Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.1335
Moderate: puppet security update
25 September 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: puppet
Publisher: Red Hat
Operating System: Red Hat
Linux variants
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Root Compromise -- Existing Account
Modify Arbitrary Files -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2013-4956 CVE-2013-4761 CVE-2013-3567
Reference: ESB-2013.1317
ESB-2013.1122
ESB-2013.0889
ESB-2013.0860
Original Bulletin:
https://rhn.redhat.com/errata/RHSA-2013-1283.html
https://rhn.redhat.com/errata/RHSA-2013-1284.html
Comment: This bulletin contains two (2) Red Hat security advisories.
This advisory references vulnerabilities in products which run on
platforms other than Red Hat. It is recommended that administrators
running puppet check for an updated version of the software for
their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: puppet security update
Advisory ID: RHSA-2013:1283-01
Product: Red Hat OpenStack
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-1283.html
Issue date: 2013-09-24
CVE Names: CVE-2013-3567 CVE-2013-4761 CVE-2013-4956
=====================================================================
1. Summary:
Updated puppet packages that fix several security issues are now available
for Red Hat OpenStack 3.0.
The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
OpenStack 3 - noarch, x86_64
3. Description:
Puppet allows provisioning, patching, and configuration of clients to be
managed and automated.
A flaw was found in the way Puppet handled YAML content during
Representational State Transfer (REST) API calls. An attacker could
construct a request containing a crafted YAML payload that would cause the
Puppet master to execute arbitrary code. (CVE-2013-3567)
It was found that resource_type requests could be used to cause the Puppet
master to load and run Ruby files from anywhere on the file system. In
non-default configurations, a local user on the Puppet master server could
use this flaw to have arbitrary Ruby code executed with the privileges of
the Puppet master. (CVE-2013-4761)
It was found that Puppet Module Tool (that is, running "puppet module"
commands from the command line) applied incorrect permissions to installed
modules. If a malicious, local user had write access to the Puppet module
directory, they could use this flaw to modify the modules and therefore
execute arbitrary code with the privileges of the Puppet master.
(CVE-2013-4956)
Red Hat would like to thank Puppet Labs for reporting these issues.
Upstream acknowledges Ben Murphy as the original reporter of CVE-2013-3567.
Note: OpenStack uses these puppet packages with PackStack, a command line
utility that uses Puppet modules to support rapid deployment of OpenStack
on existing servers over an SSH connection. The Puppet master is not used
in this configuration, and as such, CVE-2013-3567 and CVE-2013-4761 are not
exploitable in this OpenStack use case.
Users of Red Hat OpenStack 3.0 are advised to upgrade to these updated
packages, which correct these issues.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
974649 - CVE-2013-3567 puppet: remote code execution on master from unauthenticated clients
996855 - CVE-2013-4956 Puppet: Local Privilege Escalation/Arbitrary Code Execution
996856 - CVE-2013-4761 Puppet: resource_type service code execution
6. Package List:
OpenStack 3:
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/facter-1.6.6-1.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/hiera-1.0.0-3.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/puppet-3.2.4-1.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/ruby-augeas-0.4.1-1.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/ruby-shadow-1.4.1-13.el6_4.src.rpm
noarch:
hiera-1.0.0-3.el6_4.noarch.rpm
puppet-3.2.4-1.el6_4.noarch.rpm
puppet-server-3.2.4-1.el6_4.noarch.rpm
x86_64:
facter-1.6.6-1.el6_4.x86_64.rpm
ruby-augeas-0.4.1-1.el6_4.x86_64.rpm
ruby-augeas-debuginfo-0.4.1-1.el6_4.x86_64.rpm
ruby-shadow-1.4.1-13.el6_4.x86_64.rpm
ruby-shadow-debuginfo-1.4.1-13.el6_4.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2013-3567.html
https://www.redhat.com/security/data/cve/CVE-2013-4761.html
https://www.redhat.com/security/data/cve/CVE-2013-4956.html
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFSQdcEXlSAg2UNWIIRAhmVAKC3sRBDSTHdHNJmuzfvQW1sbWIQPACdGZ/O
ep5GAYws8xL4sNzYq2M144Y=
=4lIY
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: ruby193-puppet security update
Advisory ID: RHSA-2013:1284-01
Product: Red Hat OpenStack
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-1284.html
Issue date: 2013-09-24
CVE Names: CVE-2013-3567 CVE-2013-4761 CVE-2013-4956
=====================================================================
1. Summary:
Updated ruby193-puppet packages that fix three security issues are now
available for Red Hat OpenStack 3.0.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
OpenStack 3 - noarch
3. Description:
Puppet allows provisioning, patching, and configuration of clients to be
managed and automated.
