Bug 2023853 (CVE-2021-27025)

Summary: CVE-2021-27025 puppet: silent configuration failure in agent
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bbuckingham, bcourt, bkearney, brandfbb, btotty, dbecker, ehelms, ekohlvan, extras-orphan, jjoyce, jschluet, jsherril, lhh, lpeer, lutter, lzap, mburns, mhulan, mmagr, mmccune, myarboro, nmoumoul, orabin, pcreech, rchan, sclewis, slinaber, terje.rosten
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Puppet Agent 6.25.1, Puppet Agent 7.12.1 Doc Type: If docs needed, set a value
Doc Text:
A configuration flaw was found in Puppet Agent where the agent silently ignores Augeas settings. This flaw allows a network attacker to cause a denial of service before the first pluginsync. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-04 17:15:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2024044, 2024045, 2024046, 2024376, 2024377, 2025476, 2027207, 2027246, 2027254, 2066884, 2090612, 2090618    
Bug Blocks: 2023864    

Description Guilherme de Almeida Suckevicz 2021-11-16 17:18:24 UTC 
A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first pluginsync.

Reference:
https://puppet.com/security/cve/cve-2021-27025
Comment 1 Summer Long 2021-11-17 05:48:01 UTC 
Upstream commits (PUP-11209):
7.12.1: https://github.com/puppetlabs/puppet/commit/0e189e9988c4969280134d043b871851928caa41
6.x: https://github.com/puppetlabs/puppet/commit/da8b73edca174309a9bef5f62cd276933fe733e8
Comment 3 Summer Long 2021-11-17 05:54:14 UTC 
Created puppet tracking bugs for this issue:

Affects: epel-all [bug 2024044]
Affects: fedora-all [bug 2024045]
Affects: openstack-rdo [bug 2024046]
Comment 5 Breno 2021-11-19 03:27:41 UTC 
Epel and fedora are resolved.
I'm not sure who responds for the openstack-rdo builds.
Comment 8 Yadnyawalk Tale 2021-11-29 09:36:41 UTC 
Upcoming RHUI4 release is notaffected as product removed puppet to suppose installation with Ansible playbooks.
Comment 9 errata-xmlrpc 2022-05-04 12:59:03 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2022:1708 https://access.redhat.com/errata/RHSA-2022:1708
Comment 10 Product Security DevOps Team 2022-05-04 17:15:26 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-27025
Comment 11 errata-xmlrpc 2022-06-01 19:56:05 UTC 
This issue has been addressed in the following products:

  Satellite Tools 6.9 for RHEL 7
  Satellite Tools 6.9 for RHEL 6.ELS
  Satellite Tools 6.9 for RHEL 7.2.AUS
  Satellite Tools 6.9 for RHEL 7.3.AUS
  Satellite Tools 6.9 for RHEL 7.4.AUS
  Satellite Tools 6.9 for RHEL 7.4.E4S
  Satellite Tools 6.9 for RHEL 7.4.TUS
  Satellite Tools 6.9 for RHEL 7.6.AUS
  Satellite Tools 6.9 for RHEL 7.6.E4S
  Satellite Tools 6.9 for RHEL 7.6.EUS
  Satellite Tools 6.9 for RHEL 7.6.TUS
  Satellite Tools 6.9 for RHEL 7.7.AUS
  Satellite Tools 6.9 for RHEL 7.7.E4S
  Satellite Tools 6.9 for RHEL 7.7.EUS
  Satellite Tools 6.9 for RHEL 7.7.TUS
  Satellite Tools 6.9 for RHEL 8
  Satellite Tools 6.9 for RHEL 8.0.E4S
  Satellite Tools 6.9 for RHEL 8.1.E4S
  Satellite Tools 6.9 for RHEL 8.1.EUS
  Satellite Tools 6.9 for RHEL 8.2.AUS
  Satellite Tools 6.9 for RHEL 8.2.E4S
  Satellite Tools 6.9 for RHEL 8.2.EUS
  Satellite Tools 6.9 for RHEL 8.2.TUS
  Satellite Tools 6.9 for RHEL 8.4.AUS
  Satellite Tools 6.9 for RHEL 8.4.E4S
  Satellite Tools 6.9 for RHEL 8.4.EUS
  Satellite Tools 6.9 for RHEL 8.6.AUS
  Satellite Tools 6.9 for RHEL 8.6.E4S
  Satellite Tools 6.9 for RHEL 8.6.EUS
  Satellite Tools 6.9 for RHEL 8.6.TUS

Via RHSA-2022:4867 https://access.redhat.com/errata/RHSA-2022:4867
Comment 12 errata-xmlrpc 2022-06-01 20:00:39 UTC 
This issue has been addressed in the following products:

  Satellite Tools 6.10 for RHEL 7
  Satellite Tools 6.10 for RHEL 6.ELS
  Satellite Tools 6.10 for RHEL 7.2.AUS
  Satellite Tools 6.10 for RHEL 7.3.AUS
  Satellite Tools 6.10 for RHEL 7.4.AUS
  Satellite Tools 6.10 for RHEL 7.4.E4S
  Satellite Tools 6.10 for RHEL 7.4.TUS
  Satellite Tools 6.10 for RHEL 7.6.AUS
  Satellite Tools 6.10 for RHEL 7.6.E4S
  Satellite Tools 6.10 for RHEL 7.6.TUS
  Satellite Tools 6.10 for RHEL 7.7.AUS
  Satellite Tools 6.10 for RHEL 7.7.E4S
  Satellite Tools 6.10 for RHEL 7.7.TUS
  Satellite Tools 6.10 for RHEL 8
  Satellite Tools 6.10 for RHEL 8.1.E4S
  Satellite Tools 6.10 for RHEL 8.1.EUS
  Satellite Tools 6.10 for RHEL 8.2.AUS
  Satellite Tools 6.10 for RHEL 8.2.E4S
  Satellite Tools 6.10 for RHEL 8.2.EUS
  Satellite Tools 6.10 for RHEL 8.2.TUS
  Satellite Tools 6.10 for RHEL 8.4.AUS
  Satellite Tools 6.10 for RHEL 8.4.E4S
  Satellite Tools 6.10 for RHEL 8.4.EUS
  Satellite Tools 6.10 for RHEL 8.4.TUS
  Satellite Tools 6.10 for RHEL 8.6.AUS
  Satellite Tools 6.10 for RHEL 8.6.E4S
  Satellite Tools 6.10 for RHEL 8.6.EUS

Via RHSA-2022:4866 https://access.redhat.com/errata/RHSA-2022:4866
Comment 13 errata-xmlrpc 2022-12-07 19:25:15 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:8846 https://access.redhat.com/errata/RHSA-2022:8846
Comment 14 errata-xmlrpc 2022-12-07 20:26:39 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2022:8862 https://access.redhat.com/errata/RHSA-2022:8862