Running Puppet, Mcollective, Facter, or Hiera on a host that has a version of Ruby older than 1.9.2 could result in a Ruby module being loaded from the current working directory. If Puppet, Mcollective, Facter, or Hiera were run from an attacker-controlled directory, it could result in arbitrary code execution. This issue affects all versions of Puppet, Mcollective, and Hiera. It affects Facter versions 1.6.x and 2.x. This is due to an underlying issue in Ruby that was fixed in version 1.9.2: https://www.ruby-lang.org/en/news/2010/08/18/ruby-1-9.2-released Acknowledgements: Red Hat would like to thank Puppet Labs for reporting this issue. Upstream acknowledges Dennis Rowe (shr3kst3r) as the original reporter.
Created attachment 899370 [details] facter patch from upstream
Created attachment 899371 [details] hiera patch from upstream
Created attachment 899372 [details] mcollective patch from upstream
Created attachment 899373 [details] puppet patch from upstream
Created attachment 902394 [details] revised facter-2.0.1 patch
Created attachment 902395 [details] revised hiera-1.3.3 patch
Created attachment 902396 [details] revised mcollective-2.5.1 patch
Created attachment 902397 [details] revised puppet-2.7.25 patch
Created attachment 902398 [details] revised puppet-3.6.1 patch
This issue has been fixed in Puppet Enterprise 2.8.7, Puppet 3.6.2, Puppet 2.7.26, Facter 2.0.2, Hiera 1.3.4, and Mcollective 2.5.2. External References: http://puppetlabs.com/security/cve/cve-2014-3248
Created hiera tracking bugs for this issue: Affects: epel-6 [bug 1107893]
Created puppet tracking bugs for this issue: Affects: epel-all [bug 1107890]
Created facter tracking bugs for this issue: Affects: fedora-19 [bug 1107891] Affects: epel-all [bug 1107892]
Created mcollective tracking bugs for this issue: Affects: epel-all [bug 1107894]
Created facter tracking bugs for this issue: Affects: fedora-20 [bug 1114902]
(In reply to Murray McAllister from comment #20) > Created facter tracking bugs for this issue: > > Affects: fedora-20 [bug 1114902] Matthew Thode indicated version 1.7 is actually vulnerable: https://bugs.gentoo.org/show_bug.cgi?id=514476#c1
mcollective-2.2.3-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
hiera-1.0.0-4.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Please note that we ship Ruby 1.9.3 in virtually all products (the exception being RHEL 4 and 5 base, however many products that run on these, e.g. SAM 1.4 ship their own up to date Ruby 1.9.3).
Please note that OpenStack 4 and 5 only run on RHEL 6 and 7, which have Ruby 1.9.3 so notaffected either.
Statement: This issue did not affect the versions of Puppet, Mcollective, Facter, or Hiera as shipped with various Red Hat Enterprise products as they all run on top of Ruby 1.9.3 or later.
For the record - in F19 branch I struggled with releasing a backport fix because the patch for this CVE/NOTABUG was never removed from the branch. I am reverting it (commenting the patch line out the SPEC).
facter-1.6.18-7.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
facter-1.7.6-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.