Important Security Announcement: AltNames Vulnerability [new version of puppet]

Skip to first unread message

Michael Stahnke

Oct 24, 2011, 4:02:05 PM10/24/11
We have discovered a security vulnerability (“AltNames Vulnerability”)
whereby a malicious attacker can impersonate the Puppet master using
credentials from a Puppet agent node. This vulnerability cannot cross
Puppet deployments, but it can allow an attacker with elevated
privileges on one Puppet-managed node to gain control of any other
Puppet-managed node within the same infrastructure.

All Puppet Enterprise deployments are vulnerable, and Puppet open
source deployments may be, depending upon their site configuration.

We believe this to be a serious risk, and we have confirmed this with
security experts outside of Puppet Labs.

For more information we have the following resources:

* Blog Post with all the details:
* Security links and details:
* Remediation module:

As a result of this vulnerability (CVE-2011-3872) we have released new
version of Puppet.

* 2.6.12
* 2.7.6

We will be sending separate announcements about each of those releases.

Michael Stahnke
Release Manager - Puppet Labs

Reply all
Reply to author
0 new messages