142 A vulnerability has been identified in Puppet 18 December 2014 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Puppet Operating System: UNIX variants (UNIX, Linux, OSX) Impact/Access: Access Confidential Data -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2014-9355 Member content until: Saturday, January 17 2015 OVERVIEW A vulnerability has been identified in Puppet prior to version 3.7.1. [1] IMPACT The vendor has provided the following details regarding this vulnerability: CVE-2014-9355: "In Puppet Enterprise 3.7.0, an authenticated Puppet Enterprise Console user with no permissions could access certain API endpoints providing information about PE licensing and certificate signing requests." [1] MITIGATION It is recommended that administrators update to the latest version of Puppet to correct this issue. [1] REFERENCES [1] CVE-2014-9355 (Information Leakage in Puppet Enterprise Console) http://puppetlabs.com/security/cve/cve-2014-9355 AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBVJJUvhLndAQH1ShLAQLy6A/6A7iuMgx0XDygHH4IqU/M9coGt2A0B9Zi TMfp+98Vm8rXdRNJvR1WvUNhdVLJni9dQ2QFrqvKBURUf9bUdugy+g6QXluBVB4G QjN6a36vtnH9oqn/jNI8DQm0QJkW55hlDu4CaAEhnISlMJde7ySomq7Y96T9Rvqs 9LfI4XEKxWy7eb7ttOvelZzFv4LA1YVLrIpk7843Qf/OCpZryC+aNAsgPos1zdg+ OgqC3U8qgJlCREdgQJqEPs/J+JH73OvfYYlMy0Ag4DZdkunpNZqT6BZ647GzIdKh A1WpkdXur+KGc3QGoB8XKoCH0u/d6xBfCkgmdOqFAdDSmcHcG+GIoZase6KVkEOl KXEaWOiknyKwJmkvdf3YcLyH0RNRNX+CLcmxwbJi20r6fGn1iUcFSyuPWdij/ecp vhGb3sQ3BfJT3Yv5K4RbwMiEyHjSXs94hyfEcq7wTpeLWzXCJF486Z4ii/yU6qK5 b/rDeqN2X15m4SvyWMpqKQmKjsQL5N2i+fecX7c7JfMsOoSMiY3T+bRNKfuiclQ1 hItcbYh75rJvibg2kCOst5pEGRQfipuz7pLuwf89JlIa4RmRihV70z6Q/jUF+WPD XayaSB5JUm5+u9xZsPZm6ar3AWVZw6QO6zONw/6Itx10Bnw8ZVjmOos6cyM60djg u/HvnQGP8j4= =pBzy -----END PGP SIGNATURE-----