-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1335
                    Moderate: puppet security update
                             25 September 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           puppet
Publisher:         Red Hat
Operating System:  Red Hat Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Root Compromise                 -- Existing Account
                   Modify Arbitrary Files          -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-4956 CVE-2013-4761 CVE-2013-3567
Reference:         ESB-2013.1317
                   ESB-2013.1122
                   ESB-2013.0889
                   ESB-2013.0860

Original Bulletin:
  https://rhn.redhat.com/errata/RHSA-2013-1283.html
  https://rhn.redhat.com/errata/RHSA-2013-1284.html

Comment: This bulletin contains two (2) Red Hat security advisories.

         This advisory references vulnerabilities in products which run on
         platforms other than Red Hat. It is recommended that administrators
         running puppet check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: puppet security update
Advisory ID:       RHSA-2013:1283-01
Product:           Red Hat OpenStack
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1283.html
Issue date:        2013-09-24
CVE Names:         CVE-2013-3567 CVE-2013-4761 CVE-2013-4956
=====================================================================

1. Summary:

Updated puppet packages that fix several security issues are now available
for Red Hat OpenStack 3.0.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

OpenStack 3 - noarch, x86_64

3. Description:

Puppet allows provisioning, patching, and configuration of clients to be
managed and automated.

A flaw was found in the way Puppet handled YAML content during
Representational State Transfer (REST) API calls. An attacker could
construct a request containing a crafted YAML payload that would cause the
Puppet master to execute arbitrary code. (CVE-2013-3567)

It was found that resource_type requests could be used to cause the Puppet
master to load and run Ruby files from anywhere on the file system. In
non-default configurations, a local user on the Puppet master server could
use this flaw to have arbitrary Ruby code executed with the privileges of
the Puppet master. (CVE-2013-4761)

It was found that Puppet Module Tool (that is, running "puppet module"
commands from the command line) applied incorrect permissions to installed
modules. If a malicious, local user had write access to the Puppet module
directory, they could use this flaw to modify the modules and therefore
execute arbitrary code with the privileges of the Puppet master.
(CVE-2013-4956)

Red Hat would like to thank Puppet Labs for reporting these issues.
Upstream acknowledges Ben Murphy as the original reporter of
CVE-2013-3567.

Note: OpenStack uses these puppet packages with PackStack, a command line
utility that uses Puppet modules to support rapid deployment of OpenStack
on existing servers over an SSH connection. The Puppet master is not used
in this configuration, and as such, CVE-2013-3567 and CVE-2013-4761 are
not exploitable in this OpenStack use case.

Users of Red Hat OpenStack 3.0 are advised to upgrade to these updated
packages, which correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

974649 - CVE-2013-3567 puppet: remote code execution on master from unauthenticated clients
996855 - CVE-2013-4956 Puppet: Local Privilege Escalation/Arbitrary Code Execution
996856 - CVE-2013-4761 Puppet: resource_type service code execution

6. Package List:

OpenStack 3:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/facter-1.6.6-1.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/hiera-1.0.0-3.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/puppet-3.2.4-1.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/ruby-augeas-0.4.1-1.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/ruby-shadow-1.4.1-13.el6_4.src.rpm

noarch:
hiera-1.0.0-3.el6_4.noarch.rpm
puppet-3.2.4-1.el6_4.noarch.rpm
puppet-server-3.2.4-1.el6_4.noarch.rpm

x86_64:
facter-1.6.6-1.el6_4.x86_64.rpm
ruby-augeas-0.4.1-1.el6_4.x86_64.rpm
ruby-augeas-debuginfo-0.4.1-1.el6_4.x86_64.rpm
ruby-shadow-1.4.1-13.el6_4.x86_64.rpm
ruby-shadow-debuginfo-1.4.1-13.el6_4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-3567.html
https://www.redhat.com/security/data/cve/CVE-2013-4761.html
https://www.redhat.com/security/data/cve/CVE-2013-4956.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSQdcEXlSAg2UNWIIRAhmVAKC3sRBDSTHdHNJmuzfvQW1sbWIQPACdGZ/O
ep5GAYws8xL4sNzYq2M144Y=
=4lIY
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: ruby193-puppet security update
Advisory ID:       RHSA-2013:1284-01
Product:           Red Hat OpenStack
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1284.html
Issue date:        2013-09-24
CVE Names:         CVE-2013-3567 CVE-2013-4761 CVE-2013-4956
=====================================================================

1. Summary:

Updated ruby193-puppet packages that fix three security issues are now
available for Red Hat OpenStack 3.0.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

OpenStack 3 - noarch

3. Description:

Puppet allows provisioning, patching, and configuration of clients to be
managed and automated.

A flaw was found in the way Puppet handled YAML content during
Representational State Transfer (REST) API calls. An attacker could
construct a request containing a crafted YAML payload that would cause the
Puppet master to execute arbitrary code. (CVE-2013-3567)

It was found that resource_type requests could be used to cause the Puppet
master to load and run Ruby files from anywhere on the file system. In
non-default configurations, a local user on the Puppet master server could
use this flaw to have arbitrary Ruby code executed with the privileges of
the Puppet master. (CVE-2013-4761)

It was found that Puppet Module Tool (that is, running "puppet module"
commands from the command line) applied incorrect permissions to installed
modules. If a malicious, local user had write access to the Puppet module
directory, they could use this flaw to modify the modules and therefore
execute arbitrary code with the privileges of the Puppet master.
(CVE-2013-4956)

Red Hat would like to thank Puppet Labs for reporting these issues.
Upstream acknowledges Ben Murphy as the original reporter of
CVE-2013-3567.

These ruby193-puppet packages are used by Foreman, which provides
facilities for rapidly deploying Red Hat OpenStack 3.0. In this use case,
Puppet master is used and exposed to these issues.

Note that Foreman is provided as a Technology Preview. For more
information on the scope and nature of support for items marked as
Technology Preview, refer to
https://access.redhat.com/support/offerings/techpreview/

Users of Red Hat OpenStack 3.0 are advised to upgrade to these updated
packages, which correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

974649 - CVE-2013-3567 puppet: remote code execution on master from unauthenticated clients
996855 - CVE-2013-4956 Puppet: Local Privilege Escalation/Arbitrary Code Execution
996856 - CVE-2013-4761 Puppet: resource_type service code execution

6. Package List:

OpenStack 3:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/ruby193-puppet-3.1.1-11.1.el6ost.src.rpm

noarch:
ruby193-puppet-3.1.1-11.1.el6ost.noarch.rpm
ruby193-puppet-server-3.1.1-11.1.el6ost.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-3567.html
https://www.redhat.com/security/data/cve/CVE-2013-4761.html
https://www.redhat.com/security/data/cve/CVE-2013-4956.html
https://access.redhat.com/security/updates/classification/#critical
http://puppetlabs.com/security/cve/cve-2013-3567
http://puppetlabs.com/security/cve/cve-2013-4761
http://puppetlabs.com/security/cve/cve-2013-4956
https://access.redhat.com/support/offerings/techpreview/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSQdcyXlSAg2UNWIIRAsm1AJ4kDgxzr7vYeSK0Y63WpHq3NPQGgQCeISx9
XEHYmRExEVYQFoNArdYhNHA=
=vYab
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
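Two offline checks an administrator can run against the advisories above, written as an added example for this bulletin (not Red Hat's, AusCERT's or Puppet Labs' code): an rpmvercmp-style comparison of an installed puppet version-release string against the fixed builds listed in section 6 of RHSA-2013:1283 and RHSA-2013:1284, and a walk of a Puppet module directory for group- or world-writable entries, the condition CVE-2013-4956 depends on. The FIXED table is taken from the advisories; the module tree in demo_module_audit() is constructed sample data, and the comparison omits epoch, tilde and caret handling.

```python
import os
import re
import stat
import tempfile

# Fixed builds from section 6 of RHSA-2013:1283 and RHSA-2013:1284 (version-release, epoch omitted).
FIXED = {
    "puppet": "3.2.4-1.el6_4",
    "puppet-server": "3.2.4-1.el6_4",
    "ruby193-puppet": "3.1.1-11.1.el6ost",
    "ruby193-puppet-server": "3.1.1-11.1.el6ost",
}

def rpmvercmp(a, b):
    """Simplified rpmvercmp: split into digit/alpha runs, compare numerically or lexically,
    digits sort above letters; no tilde/caret handling. Returns -1, 0 or 1."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_fixed(name, version_release):
    """True when an installed package (e.g. rpm -q --qf '%{VERSION}-%{RELEASE}' output) is at
    or above the advisory's fixed build; package names not in the advisories count as not fixed."""
    if name not in FIXED:
        return False
    iv, ir = version_release.rsplit("-", 1)
    fv, fr = FIXED[name].rsplit("-", 1)
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) >= 0

def writable_by_others(root):
    """Paths under a module directory that are group- or world-writable: CVE-2013-4956 is the
    module tool leaving installed modules modifiable by unprivileged local users."""
    bad = []
    for dirpath, _, filenames in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            if os.lstat(p).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                bad.append(p)
    return sorted(bad)

def demo_module_audit():
    """Build a constructed two-module tree (sample data, not a real host) and audit it."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    for mod, mode in (("ntp", 0o664), ("ssh", 0o644)):  # ntp is deliberately group-writable
        d = os.path.join(root, mod, "manifests")
        os.makedirs(d)
        for p in (os.path.join(root, mod), d):
            os.chmod(p, 0o755)
        f = os.path.join(d, "init.pp")
        open(f, "w").close()
        os.chmod(f, mode)
    return [os.path.relpath(p, root) for p in writable_by_others(root)]
```

On a real master, feed rpm -q output for each package name into is_fixed() and point writable_by_others() at the configured modulepath.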
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----