ID CVE-2017-2295
Summary Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with an attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML.
References
Vulnerable Configurations
  • Puppet 4.10.0
    cpe:2.3:a:puppet:puppet:4.10.0
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
CVSS
Base: 6.0
Impact:
Exploitability:
CWE CWE-502
CAPEC
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3862.NASL
    description It was discovered that unrestricted YAML deserialisation of data sent from agents to the server in the Puppet configuration management system could result in the execution of arbitrary code. Note that this fix breaks backward compatibility with Puppet agents older than 3.2.2 and there is no safe way to restore it. This affects puppet agents running on Debian wheezy; we recommend updating to the puppet version shipped in wheezy-backports.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 100432
    published 2017-05-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100432
    title Debian DSA-3862-1 : puppet - security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-B9B66117BB.NASL
    description Contains fixes to ensure Puppet can start correctly and a security fix for remote code execution tracked as [CVE-2017-2295](https://bugzilla.redhat.com/show_bug.cgi?id=1452654). - Fix remote code execution in Puppet master during fact uploads - Fedora#1452654 - Fix SSL monkey patches error on startup - Fedora#1440710 , Fedora#1443673 - Fix xmlrpc/client require error on startup - Fedora#1443673 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-02
    plugin id 101710
    published 2017-07-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101710
    title Fedora 26 : puppet (2017-b9b66117bb)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-849.NASL
    description Unsafe YAML deserialization : Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with an attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML. (CVE-2017-2295)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 101002
    published 2017-06-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101002
    title Amazon Linux AMI : puppet3 (ALAS-2017-849)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1012.NASL
    description Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with an attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. For Debian 7 'Wheezy', these problems have been fixed in version 2.7.23-1~deb7u4, by enabling PSON serialization on clients and refusing non-PSON formats on the server. We recommend that you upgrade your puppet packages. Make sure you update all your clients before you update the server; otherwise older clients won't be able to connect to the server. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-09
    plugin id 101211
    published 2017-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101211
    title Debian DLA-1012-1 : puppet security update
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-0600-1.NASL
    description This update for puppet fixes the following issues : - CVE-2017-2295: Fixed a security vulnerability where an attacker could force YAML deserialization in an unsafe manner, which would lead to remote code execution. By default, this update breaks backwards compatibility with Puppet agents older than 3.2.2, as the SLE11 master no longer supports fact formats other than pson by default. In order to allow users to continue using their SLE11 agents, a patch was added that enables sending PSON from agents. For non-SUSE clients older than 3.2.2, a new puppet master boolean option 'dangerous_fact_formats' was added. When it's set to true it enables using dangerous fact formats (e.g. YAML). When it's set to false, only the PSON fact format is accepted. (bsc#1040151), (bsc#1077767) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 107139
    published 2018-03-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107139
    title SUSE SLES11 Security Update : puppet (SUSE-SU-2018:0600-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2113-1.NASL
    description This update for puppet fixes the following issues: Security issue fixed : - CVE-2017-2295: Possible code execution vulnerability where an attacker could force YAML deserialization in an unsafe manner. By default, this update breaks backwards compatibility with Puppet agents older than 3.2.2, as the SLE12 master no longer supports fact formats other than pson by default. In order to allow users to continue using their SLE12 master/SLE11 agents setup and fix CVE-2017-2295 for the others, a new puppet master boolean option 'dangerous_fact_formats' was added. When it's set to true it enables using dangerous fact formats (e.g. YAML). When it's set to false, only the PSON fact format is accepted. (bsc#1040151) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 102352
