Bug 1816720 (CVE-2020-7942) - CVE-2020-7942 puppet: Arbitrary catalog retrieval
Summary: CVE-2020-7942 puppet: Arbitrary catalog retrieval
Keywords:
Status: NEW
Alias: CVE-2020-7942
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1816723 1816724 1817370 1817371 1817372 1820148 1823722 1823723 1816722
Blocks: 1816725
Reported: 2020-03-24 15:34 UTC by Pedro Sampaio
Modified: 2020-07-10 21:41 UTC

Fixed In Version: puppet 6.13.0, puppet-agent 6.13.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Puppet, where changes in the application lead to node declarations having increased access. An attacker can use this flaw to modify run facts and retrieve information for different nodes when `strict_hostname_checking` is false and the node's catalog falls back to the `default` node.
Clone Of:
Environment:
Last Closed:



Description Pedro Sampaio 2020-03-24 15:34:41 UTC
Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master. Puppet 6.13.0 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior.

References:

https://puppet.com/security/cve/CVE-2020-7942/

Comment 1 Pedro Sampaio 2020-03-24 15:35:44 UTC
Created puppet tracking bugs for this issue:

Affects: epel-7 [bug 1816724]
Affects: fedora-all [bug 1816723]
Affects: openstack-rdo [bug 1816722]

Comment 2 Joshua Padman 2020-03-26 08:54:22 UTC
Mitigation:

In the puppet.conf configuration file set `strict_hostname_checking = true`.
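
A way to check a master for this mitigation, as an added example that is not part of the bug report or of Puppet's own code: it reads `puppet.conf` text and reports whether the effective `strict_hostname_checking` value is secure, falling back to the version-dependent default described above. Assumptions: a value in `[master]` takes precedence over `[main]`, only a literal `true` counts as secure, and the sample configurations are constructed.

```python
import re

SETTING = "strict_hostname_checking"
FIXED_DEFAULT = (6, 13, 0)  # per the bug: 6.13.0 changes the default to true

def parse_puppet_conf(text):
    """Parse INI-style puppet.conf text into {section: {setting: value}}."""
    sections, current = {}, "main"  # assumption: stray settings count as [main]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections

def audit(conf_text, puppet_version):
    """Return (secure, source) for the master's effective setting."""
    conf = parse_puppet_conf(conf_text)
    # Assumption: a value in [master] takes precedence over [main].
    for section in ("master", "main"):
        value = conf.get(section, {}).get(SETTING)
        if value is not None:
            # Only a literal "true" is accepted; anything else is flagged.
            return value == "true", f"[{section}] {SETTING} = {value}"
    # Setting absent: the default depends on the installed version.
    parts = [int(p) for p in puppet_version.split(".")[:3]]
    version = tuple((parts + [0, 0, 0])[:3])
    return version >= FIXED_DEFAULT, f"unset, default for {puppet_version}"

# Constructed sample configurations (not taken from the bug report).
BASE = "[main]\ncertname = puppet.example.test\n"
SAMPLES = {
    "explicit false": (BASE + f"{SETTING} = false\n", "6.13.0"),
    "unset, pre-fix": (BASE, "6.12.0"),
    "unset, fixed": (BASE, "6.13.0"),
    "master override": (BASE + f"{SETTING} = false\n[master]\n{SETTING} = true\n", "6.12.0"),
}

if __name__ == "__main__":
    for name, (conf, version) in SAMPLES.items():
        secure, source = audit(conf, version)
        print(f"{name:16} {'OK' if secure else 'AT RISK':8} ({source})")
```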

Comment 3 Joshua Padman 2020-03-26 08:55:34 UTC
External References:

https://puppet.com/security/cve/CVE-2020-7942/

