Bug 2023859 (CVE-2021-27023) - CVE-2021-27023 puppet: unsafe HTTP redirect
Summary: CVE-2021-27023 puppet: unsafe HTTP redirect
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-27023
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2023862 2023860 2023861 2025477 2027250 2027251 2027253 2027254 2066884 2090612 2090618
Blocks: 2023864
Reported: 2021-11-16 17:23 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-06-01 20:00 UTC
CC List: 28 users

Fixed In Version: Puppet Server 6.17.1, Puppet Server 7.4.2, Puppet Agent 6.25.1, Puppet Agent 7.12.1
Doc Type: If docs needed, set a value
Doc Text:
An exposure flaw was found in Puppet Agent and Puppet Server that leaked HTTP credentials. When an HTTP redirect pointed to a different host, the client kept the authentication and cookie headers of the original request on the redirected request, so they were sent to that other host. This flaw allows an unauthorized network attacker to access sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.
Clone Of:
Environment:
Last Closed: 2022-04-20 23:29:20 UTC


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2022:1478  0        None      None    None     2022-04-20 20:34:53 UTC
Red Hat Product Errata  RHSA-2022:1708  0        None      None    None     2022-05-04 12:59:10 UTC
Red Hat Product Errata  RHSA-2022:4866  0        None      None    None     2022-06-01 20:00:42 UTC
Red Hat Product Errata  RHSA-2022:4867  0        None      None    None     2022-06-01 19:56:09 UTC

Description Guilherme de Almeida Suckevicz 2021-11-16 17:23:59 UTC
A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007.

Reference:
https://puppet.com/security/cve/cve-2021-27023
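The defensive pattern behind the fix described in the Doc Text and in this report (drop credential-bearing headers before following a redirect to a different host), as an added Ruby example that is not Puppet's own code and not the upstream commit. It treats a change of scheme, host or port as a different origin, which is stricter than the host-only wording on this page; the header set, the host names, the URL path and the simulated transport are constructed for the example.

```ruby
require 'uri'
# Credential-bearing headers that must not follow a redirect to another origin.
# The set is this example's choice, taken from the headers named in the Doc Text.
SENSITIVE_HEADERS = %w[authorization cookie].freeze
MAX_REDIRECTS = 5

# Same scheme, host and port: the redirect stays on the origin we authenticated to.
def same_origin?(a, b)
  a.scheme == b.scheme && a.host == b.host && a.port == b.port
end

# Headers for the next hop: unchanged on the same origin, else without credentials.
def headers_for_redirect(headers, from_uri, to_uri)
  return headers.dup if same_origin?(from_uri, to_uri)
  headers.reject { |name, _| SENSITIVE_HEADERS.include?(name.downcase) }
end

# Follow redirects through `transport`, a callable (URI, headers) -> [status, response_headers].
# Returns [final status, final URL, headers sent on the last hop] so callers can audit them.
def fetch_following_redirects(url, headers, transport)
  uri = URI(url)
  MAX_REDIRECTS.times do
    status, response_headers = transport.call(uri, headers)
    return [status, uri.to_s, headers] unless [301, 302, 303, 307, 308].include?(status)
    location = response_headers['location']
    raise 'redirect without Location header' unless location
    next_uri = URI.join(uri, location) # also resolves relative Location values
    headers = headers_for_redirect(headers, uri, next_uri)
    uri = next_uri
  end
  raise 'too many redirects'
end

# Constructed transport (no network): a Puppet-style server on port 8140 redirects to an unrelated host.
FAKE_TRANSPORT = lambda do |uri, _headers|
  if uri.host == 'puppet.example.internal'
    [302, { 'location' => 'https://other.example.net/catalog' }]
  else
    [200, {}]
  end
end

if $PROGRAM_NAME == __FILE__
  status, final_url, sent = fetch_following_redirects(
    'https://puppet.example.internal:8140/puppet/v3/catalog/node1',
    { 'Authorization' => 'Bearer constructed-token', 'Cookie' => 'sid=constructed', 'Accept' => 'application/json' },
    FAKE_TRANSPORT
  )
  puts "#{status} #{final_url}; headers sent on final hop: #{sent.keys.join(', ')}"
end
```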

Comment 1 Guilherme de Almeida Suckevicz 2021-11-16 17:24:23 UTC
Created puppet tracking bugs for this issue:

Affects: epel-all [bug 2023861]
Affects: fedora-all [bug 2023860]
Affects: openstack-rdo [bug 2023862]

Comment 2 Summer Long 2021-11-17 04:08:19 UTC
Per upstream notes:
Puppet Server 6.17.1, shipped with Puppet 6.25.1
Puppet Server 7.4.2, shipped with Puppet 7.12.1
Upstream 7.12.1 commit: https://github.com/puppetlabs/puppet/commit/9a8d3ef017cf63ce0f848ec64394f7bad287e825

Comment 7 Yadnyawalk Tale 2021-11-29 09:36:51 UTC
Upcoming RHUI4 release is not affected, as the product removed puppet to support installation with Ansible playbooks.

Comment 8 errata-xmlrpc 2022-04-20 20:34:50 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.9 for RHEL 7

Via RHSA-2022:1478 https://access.redhat.com/errata/RHSA-2022:1478

Comment 9 Product Security DevOps Team 2022-04-20 23:29:18 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-27023

Comment 10 errata-xmlrpc 2022-05-04 12:59:07 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2022:1708 https://access.redhat.com/errata/RHSA-2022:1708

Comment 11 errata-xmlrpc 2022-06-01 19:56:06 UTC
This issue has been addressed in the following products:

  Satellite Tools 6.9 for RHEL 7
  Satellite Tools 6.9 for RHEL 6.ELS
  Satellite Tools 6.9 for RHEL 7.2.AUS
  Satellite Tools 6.9 for RHEL 7.3.AUS
  Satellite Tools 6.9 for RHEL 7.4.AUS
  Satellite Tools 6.9 for RHEL 7.4.E4S
  Satellite Tools 6.9 for RHEL 7.4.TUS
  Satellite Tools 6.9 for RHEL 7.6.AUS
  Satellite Tools 6.9 for RHEL 7.6.E4S
  Satellite Tools 6.9 for RHEL 7.6.EUS
  Satellite Tools 6.9 for RHEL 7.6.TUS
  Satellite Tools 6.9 for RHEL 7.7.AUS
  Satellite Tools 6.9 for RHEL 7.7.E4S
  Satellite Tools 6.9 for RHEL 7.7.EUS
  Satellite Tools 6.9 for RHEL 7.7.TUS
  Satellite Tools 6.9 for RHEL 8
  Satellite Tools 6.9 for RHEL 8.0.E4S
  Satellite Tools 6.9 for RHEL 8.1.E4S
  Satellite Tools 6.9 for RHEL 8.1.EUS
  Satellite Tools 6.9 for RHEL 8.2.AUS
  Satellite Tools 6.9 for RHEL 8.2.E4S
  Satellite Tools 6.9 for RHEL 8.2.EUS
  Satellite Tools 6.9 for RHEL 8.2.TUS
  Satellite Tools 6.9 for RHEL 8.4.AUS
  Satellite Tools 6.9 for RHEL 8.4.E4S
  Satellite Tools 6.9 for RHEL 8.4.EUS
  Satellite Tools 6.9 for RHEL 8.6.AUS
  Satellite Tools 6.9 for RHEL 8.6.E4S
  Satellite Tools 6.9 for RHEL 8.6.EUS
  Satellite Tools 6.9 for RHEL 8.6.TUS

Via RHSA-2022:4867 https://access.redhat.com/errata/RHSA-2022:4867

Comment 12 errata-xmlrpc 2022-06-01 20:00:39 UTC
This issue has been addressed in the following products:

  Satellite Tools 6.10 for RHEL 7
  Satellite Tools 6.10 for RHEL 6.ELS
  Satellite Tools 6.10 for RHEL 7.2.AUS
  Satellite Tools 6.10 for RHEL 7.3.AUS
  Satellite Tools 6.10 for RHEL 7.4.AUS
  Satellite Tools 6.10 for RHEL 7.4.E4S
  Satellite Tools 6.10 for RHEL 7.4.TUS
  Satellite Tools 6.10 for RHEL 7.6.AUS
  Satellite Tools 6.10 for RHEL 7.6.E4S
  Satellite Tools 6.10 for RHEL 7.6.TUS
  Satellite Tools 6.10 for RHEL 7.7.AUS
  Satellite Tools 6.10 for RHEL 7.7.E4S
  Satellite Tools 6.10 for RHEL 7.7.TUS
  Satellite Tools 6.10 for RHEL 8
  Satellite Tools 6.10 for RHEL 8.1.E4S
  Satellite Tools 6.10 for RHEL 8.1.EUS
  Satellite Tools 6.10 for RHEL 8.2.AUS
  Satellite Tools 6.10 for RHEL 8.2.E4S
  Satellite Tools 6.10 for RHEL 8.2.EUS
  Satellite Tools 6.10 for RHEL 8.2.TUS
  Satellite Tools 6.10 for RHEL 8.4.AUS
  Satellite Tools 6.10 for RHEL 8.4.E4S
  Satellite Tools 6.10 for RHEL 8.4.EUS
  Satellite Tools 6.10 for RHEL 8.4.TUS
  Satellite Tools 6.10 for RHEL 8.6.AUS
  Satellite Tools 6.10 for RHEL 8.6.E4S
  Satellite Tools 6.10 for RHEL 8.6.EUS

Via RHSA-2022:4866 https://access.redhat.com/errata/RHSA-2022:4866