A flaw was found in the way Puppet handled YAML content during
Representational State Transfer (REST) API calls. An attacker could
construct a request containing a crafted YAML payload that would cause the
Puppet master to execute arbitrary code. (CVE-2013-3567)
It was found that resource_type requests could be used to cause the Puppet
master to load and run Ruby files from anywhere on the file system. In
non-default configurations, a local user on the Puppet master server could
use this flaw to have arbitrary Ruby code executed with the privileges of
the Puppet master. (CVE-2013-4761)
It was found that Puppet Module Tool (that is, running "puppet module"
commands from the command line) applied incorrect permissions to installed
modules. If a malicious, local user had write access to the Puppet module
directory, they could use this flaw to modify the modules and therefore
execute arbitrary code with the privileges of the Puppet master.
(CVE-2013-4956)
Red Hat would like to thank Puppet Labs for reporting these issues.
Upstream acknowledges Ben Murphy as the original reporter of CVE-2013-3567.
These ruby193-puppet packages are used by Foreman, which provides
facilities for rapidly deploying Red Hat OpenStack 3.0. In this use case,
Puppet master is used and exposed to these issues. Note that Foreman is
provided as a Technology Preview. For more information on the scope and
nature of support for items marked as Technology Preview, refer to
https://access.redhat.com/support/offerings/techpreview/
Users of Red Hat OpenStack 3.0 are advised to upgrade to these updated
packages, which correct these issues.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
974649 - CVE-2013-3567 puppet: remote code execution on master from unauthenticated clients
996855 - CVE-2013-4956 Puppet: Local Privilege Escalation/Arbitrary Code Execution
996856 - CVE-2013-4761 Puppet: resource_type service code execution
6. Package List:
OpenStack 3:
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/ruby193-puppet-3.1.1-11.1.el6ost.src.rpm
noarch:
ruby193-puppet-3.1.1-11.1.el6ost.noarch.rpm
ruby193-puppet-server-3.1.1-11.1.el6ost.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2013-3567.html
https://www.redhat.com/security/data/cve/CVE-2013-4761.html
https://www.redhat.com/security/data/cve/CVE-2013-4956.html
https://access.redhat.com/security/updates/classification/#critical
http://puppetlabs.com/security/cve/cve-2013-3567
http://puppetlabs.com/security/cve/cve-2013-4761
http://puppetlabs.com/security/cve/cve-2013-4956
https://access.redhat.com/support/offerings/techpreview/
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFSQdcyXlSAg2UNWIIRAsm1AJ4kDgxzr7vYeSK0Y63WpHq3NPQGgQCeISx9
XEHYmRExEVYQFoNArdYhNHA=
=vYab
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUkKHQxLndAQH1ShLAQJS0Q/+IXpMK7hI0l+PsBN5+/GfaVeuCL44bLV0
EaKV6xa/soYzuJFyceQXceKTp3gzXb+Kx0ve99GGNOk5X3RNrITj59kWIf8+lDmo
dmJ//GB9C9NXvhvzyR+KPSjPgLzKB/0v6Ur3eVI8HdBZTA+g/z5JAJnSWw44Rgsd
zXYlojf8WoStnnhaOTaLlyFQ6ASzXgG6S48PN0LfmAhf1i80O1RQyESl/qpi2AuJ
O2v+uC8rey5sCdJ2y9MVIlBjU9IZzSotZfKjE8jbu109+fkOyPfEbH/P1oP6cwAw
Uw5fcoTyOeZKAic/bIZogUxnhFwKVpGVKN215aMCTbEwgFdOz05eyBtpkhMLOmo5
2ff6v2tMxeVRLk/O8gs5T8NPmywHh3UREU1Eq4+mDDwaohWCpPkdRzqmxcVIJ5Yq
umKloNklYbey48zSvwgNvSdRjTjmbxhrDt4w2p+zxQaxg0CAVMQLi0mfrUtsqbA0
Z3AWPSKyTK/dUfIeXkdnPRedC3NXKXsDiClOpDuto5EzT2XIBmH2/0f7CS1cH4tH
s9LjO5/91zXs/9i9itISx1yY66zQs9a42chVSw/V5guz40xrNPWpyq9LWkstmoyX
k2qtlR7czArvxOPlLb8b1salHEfPH/5Zx1de4ztAGJz+ZR17GNnahK+i1vNR8Jxr
EnaBho+1fzs=
=Za6r
-----END PGP SIGNATURE-----