
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN126
_____________________________________________________________________

DATE                : 12/03/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Puppet Enterprise versions prior to
                      2018.1.13 or 2019.4.0,
                      Puppet Server versions prior to 6.9.1 or 5.3.12,
                      PuppetDB versions prior to 6.9.1 or 5.2.13,
                      Puppet versions 6.x prior to 6.13.0,
                      Puppet Agent versions 6.x prior to 6.13.0.

=====================================================================
https://puppet.com/security/cve/CVE-2020-7943
https://puppet.com/security/cve/CVE-2020-7942
_____________________________________________________________________

CVE-2020-7943 - Puppet Server and PuppetDB may leak sensitive
information via metrics API

    Posted March 10, 2020
    Assessed Risk Level: High
    CVSS 3 Base Score: 7.5


Puppet Server and PuppetDB provide useful performance and debugging
information via their metrics API endpoints. For PuppetDB this may
contain things like hostnames. Puppet Server reports resource names and
titles for defined types (which may contain sensitive information) as
well as function names and class names. Previously, these endpoints were
open to the local network.

PE 2018.1.13 & 2019.4.0, Puppet Server 6.9.1 & 5.3.12, and PuppetDB
6.9.1 & 5.2.13 disable the trapperkeeper-metrics /v1 metrics API and
only allow /v2 access on localhost by default.


Status:

Affected software versions:

    Puppet Enterprise 2018.1.x stream prior to 2018.1.13
    Puppet Enterprise prior to 2019.4.0
    Puppet Server prior to 6.9.1
    Puppet Server prior to 5.3.12
    PuppetDB prior to 6.9.1
    PuppetDB prior to 5.2.13

Resolved in:

    Puppet Enterprise 2018.1.13
    Puppet Enterprise 2019.4.0
    Puppet Server 6.9.1
    Puppet Server 5.3.12
    PuppetDB 6.9.1
    PuppetDB 5.2.13

_____________________________________________________________________

CVE-2020-7942 - Arbitrary Catalog Retrieval in Puppet

    Posted February 18, 2020
    Assessed Risk Level: Medium
    CVSS 3 Base Score: 6.5

Previously, Puppet operated on a model that a node with a valid
certificate was entitled to all information in the system and that a
compromised certificate allowed access to everything in the
infrastructure. When a node's catalog falls back to the `default` node,
the catalog can be retrieved for a different node by modifying facts for
the Puppet run. This issue can be mitigated by setting
`strict_hostname_checking = true` in `puppet.conf` on your Puppet master.

Puppet 6.13.0 changes the default behavior for strict_hostname_checking
from false to true. It is recommended that Puppet Open Source and Puppet
Enterprise users that are not upgrading still set
strict_hostname_checking to true to ensure secure behavior.
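The following audit helper is an added example; it is not part of the
advisory and not Puppet's own code. It reads a puppet.conf, resolves the
effective value of strict_hostname_checking for the master run mode
(assuming the usual puppet.conf precedence of the [master] section over
[main], and ignoring [agent]), and falls back to the version-dependent
default the advisory describes (false before Puppet 6.13.0, true from
6.13.0). The sample configuration, hostname and version strings are
constructed for the example.

```python
"""Audit helper for CVE-2020-7942 (added example, not Puppet's code).

Decides whether strict_hostname_checking is effectively enabled on a
Puppet master, taking into account:
  * section precedence: [master] overrides [main]; [agent] is irrelevant
    to the master (assumption: standard puppet.conf layout)
  * the default value, which the advisory says changed from false to true
    in Puppet 6.13.0
"""
import re
from typing import Dict, Tuple

SETTING = "strict_hostname_checking"
# Version at which the advisory says the default flipped from false to true.
DEFAULT_CHANGED_IN = (6, 13, 0)

# Constructed sample: [master] sets nothing, [main] disables the check,
# and a misleading [agent] entry must not be mistaken for the master's value.
SAMPLE_PUPPET_CONF = """\
[main]
certname = puppet.example.test   # constructed hostname
strict_hostname_checking = false

[master]
# strict_hostname_checking is not set here: value falls through to [main]

[agent]
strict_hostname_checking = true
"""


def parse_puppet_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI-style parser for puppet.conf: [section] headers,
    key = value lines, '#' comments (full-line or trailing).
    Keys and section names are lower-cased."""
    sections: Dict[str, Dict[str, str]] = {"main": {}}
    current = "main"  # settings before any header belong to [main]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_version(version: str) -> Tuple[int, ...]:
    """'6.13.0' -> (6, 13, 0), so versions compare as tuples."""
    return tuple(int(part) for part in version.split("."))


def effective_strict_hostname_checking(conf_text: str, puppet_version: str,
                                       run_mode: str = "master") -> Tuple[bool, str]:
    """Return (enabled, source). Explicit values win: run-mode section first,
    then [main]; otherwise the version-dependent default applies."""
    sections = parse_puppet_conf(conf_text)
    for name in (run_mode, "main"):
        value = sections.get(name, {}).get(SETTING)
        if value is not None:
            return value.lower() == "true", f"[{name}] section"
    default = parse_version(puppet_version) >= DEFAULT_CHANGED_IN
    return default, f"default for Puppet {puppet_version}"


def audit(conf_text: str, puppet_version: str) -> Dict[str, object]:
    """Summarise the finding the way an auditor would report it."""
    enabled, source = effective_strict_hostname_checking(conf_text, puppet_version)
    verdict = ("OK" if enabled
               else "MITIGATE: set strict_hostname_checking = true in [master]")
    return {"enabled": enabled, "source": source, "verdict": verdict}


if __name__ == "__main__":
    # Constructed version string: a master still on a pre-6.13.0 release.
    print(audit(SAMPLE_PUPPET_CONF, "6.12.0"))
```

Running the block against the constructed sample reports the check as
disabled with the [main] section as its source, because the [agent]
entry does not apply to the master; with an empty configuration the
result depends only on the version, which is exactly the case the
advisory tells non-upgrading users to close by setting the value
explicitly.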

Thank you to Mark Frost with Lightning Source, LLC for finding and
reporting this issue!


Status:

Affected software versions:

    Puppet 6.x prior to 6.13.0
    Puppet Agent 6.x prior to 6.13.0


Resolved in:

    Puppet 6.13.0
    Puppet Agent 6.13.0


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================