Release date:
Updated on: 2013-04-12
Affected Systems:
Puppet Labs Puppet Enterprise 2.x
Description:
--------------------------------------------------------------------------------
Puppet Enterprise is IT automation software.
Puppet Enterprise 2.x has a security vulnerability that malicious users can exploit to bypass certain security restrictions. When an installation is upgraded while the CAS client configuration file is in use, no randomized secret is installed in the configuration file '/etc/puppetlabs/console-auth/cas_client_config.yml'. An attacker can then use a specially crafted cookie to bypass Console authentication.
<* Source: vendor
Link: http://secunia.com/advisories/52862
https://puppetlabs.com/security/cve/cve-2013-2716/
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Puppet Labs
-----------
This vulnerability is fixed in PE 2.8.0. If an older version is installed, run the following command to fix it:
/opt/puppet/bin/rake -f /opt/puppet/share/console-auth/Rakefile console:auth:generate_secret
Vendor:
http://puppetlabs.com/puppet/what-is-puppet/