Important Security Announcement: AltNames Vulnerability [new version of puppet]

34 views
Skip to first unread message

Michael Stahnke

unread,
Oct 24, 2011, 4:02:05 PM10/24/11
to puppet-...@googlegroups.com, puppet...@googlegroups.com, puppe...@googlegroups.com
We have discovered a security vulnerability (“AltNames Vulnerability”)
whereby a malicious attacker can impersonate the Puppet master using
credentials from a Puppet agent node. This vulnerability cannot cross
Puppet deployments, but it can allow an attacker with elevated
privileges on one Puppet-managed node to gain control of any other
Puppet-managed node within the same infrastructure.

All Puppet Enterprise deployments are vulnerable, and Puppet open
source deployments may be, depending upon their site configuration.

We believe this to be a serious risk, and we have confirmed this with
security experts outside of Puppet Labs.

For more information we have the following resources:

* Blog Post with all the details:
http://puppetlabs.com/blog/important-security-announcement-altnames-vulnerability/
* Security links and details:
http://puppetlabs.com/security/cve/cve-2011-3872/
* Remediation module:
http://links.puppetlabs.com/cve20113872_remediation


As a result of this vulnerability (CVE-2011-3872) we have released new
version of Puppet.

* 2.6.12
* 2.7.6

We will be sending separate announcements about each of those releases.


Michael Stahnke
Release Manager - Puppet Labs

Reply all
Reply to author
Forward
0 new messages