=====================================================================

                           CERT-Renater

               Note d'Information No. 2015/VULN062
_____________________________________________________________________

DATE                : 30/04/2015

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Puppet Enterprise versions prior
                                    to 3.8.0,
                         Puppet-Agent versions prior to 1.0.1.

======================================================================
https://puppetlabs.com/security/cve/cve-2015-1855
______________________________________________________________________

 CVE-2015-1855 - Ruby OpenSSL Hostname Verification

    Posted April 28, 2015
    Assessed Risk Level: Low

Vulnerabilities in Ruby’s OpenSSL extension allow overly permissive
matching of hostnames, particularly when using wildcard SSL
certificates.

Puppet Enterprise does not generate wildcard SSL certificates by
default. However, if a PE infrastructure has been configured with
wildcard SSL certificates, it could theoretically be vulnerable to
man-in-the-middle attacks.

For more information on the vulnerability, please see the Ruby
project’s announcement.

CVSS v2 Score: 3.1

Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C
Status:

Affected Software Versions:

    Puppet Enterprise 3.x
    Puppet-Agent 1.0

Resolved in:

    Puppet Enterprise 3.8.0
    Puppet-Agent 1.0.1


=========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================