
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN086
_____________________________________________________________________

DATE                : 20/02/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Puppet 6.x prior to 6.13.0,
                     Puppet Agent 6.x prior to 6.13.0.

=====================================================================
https://puppet.com/security/cve/CVE-2020-7942/
_____________________________________________________________________

CVE-2020-7942 - Arbitrary Catalog Retrieval in Puppet

    Posted February 18, 2020
    Assessed Risk Level: Medium
    CVSS 3 Base Score: 6.5

Previously, Puppet operated on a model in which a node holding a valid
certificate was entitled to all information in the system, so a
compromised certificate gave access to everything in the
infrastructure. When a node's catalog request falls back to the
`default` node definition, the catalog of a different node can be
retrieved by modifying the facts submitted for the Puppet run. This
issue can be mitigated by setting `strict_hostname_checking = true` in
`puppet.conf` on the Puppet master.

Puppet 6.13.0 changes the default value of strict_hostname_checking
from false to true. Puppet Open Source and Puppet Enterprise users who
are not upgrading are still advised to set strict_hostname_checking to
true explicitly to obtain the secure behavior.
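The mitigation above, as an added example that is not part of the
CERT-Renater note or of Puppet's advisory: a POSIX shell audit that reads a
puppet.conf, reports whether strict_hostname_checking is explicitly true
for the master (a value in [master] overrides one in [main]), and rewrites
the file when it is not. The puppet.conf contents, the file paths and the
certname are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the CERT-Renater note or from Puppet).
# Audits and fixes the CVE-2020-7942 mitigation in a puppet.conf.

# check_strict_hostname_checking FILE
# Prints "ok" when strict_hostname_checking resolves to true for the
# master, "missing" when it is not set at all (pre-6.13.0 default is
# false), otherwise the literal value found.
check_strict_hostname_checking() {
  awk '
    /^[[:space:]]*\[/ {
      s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s); next
    }
    /^[[:space:]]*strict_hostname_checking[[:space:]]*=/ {
      v = $0
      sub(/^[^=]*=[[:space:]]*/, "", v)   # keep only the value
      sub(/[[:space:]].*$/, "", v)        # drop trailing comment
      val[s] = v
    }
    END {
      if ("master" in val) v = val["master"]
      else if ("main" in val) v = val["main"]
      else { print "missing"; exit }
      if (v == "true") print "ok"; else print v
    }
  ' "$1"
}

# fix_strict_hostname_checking FILE
# Removes any existing strict_hostname_checking line from [main] and
# [master], then sets it to true in [master] (creating the section if
# the file has none). Equivalent to:
#   puppet config set strict_hostname_checking true --section master
fix_strict_hostname_checking() {
  tmp="$1.tmp.$$"
  awk '
    /^[[:space:]]*\[/ {
      s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s)
      print
      if (s == "master") { print "strict_hostname_checking = true"; done = 1 }
      next
    }
    /^[[:space:]]*strict_hostname_checking[[:space:]]*=/ && (s == "main" || s == "master") { next }
    { print }
    END {
      if (!done) { print "[master]"; print "strict_hostname_checking = true" }
    }
  ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# write_weak_conf FILE: constructed puppet.conf with the weak setting.
write_weak_conf() {
  cat > "$1" <<'EOF'
[main]
certname = puppet.example.internal
[master]
vardir = /opt/puppetlabs/server/data/puppetserver
# pre-6.13.0 default: fact-derived names are also consulted (CVE-2020-7942)
strict_hostname_checking = false
EOF
}

# Stand-alone demonstration on a temporary copy.
demo_dir=$(mktemp -d)
write_weak_conf "$demo_dir/puppet.conf"
echo "before: $(check_strict_hostname_checking "$demo_dir/puppet.conf")"
fix_strict_hostname_checking "$demo_dir/puppet.conf"
echo "after:  $(check_strict_hostname_checking "$demo_dir/puppet.conf")"
rm -rf "$demo_dir"
```

Run the check against /etc/puppetlabs/puppet/puppet.conf on every master;
anything other than "ok" on a version below 6.13.0 means the server still
exhibits the behavior described in the advisory. Restart the Puppet Server
after changing the setting.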

Thank you to Mark Frost with Lightning Source, LLC for finding and
reporting this issue!


Status:

Affected software versions:

    Puppet 6.x prior to 6.13.0
    Puppet Agent 6.x prior to 6.13.0


Resolved in:

    Puppet 6.13.0
    Puppet Agent 6.13.0

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================
