Bug 748447 (CVE-2011-3872)

Summary: CVE-2011-3872 puppet: MITM by the x509v3 certificate signing
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: blentz, katello-internal, pbrobinson, security-response-team, tmz, vdanen
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: puppet 2.6.12, puppet 2.7.6
Doc Type: Bug Fix
Last Closed: 2012-07-04 06:56:34 UTC
Bug Depends On: 748650, 748651, 748652, 790898, 790917, 801972
Bug Blocks: 742180, 748458

Attachments:
- Local copy of proposed upstream patch for Puppet CVE-2011-3872 issue against the v2.7.5 branch (flags: none)
- Local copy of proposed upstream patch for Puppet CVE-2011-3872 issue against the v0.24 branch (flags: none)

Description Jan Lieskovsky 2011-10-24 13:44:53 UTC
A security flaw was found in the way Puppet, a network tool for managing many disparate systems, recognized additional DNS names to be added to the certificate of the Puppet master, when that certificate was used for subsequent communication with Puppet clients. A remote, privileged user, with the ability to modify the SSL certificate of the Puppet agent, could use this flaw to impersonate the main Puppet master server against Puppet clients (MITM).
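An audit check added here (not part of this bug report or of Puppet) for the situation the description covers: it inspects the subject and subjectAltName of a signed certificate, as printed by `openssl x509 -noout -subject -ext subjectAltName`, and flags any certificate whose CN is not the master's yet carries one of the master's DNS names. The master names and the sample certificate text are constructed for the example.

```python
import re
import subprocess
from typing import Iterable, List

# Names the Puppet master is expected to present (assumed values for this
# example). Any other node's certificate carrying one of them as a SAN entry
# should be revoked and reissued after the fix is deployed.
MASTER_NAMES = {"puppet", "puppet.example.com"}

# Works for both "subject=CN = host" (OpenSSL 1.1+) and "subject= /CN=host".
SUBJECT_CN_RE = re.compile(r"CN\s*=\s*([^,/\n]+)")
SAN_DNS_RE = re.compile(r"DNS:([^,\s]+)")


def suspicious_san_names(openssl_text: str,
                         master_names: Iterable[str] = MASTER_NAMES) -> List[str]:
    """Return master names found in the SAN of a certificate whose CN is not
    itself a master name. `openssl_text` is the output of
    `openssl x509 -noout -subject -ext subjectAltName -in <cert.pem>`."""
    match = SUBJECT_CN_RE.search(openssl_text)
    cn = match.group(1).strip() if match else ""
    masters = set(master_names)
    if cn in masters:
        return []  # the master's own certificate may legitimately carry them
    sans = SAN_DNS_RE.findall(openssl_text)
    return sorted(name for name in sans if name in masters)


def audit_cert_file(path: str, master_names: Iterable[str] = MASTER_NAMES) -> List[str]:
    """Run openssl on one PEM file (e.g. from the CA's signed/ directory)
    and return the suspicious SAN names it carries."""
    cmd = ["openssl", "x509", "-noout", "-subject", "-ext", "subjectAltName", "-in", path]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return suspicious_san_names(out, master_names)


# Constructed sample output for an agent certificate signed while the CA
# was adding the master's certdnsnames to every certificate it issued.
SAMPLE_AGENT = """subject=CN = agent1.example.com
X509v3 Subject Alternative Name:
    DNS:puppet, DNS:puppet.example.com, DNS:agent1.example.com
"""
# Constructed sample for the master's own certificate, which is expected to carry them.
SAMPLE_MASTER = """subject=CN = puppet.example.com
X509v3 Subject Alternative Name:
    DNS:puppet, DNS:puppet.example.com
"""

if __name__ == "__main__":
    print("agent:", suspicious_san_names(SAMPLE_AGENT))    # ['puppet', 'puppet.example.com']
    print("master:", suspicious_san_names(SAMPLE_MASTER))  # []
```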

Comment 1 Jan Lieskovsky 2011-10-24 13:46:46 UTC
This issue affects the versions of the puppet package, as shipped with Fedora releases 14 and 15.

--

This issue affects the versions of the puppet package, as shipped with Fedora EPEL 4, Fedora EPEL 5 and Fedora EPEL 6 releases.

Comment 3 Jan Lieskovsky 2011-10-24 13:51:42 UTC
Created attachment 529872 [details]
Local copy of proposed upstream patch for Puppet CVE-2011-3872 issue against the v2.7.5 branch

Comment 4 Jan Lieskovsky 2011-10-24 14:00:33 UTC
Created attachment 529874 [details]
Local copy of proposed upstream patch for Puppet CVE-2011-3872 issue against the v0.24 branch


Removes the certdnsnames option altogether.

Comment 5 Jan Lieskovsky 2011-10-24 14:01:44 UTC
This issue affects the versions of the puppet package, as shipped with Red Hat Enterprise MRG 1.3.

Comment 7 Vincent Danen 2011-10-25 01:39:46 UTC
This issue is now public.

External Reference:

http://www.puppetlabs.com/security/cve/cve-2011-3872/

Comment 9 Peter Robinson 2011-11-29 14:39:49 UTC
Closing as puppet 2.6.12 has been pushed to stable as an update for EPEL 4,5,6 and Fedora 14,15,16 and rawhide.

Comment 10 Kurt Seifried 2012-02-15 17:07:10 UTC
This issue also affects CloudForms.

Comment 13 Kurt Seifried 2012-03-10 00:49:48 UTC
Created puppet tracking bugs for this issue

Affects: fedora-all [bug 801972]

Comment 14 Todd Zullinger 2012-03-10 02:53:07 UTC
I'm a bit confused (nothing new there). This issue was fixed in puppet 2.6.12, which has been in all Fedora releases for a while now. As a puppet maintainer for fedora/epel, is there something further that I need to do?

Comment 15 Kurt Seifried 2012-04-11 16:18:36 UTC
Resolved in Puppet 2.7.6 and 2.6.12, CloudForms ships Puppet 2.6.14.