Bug 1101346 (CVE-2014-3248)

Summary: CVE-2014-3248 puppet: Ruby modules could be loaded from the current working directory
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, admiller, aortega, apevec, ayoung, bkearney, carnil, cbillett, ccoleman, chrisw, cpelland, dallan, dcleal, dmcphers, fedora, gkotton, jialiu, jokerman, jose.p.oliveira.oss, jrusnack, katello-bugs, k.georgiou, kseifried, ktdreyer, lhh, lmeyer, lzap, markmc, mastahnke, mmagr, mmccomas, mmccune, mmcgrath, moses, rbryant, rhos-maint, rrati, sclewis, security-response-team, s, steve.traylen, tjay, tmz, tomckay, vanmeeuwen+fedora, vdanen, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-17 19:42:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1107890, 1107891, 1107892, 1107893, 1107894, 1108503, 1114902    
Bug Blocks: 1101348    
Attachments:
Description Flags
facter patch from upstream
none
hiera patch from upstream
none
mcollective patch from upstream
none
puppet patch from upstream
none
revised facter-2.0.1 patch
none
revised hiera-1.3.3 patch
none
revised mcollective-2.5.1 patch
none
revised puppet-2.7.25 patch
none
revised puppet-3.6.1 patch none

Description Murray McAllister 2014-05-27 03:04:03 UTC
Running Puppet, Mcollective, Facter, or Hiera on a host that has a version of Ruby older than 1.9.2 could result in a Ruby module being loaded from the current working directory. If Puppet, Mcollective, Facter, or Hiera were run from an attacker-controlled directory, it could result in arbitrary code execution. This issue affects all versions of Puppet, Mcollective, and Hiera. It affects Facter versions 1.6.x and 2.x.

This is due to an underlying issue in Ruby that was fixed in version 1.9.2: https://www.ruby-lang.org/en/news/2010/08/18/ruby-1-9.2-released

Acknowledgements:

Red Hat would like to thank Puppet Labs for reporting this issue. Upstream acknowledges Dennis Rowe (shr3kst3r) as the original reporter.

Comment 2 Murray McAllister 2014-05-27 03:11:22 UTC
Created attachment 899370 [details]
facter patch from upstream

Comment 3 Murray McAllister 2014-05-27 03:12:37 UTC
Created attachment 899371 [details]
hiera patch from upstream

Comment 4 Murray McAllister 2014-05-27 03:13:19 UTC
Created attachment 899372 [details]
mcollective patch from upstream

Comment 5 Murray McAllister 2014-05-27 03:14:07 UTC
Created attachment 899373 [details]
puppet patch from upstream

Comment 8 Murray McAllister 2014-06-05 04:57:02 UTC
Created attachment 902394 [details]
revised facter-2.0.1 patch

Comment 9 Murray McAllister 2014-06-05 04:57:34 UTC
Created attachment 902395 [details]
revised hiera-1.3.3 patch

Comment 10 Murray McAllister 2014-06-05 04:58:50 UTC
Created attachment 902396 [details]
revised mcollective-2.5.1 patch

Comment 11 Murray McAllister 2014-06-05 04:59:22 UTC
Created attachment 902397 [details]
revised puppet-2.7.25 patch

Comment 12 Murray McAllister 2014-06-05 04:59:47 UTC
Created attachment 902398 [details]
revised puppet-3.6.1 patch

Comment 14 Murray McAllister 2014-06-11 01:07:26 UTC
This issue has been fixed in Puppet Enterprise 2.8.7, Puppet 3.6.2, Puppet 2.7.26, Facter 2.0.2, Hiera 1.3.4, and Mcollective 2.5.2.

External References:

http://puppetlabs.com/security/cve/cve-2014-3248

Comment 15 Murray McAllister 2014-06-11 01:09:59 UTC
Created hiera tracking bugs for this issue:

Affects: epel-6 [bug 1107893]

Comment 16 Murray McAllister 2014-06-11 01:10:03 UTC
Created puppet tracking bugs for this issue:

Affects: epel-all [bug 1107890]

Comment 17 Murray McAllister 2014-06-11 01:10:06 UTC
Created facter tracking bugs for this issue:

Affects: fedora-19 [bug 1107891]
Affects: epel-all [bug 1107892]

Comment 18 Murray McAllister 2014-06-11 01:10:09 UTC
Created mcollective tracking bugs for this issue:

Affects: epel-all [bug 1107894]

Comment 20 Murray McAllister 2014-07-01 08:55:05 UTC
Created facter tracking bugs for this issue:

Affects: fedora-20 [bug 1114902]

Comment 21 Murray McAllister 2014-07-01 08:56:44 UTC
(In reply to Murray McAllister from comment #20)
> Created facter tracking bugs for this issue:
> 
> Affects: fedora-20 [bug 1114902]

Matthew Thode indicated version 1.7 is actually vulnerable:

https://bugs.gentoo.org/show_bug.cgi?id=514476#c1

Comment 22 Fedora Update System 2014-07-03 17:57:22 UTC
mcollective-2.2.3-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2014-07-03 17:58:05 UTC
hiera-1.0.0-4.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 24 Kurt Seifried 2014-09-17 19:39:39 UTC
Please note that we ship Ruby 1.9.3 in virtually all products (the exception being RHEL 4 and 5 base, however many products that run on these, e.g. SAM 1.4 ship their own up to date Ruby 1.9.3).

Comment 25 Kurt Seifried 2014-09-17 19:40:51 UTC
Please note that OpenStack 4 and 5 only run on RHEL 6 and 7, which have Ruby 1.9.3 so notaffected either.

Comment 26 Kurt Seifried 2014-09-17 19:42:26 UTC
Statement:

This issue did not affect the versions of Puppet, Mcollective, Facter, or Hiera as shipped with various Red Hat Enterprise products as they all run on top of Ruby 1.9.3 or later.

Comment 28 Lukas Zapletal 2014-10-20 10:57:49 UTC
For the record - in F19 branch I struggled with releasing a backport fix because the patch for this CVE/NOTABUG was never removed from the branch. I am reverting it (commenting the patch line out the SPEC).

Comment 29 Fedora Update System 2014-11-22 04:14:45 UTC
facter-1.6.18-7.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 30 Fedora Update System 2014-11-22 12:33:29 UTC
facter-1.7.6-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.