A flaw was discovered in Puppet DB. This flaw results in an escalation of privileges which allows the user to delete tables via an SQL query. This has been resolved in Puppet DB 6.17.0, 7.4.1, Platform 6.23, 7.7.0 and Puppet Enterprise 2021.2, 2019.8.7.
Reference: https://puppet.com/security/cve/cve-2021-27021/
Created puppet tracking bugs for this issue:
Affects: epel-all [bug 1976316]
Affects: fedora-all [bug 1976315]
Affects: openstack-rdo [bug 1976317]
We do not package puppet DB, therefore I don't think this applies to us? We package puppet agent only at the moment.
Related patches, addressing the vulnerability:
(PDB-5138) validate-dotted-field: anchor regexp: https://github.com/puppetlabs/puppetdb/commit/c146e624d230f7410fb648d58ae28c0e3cd457a2
(PDB-5138) quote-projections: quote all projections: https://github.com/puppetlabs/puppetdb/commit/f8dc81678cf347739838e42cc1c426d96406c266
(PDB-5138) Strictly validate function AST: https://github.com/puppetlabs/puppetdb/commit/72bd137511487643a3a6236ad9e72a5dd4a6fadb
A patch to ensure PuppetDB logs if the query user’s permissions are insufficiently restricted:
(PDB-5145) Detect and log ERROR level messages if read-only user is misconfigured: https://github.com/puppetlabs/puppetdb/commit/4077d580913c45e471e12cecc9f90df62d95f38f
Satellite and RHUI do ship puppet-agent, puppetserver and puppet respectively, but the vulnerability is with puppetdb, which we do not ship with these products atm. There is a way to integrate PuppetDB with upstream Foreman, but that appears to be an optional configuration. https://github.com/theforeman/puppet-puppet#puppetdb-integration
Can we close this ticket, then?