Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server. The fix for this is to call YAML.safe_load on input. This has been tested in all Puppet-supplied MCollective plugins, but there is a chance that third-party plugins could rely on this insecure behavior.

External References:
https://puppet.com/security/cve/cve-2017-2292

Upstream patch:
https://github.com/puppetlabs/marionette-collective/commit/e0e741889f5adeb8f75387037106b0d28a9099b0
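
An added example, not part of the original report or the upstream patch: how YAML.safe_load treats three constructed replies, including the symbol-keyed kind a third-party plugin might depend on. The ReplyProbe class, the sample documents and parse_reply are hypothetical names chosen for illustration.

```ruby
require 'yaml'

# Hypothetical stand-in for any application class a YAML tag could name.
class ReplyProbe
  attr_accessor :note
end

# Constructed sample replies (not captured MCollective traffic).
PLAIN_REPLY  = "---\nstatuscode: 0\ndata:\n  uptime: 1234\n"
TAGGED_REPLY = "--- !ruby/object:ReplyProbe\nnote: built by the parser\n"
SYMBOL_REPLY = "---\n:statuscode: 0\n"

# Parse untrusted YAML with safe_load. Only basic types (strings, numbers,
# booleans, nil, arrays, hashes) are accepted unless the caller explicitly
# allow-lists more classes. Returns [:ok, data] or [:rejected, reason].
def parse_reply(text, permitted_classes: [])
  [:ok, YAML.safe_load(text, permitted_classes: permitted_classes)]
rescue Psych::DisallowedClass => e
  # Raised when the document asks for a class that is not allow-listed,
  # e.g. a !ruby/object tag or a Ruby symbol.
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  # Plain data passes through unchanged.
  p parse_reply(PLAIN_REPLY)

  # A tagged document is refused before any ReplyProbe is instantiated.
  p parse_reply(TAGGED_REPLY)

  # Symbol keys are refused too: this is the kind of reply a plugin
  # written against the old behaviour may still be sending.
  p parse_reply(SYMBOL_REPLY)

  # The narrow fix for such a plugin is to allow-list exactly what it
  # needs, not to go back to unrestricted loading.
  p parse_reply(SYMBOL_REPLY, permitted_classes: [Symbol])
end
```

A rejected reply surfaces as Psych::DisallowedClass, so a plugin that stops working after the upgrade can be spotted by that exception in its logs.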

Created mcollective tracking bugs for this issue:
Affects: epel-6 [bug 1470088]
Affects: fedora-all [bug 1470087]

Created ruby193-mcollective tracking bugs for this issue:
Affects: openshift-1 [bug 1470089]

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2017-2292