Bug 2023859 (CVE-2021-27023)

Summary: CVE-2021-27023 puppet: unsafe HTTP redirect
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: bbuckingham, bcourt, bkearney, brandfbb, btotty, dbecker, ehelms, ekohlvan, extras-orphan, jjoyce, jschluet, jsherril, lhh, lpeer, lutter, lzap, mburns, mhulan, mmagr, mmccune, myarboro, nmoumoul, orabin, pcreech, rchan, sclewis, slinaber, terje.rosten
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Puppet Server 6.17.1, Puppet Server 7.4.2, Puppet Agent 6.25.1, Puppet Agent 7.12.1
Doc Type: If docs needed, set a value
Doc Text:
An exposure flaw was found in Puppet Agent and Puppet Server where HTTP credentials were leaked. When an HTTP redirect to a different host was followed, the Authorization and Cookie headers were still sent to the new host. This flaw allows an unauthorized network attacker to access sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-04-20 23:29:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2023860, 2023861, 2023862, 2025477, 2027250, 2027251, 2027253, 2027254, 2066884, 2090612, 2090618
Bug Blocks: 2023864

Description Guilherme de Almeida Suckevicz 2021-11-16 17:23:59 UTC
A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007.

Reference:
https://puppet.com/security/cve/cve-2021-27023
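As an added illustration of the class of fix the advisory describes (this is not Puppet's own code or the linked upstream commit), the Ruby below drops the Authorization and Cookie headers whenever a redirect leaves the request's origin, and contrasts it with the pre-fix behaviour of re-sending every header. It assumes "origin" means scheme, host and port (slightly stricter than the advisory's "different host"); the URLs, headers and response table are constructed stand-ins so it runs offline.

```ruby
require 'uri'

# Request headers that carry credentials and must not follow a redirect
# to another origin.
SENSITIVE_HEADERS = %w[authorization cookie].freeze

# Same origin here means identical scheme, host and port (an assumption
# that is slightly stricter than the advisory's "different host").
def same_origin?(a, b)
  a.scheme == b.scheme &&
    a.host.to_s.downcase == b.host.to_s.downcase &&
    a.port == b.port
end

# Resolve a Location value (absolute or relative) against the request URL
# and return [next_url, headers that are safe to send to it].
def headers_for_redirect(request_url, location, headers)
  from = URI.parse(request_url)
  to   = from.merge(location)
  return [to.to_s, headers.dup] if same_origin?(from, to)
  kept = headers.reject { |name, _| SENSITIVE_HEADERS.include?(name.to_s.downcase) }
  [to.to_s, kept]
end

# Constructed offline stand-in for the servers: URL => [status, Location].
RESPONSES = {
  'https://puppet.example.com/v3/file' => [302, 'https://mirror.example.net/file'],
  'https://mirror.example.net/file'    => [200, nil],
}.freeze

# Follow redirects without any network, recording each [url, headers] sent.
# strip_credentials: false reproduces the pre-fix behaviour, where the
# original headers were re-sent to every host in the chain.
def follow(url, headers, responses, strip_credentials: true, max_hops: 5)
  sent = []
  max_hops.times do
    sent << [url, headers]
    status, location = responses.fetch(url)
    return sent unless status == 302 && location
    if strip_credentials
      url, headers = headers_for_redirect(url, location, headers)
    else
      url = URI.parse(url).merge(location).to_s
    end
  end
  raise 'too many redirects'
end
```

A client-side check like this is a mitigation in the HTTP client, not a substitute for updating to the fixed Puppet versions listed above.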

Comment 1 Guilherme de Almeida Suckevicz 2021-11-16 17:24:23 UTC
Created puppet tracking bugs for this issue:

Affects: epel-all [bug 2023861]
Affects: fedora-all [bug 2023860]
Affects: openstack-rdo [bug 2023862]

Comment 2 Summer Long 2021-11-17 04:08:19 UTC
Per upstream notes:
Puppet Server 6.17.1, shipped with Puppet 6.25.1
Puppet Server 7.4.2, shipped with Puppet 7.12.1
Upstream 7.12.1 commit: https://github.com/puppetlabs/puppet/commit/9a8d3ef017cf63ce0f848ec64394f7bad287e825

Comment 7 Yadnyawalk Tale 2021-11-29 09:36:51 UTC
Upcoming RHUI4 release is not affected as the product removed puppet to support installation with Ansible playbooks.

Comment 8 errata-xmlrpc 2022-04-20 20:34:50 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.9 for RHEL 7

Via RHSA-2022:1478 https://access.redhat.com/errata/RHSA-2022:1478

Comment 9 Product Security DevOps Team 2022-04-20 23:29:18 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-27023

Comment 10 errata-xmlrpc 2022-05-04 12:59:07 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2022:1708 https://access.redhat.com/errata/RHSA-2022:1708

Comment 11 errata-xmlrpc 2022-06-01 19:56:06 UTC
This issue has been addressed in the following products:

  Satellite Tools 6.9 for RHEL 7
  Satellite Tools 6.9 for RHEL 6.ELS
  Satellite Tools 6.9 for RHEL 7.2.AUS
  Satellite Tools 6.9 for RHEL 7.3.AUS
  Satellite Tools 6.9 for RHEL 7.4.AUS
  Satellite Tools 6.9 for RHEL 7.4.E4S
  Satellite Tools 6.9 for RHEL 7.4.TUS
  Satellite Tools 6.9 for RHEL 7.6.AUS
  Satellite Tools 6.9 for RHEL 7.6.E4S
  Satellite Tools 6.9 for RHEL 7.6.EUS
  Satellite Tools 6.9 for RHEL 7.6.TUS
  Satellite Tools 6.9 for RHEL 7.7.AUS
  Satellite Tools 6.9 for RHEL 7.7.E4S
  Satellite Tools 6.9 for RHEL 7.7.EUS
  Satellite Tools 6.9 for RHEL 7.7.TUS
  Satellite Tools 6.9 for RHEL 8
  Satellite Tools 6.9 for RHEL 8.0.E4S
  Satellite Tools 6.9 for RHEL 8.1.E4S
  Satellite Tools 6.9 for RHEL 8.1.EUS
  Satellite Tools 6.9 for RHEL 8.2.AUS
  Satellite Tools 6.9 for RHEL 8.2.E4S
  Satellite Tools 6.9 for RHEL 8.2.EUS
  Satellite Tools 6.9 for RHEL 8.2.TUS
  Satellite Tools 6.9 for RHEL 8.4.AUS
  Satellite Tools 6.9 for RHEL 8.4.E4S
  Satellite Tools 6.9 for RHEL 8.4.EUS
  Satellite Tools 6.9 for RHEL 8.6.AUS
  Satellite Tools 6.9 for RHEL 8.6.E4S
  Satellite Tools 6.9 for RHEL 8.6.EUS
  Satellite Tools 6.9 for RHEL 8.6.TUS

Via RHSA-2022:4867 https://access.redhat.com/errata/RHSA-2022:4867

Comment 12 errata-xmlrpc 2022-06-01 20:00:39 UTC
This issue has been addressed in the following products:

  Satellite Tools 6.10 for RHEL 7
  Satellite Tools 6.10 for RHEL 6.ELS
  Satellite Tools 6.10 for RHEL 7.2.AUS
  Satellite Tools 6.10 for RHEL 7.3.AUS
  Satellite Tools 6.10 for RHEL 7.4.AUS
  Satellite Tools 6.10 for RHEL 7.4.E4S
  Satellite Tools 6.10 for RHEL 7.4.TUS
  Satellite Tools 6.10 for RHEL 7.6.AUS
  Satellite Tools 6.10 for RHEL 7.6.E4S
  Satellite Tools 6.10 for RHEL 7.6.TUS
  Satellite Tools 6.10 for RHEL 7.7.AUS
  Satellite Tools 6.10 for RHEL 7.7.E4S
  Satellite Tools 6.10 for RHEL 7.7.TUS
  Satellite Tools 6.10 for RHEL 8
  Satellite Tools 6.10 for RHEL 8.1.E4S
  Satellite Tools 6.10 for RHEL 8.1.EUS
  Satellite Tools 6.10 for RHEL 8.2.AUS
  Satellite Tools 6.10 for RHEL 8.2.E4S
  Satellite Tools 6.10 for RHEL 8.2.EUS
  Satellite Tools 6.10 for RHEL 8.2.TUS
  Satellite Tools 6.10 for RHEL 8.4.AUS
  Satellite Tools 6.10 for RHEL 8.4.E4S
  Satellite Tools 6.10 for RHEL 8.4.EUS
  Satellite Tools 6.10 for RHEL 8.4.TUS
  Satellite Tools 6.10 for RHEL 8.6.AUS
  Satellite Tools 6.10 for RHEL 8.6.E4S
  Satellite Tools 6.10 for RHEL 8.6.EUS

Via RHSA-2022:4866 https://access.redhat.com/errata/RHSA-2022:4866