Bug 1816720 (CVE-2020-7942) - CVE-2020-7942 puppet: Arbitrary catalog retrieval
Summary: CVE-2020-7942 puppet: Arbitrary catalog retrieval
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-7942
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1816722 1816723 1816724 1817370 1817371 1817372 1820148 1823722 1823723 1993158
Blocks: 1816725
Reported: 2020-03-24 15:34 UTC by Pedro Sampaio
Modified: 2022-01-17 00:30 UTC

Fixed In Version: puppet 6.13.0, puppet-agent 6.13.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Puppet, where changes in the application lead to node declarations having increased access. An attacker can use this flaw to modify run facts and retrieve information for different nodes when `strict_hostname_checking` is false and the node's catalog falls back to the `default` node.
Clone Of:
Environment:
Last Closed: 2020-10-27 14:21:27 UTC
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2020:4366 | 0 | None | None | None | 2020-10-27 12:56:15 UTC

Description Pedro Sampaio 2020-03-24 15:34:41 UTC
Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master. Puppet 6.13.0 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior.

References:

https://puppet.com/security/cve/CVE-2020-7942/

Comment 1 Pedro Sampaio 2020-03-24 15:35:44 UTC
Created puppet tracking bugs for this issue:

Affects: epel-7 [bug 1816724]
Affects: fedora-all [bug 1816723]
Affects: openstack-rdo [bug 1816722]

Comment 2 Joshua Padman 2020-03-26 08:54:22 UTC
Mitigation:

In the puppet.conf configuration file set `strict_hostname_checking = true`.
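
One way to audit for the mitigation above, as an added example that is not part of the bug report or of Puppet itself: it works out the `strict_hostname_checking` value a Puppet master would use from the contents of `puppet.conf` and the installed version. The sample files, the function names and the `[master]`-before-`[main]` lookup order are assumptions made for this example.

```python
import configparser

# Constructed puppet.conf samples for illustration (not from the bug report).
SAMPLE_UNSET = """\
[main]
certname = puppet.example.test
"""
SAMPLE_MITIGATED = """\
[main]
strict_hostname_checking = false
[master]
strict_hostname_checking = true
"""

SETTING = "strict_hostname_checking"
# Per the bug report, the default became true in Puppet 6.13.0.
DEFAULT_TRUE_SINCE = (6, 13, 0)
# Assumption: the server reads [master] before falling back to [main].
SERVER_SECTIONS = ("master", "main")


def effective_setting(conf_text, puppet_version):
    """Return (value, source) the Puppet master would use for SETTING."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    for section in SERVER_SECTIONS:
        if parser.has_option(section, SETTING):
            raw = parser.get(section, SETTING).strip().lower()
            return raw == "true", f"[{section}]"
    # Nothing explicit: fall back to the version-dependent built-in default.
    version = tuple(int(part) for part in puppet_version.split(".")[:3])
    return version >= DEFAULT_TRUE_SINCE, "built-in default"


def audit(conf_text, puppet_version):
    """One-line verdict: EXPOSED when hostname checking is effectively off."""
    value, source = effective_setting(conf_text, puppet_version)
    status = "OK" if value else "EXPOSED"
    return f"{status}: {SETTING} = {str(value).lower()} ({source})"


if __name__ == "__main__":
    for name, text in (("unset", SAMPLE_UNSET), ("mitigated", SAMPLE_MITIGATED)):
        for version in ("6.12.0", "6.13.0"):
            print(f"{name:9} puppet {version}: {audit(text, version)}")
```

An explicit `false` is reported as EXPOSED even on 6.13.0 and later, because the new default only applies when the setting is absent.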

Comment 3 Joshua Padman 2020-03-26 08:55:34 UTC
External References:

https://puppet.com/security/cve/CVE-2020-7942/

Comment 9 errata-xmlrpc 2020-10-27 12:56:12 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.7 for RHEL 8

Via RHSA-2020:4366 https://access.redhat.com/errata/RHSA-2020:4366

Comment 10 Product Security DevOps Team 2020-10-27 14:21:27 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-7942
