Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network. PE 2018.1.13 & 2019.5.0, Puppet Server 6.9.2 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default. This affects software versions: Puppet Enterprise 2018.1.x stream prior to 2018.1.13 Puppet Enterprise prior to 2019.5.0 Puppet Server prior to 6.9.2 Puppet Server prior to 5.3.12 PuppetDB prior to 6.9.1 PuppetDB prior to 5.2.13 Resolved in: Puppet Enterprise 2018.1.13 Puppet Enterprise 2019.5.0 Puppet Server 6.9.2 Puppet Server 5.3.12 PuppetDB 6.9.1 PuppetDB 5.2.13 Reference: https://puppet.com/security/cve/CVE-2020-7943/
External References: https://puppet.com/security/cve/CVE-2020-7943
The fix seems to be: https://github.com/puppetlabs/puppet_metrics_dashboard/commit/9c4ce53dc642a7aaa2e6cc960d00cc4e79558870 Which comes from the following PR: https://github.com/puppetlabs/puppet_metrics_dashboard/pull/92
FYI, AFAIK, We don't have/support puppetserver [1]. Puppet 5 is the last version of puppet that included puppet master, which is a different thing, not actually puppet server. 1 https://github.com/puppetlabs/puppetserver
Mitigation: Disable the trapperkeeper-metrics /v1 metrics API
Statement: No releases of Red Hat OpenStack Platform are affected as they do not provide Puppet Server or PuppetDB.
This issue has been addressed in the following products: Red Hat Satellite 6.7 for RHEL 8 Via RHSA-2020:4366 https://access.redhat.com/errata/RHSA-2020:4366
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-7943