Bug 1816720 (CVE-2020-7942)

Summary: CVE-2020-7942 puppet: Arbitrary catalog retrieval
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bbuckingham, bcourt, bkearney, brandfbb, btotty, dbecker, hhudgeon, jjoyce, jschluet, lhh, lpeer, lutter, lzap, mburns, mmagr, mmccune, nmoumoul, rchan, rjerrido, sclewis, slinaber, sokeeffe, s, terje.rosten
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: puppet 6.13.0, puppet-agent 6.13.0
Doc Text:
A flaw was found in Puppet, where changes in the application lead to node declarations having increased access. An attacker can use this flaw to modify run facts and to retrieve information for different nodes when `strict_hostname_checking` is false and the node's catalog falls back to the `default` node.
Last Closed: 2020-10-27 14:21:27 UTC
Bug Depends On: 1816722, 1816723, 1816724, 1817370, 1817371, 1817372, 1820148, 1823722, 1823723, 1993158    
Bug Blocks: 1816725    

Description Pedro Sampaio 2020-03-24 15:34:41 UTC
Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master. Puppet 6.13.0 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior.

References:

https://puppet.com/security/cve/CVE-2020-7942/

Comment 1 Pedro Sampaio 2020-03-24 15:35:44 UTC
Created puppet tracking bugs for this issue:

Affects: epel-7 [bug 1816724]
Affects: fedora-all [bug 1816723]
Affects: openstack-rdo [bug 1816722]

Comment 2 Joshua Padman 2020-03-26 08:54:22 UTC
Mitigation:

In the puppet.conf configuration file set `strict_hostname_checking = true`.
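
As an added example (not part of the original bug report and not Puppet's own code), the following Python check reads the text of a `puppet.conf` and reports the value of `strict_hostname_checking` that the master would use, falling back to the version-dependent default described in this bug. The function names and sample configurations are constructed for illustration; treating settings that appear before any section header as `[main]`, and counting only the literal value `true` as enabled, are assumptions of this example.

```python
import re

SECTION = re.compile(r"^\[(\w+)\]$")
SETTING = re.compile(r"^(\w+)\s*=\s*(.*)$")

def parse_puppet_conf(text):
    """Return {section: {setting: value}} for INI-style puppet.conf text."""
    conf, section = {}, "main"  # assumption: lines before any header belong to [main]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = SETTING.match(line)
        if m:
            conf.setdefault(section, {})[m.group(1)] = m.group(2).strip()
    return conf

def strict_hostname_checking(text, puppet_version):
    """Return (enabled, source) as seen by the master for this config text."""
    conf = parse_puppet_conf(text)
    for section in ("master", "main"):  # [master] overrides [main]
        value = conf.get(section, {}).get("strict_hostname_checking")
        if value is not None:
            # Conservative: anything other than the literal "true" is flagged.
            return value == "true", f"[{section}]"
    # Unset: the default changed from false to true in Puppet 6.13.0.
    return tuple(puppet_version) >= (6, 13, 0), "default"

# Constructed sample configurations (not taken from a real system).
SAMPLE_UNSET = """\
[main]
certname = puppet.example.test
[master]
dns_alt_names = puppet
"""
SAMPLE_OVERRIDDEN = """\
[main]
strict_hostname_checking = true
[master]
strict_hostname_checking = false
"""

if __name__ == "__main__":
    for name, text, ver in [("unset, 6.12.0", SAMPLE_UNSET, (6, 12, 0)),
                            ("overridden, 6.13.0", SAMPLE_OVERRIDDEN, (6, 13, 0))]:
        enabled, source = strict_hostname_checking(text, ver)
        print(f"{name}: {'OK' if enabled else 'AT RISK'} (from {source})")
```

The second sample shows why checking `[main]` alone is not enough: a `false` in `[master]` re-opens the issue even on a version whose default is `true`.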

Comment 3 Joshua Padman 2020-03-26 08:55:34 UTC
External References:

https://puppet.com/security/cve/CVE-2020-7942/

Comment 9 errata-xmlrpc 2020-10-27 12:56:12 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.7 for RHEL 8

Via RHSA-2020:4366 https://access.redhat.com/errata/RHSA-2020:4366

Comment 10 Product Security DevOps Team 2020-10-27 14:21:27 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-7942