Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master. Puppet 6.13.0 changes the default behavior for `strict_hostname_checking` from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set `strict_hostname_checking` to true to ensure secure behavior.

References: https://puppet.com/security/cve/CVE-2020-7942/
Created puppet tracking bugs for this issue:

Affects: epel-7 [bug 1816724]
Affects: fedora-all [bug 1816723]
Affects: openstack-rdo [bug 1816722]
Mitigation: In the `puppet.conf` configuration file set `strict_hostname_checking = true`.
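One way to check whether a given `puppet.conf` actually carries this mitigation, as an added example that is not code from Puppet or from this bug report. It assumes that a value in `[master]` (or `[server]`) takes precedence over `[main]`, that an unset value falls back to the version default described above, and the sample configurations are constructed.

```python
import configparser

# Per the advisory above, the default became true in Puppet 6.13.0.
DEFAULT_TRUE_SINCE = (6, 13, 0)
# Assumed lookup order: server-specific sections override [main].
SECTIONS = ("master", "server", "main")
SETTING = "strict_hostname_checking"


def parse_version(text):
    """Turn '6.12.0' into (6, 12, 0) so versions compare as tuples."""
    return tuple(int(part) for part in text.strip().split(".")[:3])


def effective_setting(conf_text, puppet_version):
    """Return (value, source) for strict_hostname_checking on the master."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    for section in SECTIONS:
        if parser.has_option(section, SETTING):
            raw = parser.get(section, SETTING).strip().lower()
            return raw == "true", "[%s]" % section
    # Not set anywhere: the built-in default for this version applies.
    return parse_version(puppet_version) >= DEFAULT_TRUE_SINCE, "default"


def audit(conf_text, puppet_version):
    """Summarise whether the mitigation is in effect for this config."""
    value, source = effective_setting(conf_text, puppet_version)
    return {"value": value, "source": source, "mitigated": value}


# Constructed sample configurations (not taken from any real system).
UNSET = "[main]\ncertname = puppet.example.test\n"
HARDENED = "[master]\nstrict_hostname_checking = true\n"
OVERRIDDEN = (
    "[main]\nstrict_hostname_checking = true\n"
    "[master]\nstrict_hostname_checking = false\n"
)

if __name__ == "__main__":
    cases = [("unset", UNSET, "6.12.0"), ("unset", UNSET, "6.13.0"),
             ("hardened", HARDENED, "5.5.0"), ("overridden", OVERRIDDEN, "6.13.0")]
    for name, conf, version in cases:
        print(name, version, audit(conf, version))
```

The `OVERRIDDEN` case is the one worth watching for after an upgrade: an explicit `false` left in the configuration keeps the insecure behavior even on a version whose default is `true`.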
External References: https://puppet.com/security/cve/CVE-2020-7942/
Relevant patch: https://github.com/puppetlabs/puppet/commit/c08b9fda717b30d580bbec1a3114632e36c26302
This issue has been addressed in the following products:

Red Hat Satellite 6.7 for RHEL 8

Via RHSA-2020:4366 https://access.redhat.com/errata/RHSA-2020:4366
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-7942