|Summary:||CVE-2014-3248 puppet: Ruby modules could be loaded from the current working directory|
|Product:||[Other] Security Response||Reporter:||Murray McAllister <mmcallis>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED NOTABUG||QA Contact:|
|Version:||unspecified||CC:||abaron, admiller, aortega, apevec, ayoung, bkearney, carnil, cbillett, ccoleman, chrisw, cpelland, dallan, dcleal, dmcphers, fedora, gkotton, jialiu, jokerman, jose.p.oliveira.oss, jrusnack, katello-bugs, k.georgiou, kseifried, ktdreyer, lhh, lmeyer, lzap, markmc, mastahnke, mmagr, mmccomas, mmccune, mmcgrath, moses, rbryant, rhos-maint, rrati, sclewis, security-response-team, s, steve.traylen, tjay, tmz, tomckay, vanmeeuwen+fedora, vdanen, yeylon|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2014-09-17 19:42:26 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||1107890, 1107891, 1107892, 1107893, 1107894, 1108503, 1114902|
Description Murray McAllister 2014-05-27 03:04:03 UTC
Running Puppet, Mcollective, Facter, or Hiera on a host that has a version of Ruby older than 1.9.2 could result in a Ruby module being loaded from the current working directory. If Puppet, Mcollective, Facter, or Hiera were run from an attacker-controlled directory, it could result in arbitrary code execution. This issue affects all versions of Puppet, Mcollective, and Hiera. It affects Facter versions 1.6.x and 2.x. This is due to an underlying issue in Ruby that was fixed in version 1.9.2: https://www.ruby-lang.org/en/news/2010/08/18/ruby-1-9.2-released Acknowledgements: Red Hat would like to thank Puppet Labs for reporting this issue. Upstream acknowledges Dennis Rowe (shr3kst3r) as the original reporter.
Comment 2 Murray McAllister 2014-05-27 03:11:22 UTC
Created attachment 899370 [details] facter patch from upstream
Comment 3 Murray McAllister 2014-05-27 03:12:37 UTC
Created attachment 899371 [details] hiera patch from upstream
Comment 4 Murray McAllister 2014-05-27 03:13:19 UTC
Created attachment 899372 [details] mcollective patch from upstream
Comment 5 Murray McAllister 2014-05-27 03:14:07 UTC
Created attachment 899373 [details] puppet patch from upstream
Comment 8 Murray McAllister 2014-06-05 04:57:02 UTC
Created attachment 902394 [details] revised facter-2.0.1 patch
Comment 9 Murray McAllister 2014-06-05 04:57:34 UTC
Created attachment 902395 [details] revised hiera-1.3.3 patch
Comment 10 Murray McAllister 2014-06-05 04:58:50 UTC
Created attachment 902396 [details] revised mcollective-2.5.1 patch
Comment 11 Murray McAllister 2014-06-05 04:59:22 UTC
Created attachment 902397 [details] revised puppet-2.7.25 patch
Comment 12 Murray McAllister 2014-06-05 04:59:47 UTC
Created attachment 902398 [details] revised puppet-3.6.1 patch
Comment 14 Murray McAllister 2014-06-11 01:07:26 UTC
This issue has been fixed in Puppet Enterprise 2.8.7, Puppet 3.6.2, Puppet 2.7.26, Facter 2.0.2, Hiera 1.3.4, and Mcollective 2.5.2. External References: http://puppetlabs.com/security/cve/cve-2014-3248
Comment 15 Murray McAllister 2014-06-11 01:09:59 UTC
Created hiera tracking bugs for this issue: Affects: epel-6 [bug 1107893]
Comment 16 Murray McAllister 2014-06-11 01:10:03 UTC
Created puppet tracking bugs for this issue: Affects: epel-all [bug 1107890]
Comment 17 Murray McAllister 2014-06-11 01:10:06 UTC
Created facter tracking bugs for this issue: Affects: fedora-19 [bug 1107891] Affects: epel-all [bug 1107892]
Comment 18 Murray McAllister 2014-06-11 01:10:09 UTC
Created mcollective tracking bugs for this issue: Affects: epel-all [bug 1107894]
Comment 20 Murray McAllister 2014-07-01 08:55:05 UTC
Created facter tracking bugs for this issue: Affects: fedora-20 [bug 1114902]
Comment 21 Murray McAllister 2014-07-01 08:56:44 UTC
(In reply to Murray McAllister from comment #20) > Created facter tracking bugs for this issue: > > Affects: fedora-20 [bug 1114902] Matthew Thode indicated version 1.7 is actually vulnerable: https://bugs.gentoo.org/show_bug.cgi?id=514476#c1
Comment 22 Fedora Update System 2014-07-03 17:57:22 UTC
mcollective-2.2.3-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 23 Fedora Update System 2014-07-03 17:58:05 UTC
hiera-1.0.0-4.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 24 Kurt Seifried 2014-09-17 19:39:39 UTC
Please note that we ship Ruby 1.9.3 in virtually all products (the exception being RHEL 4 and 5 base, however many products that run on these, e.g. SAM 1.4 ship their own up to date Ruby 1.9.3).
Comment 25 Kurt Seifried 2014-09-17 19:40:51 UTC
Please note that OpenStack 4 and 5 only run on RHEL 6 and 7, which have Ruby 1.9.3 so notaffected either.
Comment 26 Kurt Seifried 2014-09-17 19:42:26 UTC
Statement: This issue did not affect the versions of Puppet, Mcollective, Facter, or Hiera as shipped with various Red Hat Enterprise products as they all run on top of Ruby 1.9.3 or later.
Comment 28 Lukas Zapletal 2014-10-20 10:57:49 UTC
For the record - in F19 branch I struggled with releasing a backport fix because the patch for this CVE/NOTABUG was never removed from the branch. I am reverting it (commenting the patch line out the SPEC).
Comment 29 Fedora Update System 2014-11-22 04:14:45 UTC
facter-1.6.18-7.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 30 Fedora Update System 2014-11-22 12:33:29 UTC
facter-1.7.6-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.