PT-2012-1142 · Puppet

Published: 2012-05-29 · Updated: 2025-11-20 · CVE-2012-1987

CVSS v2.0: 6.0 (Medium)

Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Puppet versions 2.6.x through 2.6.14
Puppet versions 2.7.x through 2.7.12
Puppet Enterprise (PE) Users versions 1.0 through 1.2.x
Puppet Enterprise (PE) Users versions 2.0.x through 2.5.0

Description

The issue affects the confidentiality, integrity, and availability of protected information. It can be exploited remotely by an authenticated attacker. The vulnerability allows remote authenticated users with agent SSL keys to cause a denial of service, either through memory consumption via a REST request to a stream that triggers a thread block, or through filesystem consumption via crafted REST requests that use a marshaled form of a Puppet::FileBucket::File object to write to arbitrary file locations.

Recommendations

For Puppet versions 2.6.x through 2.6.14, update to version 2.6.15 or later.
For Puppet versions 2.7.x through 2.7.12, update to version 2.7.13 or later.
For Puppet Enterprise (PE) Users versions 1.0 through 1.2.x, update to a version after 2.5.0.
For Puppet Enterprise (PE) Users versions 2.0.x through 2.5.0, update to version 2.5.1 or later.

As a temporary workaround, consider restricting access to the REST API to minimize the risk of exploitation. Avoid using the Puppet::FileBucket::File object in crafted REST requests until the issue is resolved.

Exploit

Fix

Resource Exhaustion

Weakness Enumeration

Related Identifiers

BDU:2015-09668
CVE-2012-1987
DSA-2451-1
GHSA-V58W-6XC2-W799

Affected Products

Puppet
Puppet Enterprise (PE) Users
SUSE