Bug 1452651 (CVE-2017-2295)

Summary: CVE-2017-2295 puppet: Unsafe YAML deserialization
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: apevec, bcourt, bkearney, cbillett, ccoleman, chrisw, cvsbot-xmlrpc, dedgar, dmcphers, dominic, gchamoul, jgoulding, jjoyce, jmatthew, joelsmith, jose.p.oliveira.oss, jschluet, k.georgiou, lhh, lpeer, marianne, markmc, mastahnke, mmagr, mmccune, moses, ohadlevy, rbryant, rchan, sclewis, sisharma, srevivo, s, tdecacqu, terje.rosten, tlestach, tomckay, tsanders, vanmeeuwen+fedora
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: puppet 4.10.1, puppet agent 1.10.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-21 11:53:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1452653, 1452654, 1452655, 1460091, 1469897
Bug Blocks: 1452658

Description Andrej Nemec 2017-05-19 12:26:27 UTC
It was found that Puppet will deserialize data off the wire (from the agent to the server, in this case) with an attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML.

External References:

https://puppet.com/security/cve/cve-2017-2295
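The description above states the shape of the fix: the server must decode a request body only through decoders that cannot build arbitrary objects, and only for formats it explicitly expects. The following Ruby is an added illustration of that constraint written for this page; it is not Puppet's own code. It assumes plain JSON as a stand-in for Puppet's PSON format, uses `YAML.safe_load` (which raises `Psych::DisallowedClass` for any `!ruby/object` tag) for the YAML branch, and rejects any other format name outright. The request bodies are constructed samples, not captured traffic; the object-tag sample uses a harmless class name only to show the decoder refusing it.

```ruby
require 'yaml'
require 'json'

# Formats the server is willing to decode. Anything else is rejected
# instead of being handed to a format picked by the client.
# (JSON stands in for Puppet's PSON here; illustrative decoder, not Puppet's.)
ALLOWED_FORMATS = %w[pson yaml].freeze

class UnsupportedWireFormat < StandardError; end

# Decode a request body according to the format the client claims, but only
# through decoders that produce core types (Hash, Array, String, numbers...).
def decode_wire(body, format)
  case format.to_s.downcase
  when 'pson'
    JSON.parse(body)
  when 'yaml'
    # safe_load never instantiates application classes; a document carrying
    # a !ruby/object tag raises Psych::DisallowedClass before any constructor runs.
    YAML.safe_load(body)
  else
    raise UnsupportedWireFormat, "refusing to decode format #{format.inspect}"
  end
end

# Classify a single body as :ok, :disallowed_class or :unsupported_format.
# The two rejection outcomes are the events worth logging on a server:
# an agent sending object tags or an unexpected format is anomalous.
def classify(body, format)
  decode_wire(body, format)
  :ok
rescue Psych::DisallowedClass
  :disallowed_class
rescue UnsupportedWireFormat
  :unsupported_format
end

# Constructed sample bodies (not captured traffic).
SAMPLE_PSON = '{"name":"web01","environment":"production"}'.freeze
SAMPLE_YAML = "name: web01\nenvironment: production\n".freeze
# Harmless object tag: enough to show safe_load refusing to instantiate it.
SAMPLE_OBJECT_TAG = "--- !ruby/object:Object {}\n".freeze

if __FILE__ == $0
  p decode_wire(SAMPLE_PSON, 'pson')          # {"name"=>"web01", "environment"=>"production"}
  p classify(SAMPLE_OBJECT_TAG, 'yaml')       # :disallowed_class
  p classify(SAMPLE_YAML, 'marshal')          # :unsupported_format
end
```

The point of the `else` branch is that the format list is closed on the server side: the client can still name a format, but naming one the server does not list yields an error rather than a fallback to a generic, object-building loader.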

Comment 1 Andrej Nemec 2017-05-19 12:27:31 UTC
Created puppet tracking bugs for this issue:

Affects: epel-7 [bug 1452653]
Affects: fedora-all [bug 1452654]
Affects: openshift-1 [bug 1452655]

Comment 3 Summer Long 2017-06-09 04:26:52 UTC
Created puppet tracking bugs for this issue:

Affects: openstack-rdo [bug 1460091]

Comment 5 Kurt Seifried 2018-03-22 18:57:09 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.3 for RHEL 7

Via RHSA-2018:0336 https://access.redhat.com/errata/RHSA-2018:0336