    published 2017-08-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102352
    title SUSE SLED12 Security Update : puppet (SUSE-SU-2017:2113-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3308-1.NASL
    description Dennis Rowe discovered that Puppet incorrectly handled the search path. A local attacker could use this issue to possibly execute arbitrary code. (CVE-2014-3248) It was discovered that Puppet incorrectly handled YAML deserialization. A remote attacker could possibly use this issue to execute arbitrary code on the master. This update is incompatible with agents older than 3.2.2. (CVE-2017-2295). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 100632
    published 2017-06-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100632
    title Ubuntu 14.04 LTS : puppet vulnerabilities (USN-3308-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-8AD8D1BD86.NASL
    description Security fix for CVE-2017-2295 and fix for using systemd service provider in a chroot. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-02
    plugin id 100564
    published 2017-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100564
    title Fedora 25 : puppet (2017-8ad8d1bd86)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-835.NASL
    description This update for rubygem-puppet fixes the following issues : - CVE-2017-2295: A remote attacker could have forced unsafe YAML deserialization which could have led to code execution (bsc#1040151)
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 101969
    published 2017-07-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101969
    title openSUSE Security Update : rubygem-puppet (openSUSE-2017-835)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-0336.NASL
    description An update is now available for Red Hat Satellite. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. This update provides Satellite 6.3 packages for Red Hat Enterprise Linux 7 Satellite server. For the full list of new features provided by Satellite 6.3, see the Release Notes linked to in the references section. See the Satellite 6 Installation Guide for detailed instructions on how to install a new Satellite 6.3 environment, or the Satellite 6 Upgrading and Updating guide for detailed instructions on how to upgrade from prior versions of Satellite 6. All users who require Satellite version 6.3 are advised to install these new packages.
    Security Fix(es) : * V8: integer overflow leading to buffer overflow in Zone::New (CVE-2016-1669) * rubygem-will_paginate: XSS vulnerabilities (CVE-2013-6459) * foreman: models with a 'belongs_to' association to an Organization do not verify association belongs to that Organization (CVE-2014-8183) * foreman: inspect in a provisioning template exposes sensitive controller information (CVE-2016-3693) * pulp: Unsafe use of bash $RANDOM for NSS DB password and seed (CVE-2016-3704) * foreman: privilege escalation through Organization and Locations API (CVE-2016-4451) * foreman: inside discovery-debug, the root password is displayed in plaintext (CVE-2016-4996) * foreman: Persistent XSS in Foreman remote execution plugin (CVE-2016-6319) * foreman: Stored XSS via organization/location with HTML in name (CVE-2016-8639) * katello-debug: Possible symlink attacks due to use of predictable file names (CVE-2016-9595) * rubygem-hammer_cli: no verification of API server's SSL certificate (CVE-2017-2667) * foreman: Image password leak (CVE-2017-2672) * pulp: Leakage of CA key in pulp-qpid-ssl-cfg (CVE-2016-3696) * foreman: Information disclosure in provisioning template previews (CVE-2016-4995) * foreman-debug: missing obfuscation of sensitive information (CVE-2016-9593) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Randy Barlow (RedHat) for reporting CVE-2016-3704 and Sander Bos for reporting CVE-2016-3696.
    The CVE-2014-8183 issue was discovered by Eric Helms (Red Hat); the CVE-2016-3693 and CVE-2016-4995 issues were discovered by Dominic Cleal (Red Hat); the CVE-2016-4451 and CVE-2016-6319 issues were discovered by Marek Hulan (Red Hat); the CVE-2016-4996 issue was discovered by Thom Carlin (Red Hat); the CVE-2016-8639 issue was discovered by Sanket Jagtap (Red Hat); the CVE-2016-9595 issue was discovered by Evgeni Golov (Red Hat); the CVE-2017-2667 issue was discovered by Tomas Strachota (Red Hat); and the CVE-2016-9593 issue was discovered by Pavel Moravec (Red Hat).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 107053
    published 2018-02-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107053
    title RHEL 7 : Satellite Server (RHSA-2018:0336)
refmap via4
bid 98582
confirm https://puppet.com/security/cve/cve-2017-2295
debian DSA-3862
Last major update 05-07-2017 - 11:29
Published 05-07-2017 - 11:29
Last modified 24-05-2018 - 09:36