Bug 1101346 (CVE-2014-3248) - CVE-2014-3248 puppet: Ruby modules could be loaded from the current working directory
Summary: CVE-2014-3248 puppet: Ruby modules could be loaded from the current working d...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2014-3248
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1107890 1107891 1107892 1107893 1107894 1108503 1114902
Blocks: 1101348
TreeView+ depends on / blocked
 
Reported: 2014-05-27 03:04 UTC by Murray McAllister
Modified: 2023-05-12 03:44 UTC (History)
47 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-17 19:42:26 UTC
Embargoed:


Attachments (Terms of Use)
facter patch from upstream (1.05 KB, patch)
2014-05-27 03:11 UTC, Murray McAllister
no flags Details | Diff
hiera patch from upstream (1020 bytes, patch)
2014-05-27 03:12 UTC, Murray McAllister
no flags Details | Diff
mcollective patch from upstream (1.43 KB, patch)
2014-05-27 03:13 UTC, Murray McAllister
no flags Details | Diff
puppet patch from upstream (953 bytes, patch)
2014-05-27 03:14 UTC, Murray McAllister
no flags Details | Diff
revised facter-2.0.1 patch (1.05 KB, patch)
2014-06-05 04:57 UTC, Murray McAllister
no flags Details | Diff
revised hiera-1.3.3 patch (1020 bytes, patch)
2014-06-05 04:57 UTC, Murray McAllister
no flags Details | Diff
revised mcollective-2.5.1 patch (997 bytes, patch)
2014-06-05 04:58 UTC, Murray McAllister
no flags Details | Diff
revised puppet-2.7.25 patch (2.66 KB, patch)
2014-06-05 04:59 UTC, Murray McAllister
no flags Details | Diff
revised puppet-3.6.1 patch (2.67 KB, patch)
2014-06-05 04:59 UTC, Murray McAllister
no flags Details | Diff

Description Murray McAllister 2014-05-27 03:04:03 UTC
Running Puppet, Mcollective, Facter, or Hiera on a host that has a version of Ruby older than 1.9.2 could result in a Ruby module being loaded from the current working directory. If Puppet, Mcollective, Facter, or Hiera were run from an attacker-controlled directory, it could result in arbitrary code execution. This issue affects all versions of Puppet, Mcollective, and Hiera. It affects Facter versions 1.6.x and 2.x.

This is due to an underlying issue in Ruby that was fixed in version 1.9.2: https://www.ruby-lang.org/en/news/2010/08/18/ruby-1-9.2-released

Acknowledgements:

Red Hat would like to thank Puppet Labs for reporting this issue. Upstream acknowledges Dennis Rowe (shr3kst3r) as the original reporter.

Comment 2 Murray McAllister 2014-05-27 03:11:22 UTC
Created attachment 899370 [details]
facter patch from upstream

Comment 3 Murray McAllister 2014-05-27 03:12:37 UTC
Created attachment 899371 [details]
hiera patch from upstream

Comment 4 Murray McAllister 2014-05-27 03:13:19 UTC
Created attachment 899372 [details]
mcollective patch from upstream

Comment 5 Murray McAllister 2014-05-27 03:14:07 UTC
Created attachment 899373 [details]
puppet patch from upstream

Comment 8 Murray McAllister 2014-06-05 04:57:02 UTC
Created attachment 902394 [details]
revised facter-2.0.1 patch

Comment 9 Murray McAllister 2014-06-05 04:57:34 UTC
Created attachment 902395 [details]
revised hiera-1.3.3 patch

Comment 10 Murray McAllister 2014-06-05 04:58:50 UTC
Created attachment 902396 [details]
revised mcollective-2.5.1 patch

Comment 11 Murray McAllister 2014-06-05 04:59:22 UTC
Created attachment 902397 [details]
revised puppet-2.7.25 patch

Comment 12 Murray McAllister 2014-06-05 04:59:47 UTC
Created attachment 902398 [details]
revised puppet-3.6.1 patch

Comment 14 Murray McAllister 2014-06-11 01:07:26 UTC
This issue has been fixed in Puppet Enterprise 2.8.7, Puppet 3.6.2, Puppet 2.7.26, Facter 2.0.2, Hiera 1.3.4, and Mcollective 2.5.2.

External References:

http://puppetlabs.com/security/cve/cve-2014-3248

Comment 15 Murray McAllister 2014-06-11 01:09:59 UTC
Created hiera tracking bugs for this issue:

Affects: epel-6 [bug 1107893]

Comment 16 Murray McAllister 2014-06-11 01:10:03 UTC
Created puppet tracking bugs for this issue:

Affects: epel-all [bug 1107890]

Comment 17 Murray McAllister 2014-06-11 01:10:06 UTC
Created facter tracking bugs for this issue:

Affects: fedora-19 [bug 1107891]
Affects: epel-all [bug 1107892]

Comment 18 Murray McAllister 2014-06-11 01:10:09 UTC
Created mcollective tracking bugs for this issue:

Affects: epel-all [bug 1107894]

Comment 20 Murray McAllister 2014-07-01 08:55:05 UTC
Created facter tracking bugs for this issue:

Affects: fedora-20 [bug 1114902]

Comment 21 Murray McAllister 2014-07-01 08:56:44 UTC
(In reply to Murray McAllister from comment #20)
> Created facter tracking bugs for this issue:
> 
> Affects: fedora-20 [bug 1114902]

Matthew Thode indicated version 1.7 is actually vulnerable:

https://bugs.gentoo.org/show_bug.cgi?id=514476#c1

Comment 22 Fedora Update System 2014-07-03 17:57:22 UTC
mcollective-2.2.3-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2014-07-03 17:58:05 UTC
hiera-1.0.0-4.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 24 Kurt Seifried 2014-09-17 19:39:39 UTC
Please note that we ship Ruby 1.9.3 in virtually all products (the exception being RHEL 4 and 5 base, however many products that run on these, e.g. SAM 1.4 ship their own up to date Ruby 1.9.3).

Comment 25 Kurt Seifried 2014-09-17 19:40:51 UTC
Please note that OpenStack 4 and 5 only run on RHEL 6 and 7, which have Ruby 1.9.3 so notaffected either.

Comment 26 Kurt Seifried 2014-09-17 19:42:26 UTC
Statement:

This issue did not affect the versions of Puppet, Mcollective, Facter, or Hiera as shipped with various Red Hat Enterprise products as they all run on top of Ruby 1.9.3 or later.

Comment 28 Lukas Zapletal 2014-10-20 10:57:49 UTC
For the record - in F19 branch I struggled with releasing a backport fix because the patch for this CVE/NOTABUG was never removed from the branch. I am reverting it (commenting the patch line out the SPEC).

Comment 29 Fedora Update System 2014-11-22 04:14:45 UTC
facter-1.6.18-7.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 30 Fedora Update System 2014-11-22 12:33:29 UTC
facter-1.7.6-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.