2071567 – (CVE-2022-0675) CVE-2022-0675 puppetlabs-firewall: unmanaged rules could leave system in an unsafe state via duplicate comment

Bug 2071567 (CVE-2022-0675) - CVE-2022-0675 puppetlabs-firewall: unmanaged rules could leave system in an unsafe state via duplicate comment

Summary: CVE-2022-0675 puppetlabs-firewall: unmanaged rules could leave system in an u...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-0675
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	2067017 (view as bug list)
Depends On:	2071568 2071569 2071572 2102637
Blocks:	2067016 2071571
TreeView+	depends on / blocked

Reported:	2022-04-04 08:53 UTC by Avinash Hanwate
Modified:	2022-12-07 20:27 UTC (History)
CC List:	12 users (show)
Fixed In Version:	Puppet Firewall Module 3.4.0
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the Puppet Firewall module. In certain situations, an unmanaged rule can exist on the target system that has the same comment as a rule specified in the manifest. When this condition is true, Puppet will ignore the unmanaged rule and continue to apply the rule in the manifest. This issue occurs because the firewall module uses the comment field in IPT as its namevar and therefore expects it to be a unique identifier. In the case of IPT, this is not true, given that you can have multiple rules with the same comment.
Clone Of:
Environment:
Last Closed:	2022-06-22 20:37:18 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:5116	0	None	None	None	2022-06-22 16:06:24 UTC
Red Hat Product Errata	RHSA-2022:8869	0	None	None	None	2022-12-07 20:27:06 UTC

Description Avinash Hanwate 2022-04-04 08:53:47 UTC

In certain situations it is possible for an unmanaged rule to exist on the target system that has the same comment as the rule specified in the manifest. This could allow for unmanaged rules to exist on the target system and leave the system in an unsafe state.

https://puppet.com/security/cve/CVE-2022-0675

Comment 1 Avinash Hanwate 2022-04-04 08:54:10 UTC

Created puppet-firewall tracking bugs for this issue:

Affects: openstack-rdo [bug 2071568]

Comment 4 Pedro Sampaio 2022-04-08 17:29:17 UTC

*** Bug 2067017 has been marked as a duplicate of this bug. ***

Comment 8 errata-xmlrpc 2022-06-22 16:06:22 UTC

This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:5116 https://access.redhat.com/errata/RHSA-2022:5116

Comment 9 Product Security DevOps Team 2022-06-22 20:37:15 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-0675

Comment 14 errata-xmlrpc 2022-12-07 20:27:05 UTC

This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2022:8869 https://access.redhat.com/errata/RHSA-2022:8869

Note You need to log in before you can comment on or make changes to this bug.