What is the severity of CVE-2011-3872?

The severity of CVE-2011-3872 is considered to be moderate due to potential certificate spoofing vulnerabilities.

How do I fix CVE-2011-3872?

To fix CVE-2011-3872, upgrade Puppet to version 2.6.12 or 2.7.6 or later, or Puppet Enterprise to version 1.2.4 or later.

What versions of Puppet are affected by CVE-2011-3872?

CVE-2011-3872 affects Puppet versions 2.6.x before 2.6.12 and 2.7.x before 2.7.6.

Can CVE-2011-3872 affect Puppet Enterprise Users?

Yes, CVE-2011-3872 affects Puppet Enterprise Users versions 1.0, 1.1, and 1.2 prior to 1.2.4.

What type of attack does CVE-2011-3872 enable?

CVE-2011-3872 allows remote attackers to spoof a Puppet master's certificate via manipulating X.509 Subject Alternative Name fields.

Vulnerability/
CVE-2011-3872

low

2.6

CWE

27/10/2011

6/8/2024

CVE-2011-3872: Input Validation

First published: Thu Oct 27 2011(Updated: )

Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise (PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent certificate, adds the Puppet master's certdnsnames values to the X.509 Subject Alternative Name field of the certificate, which allows remote attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack against an agent that uses an alternate DNS name for the master, aka "AltNames Vulnerability."

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
Puppet	=2.7.0
Puppet	=2.7.1
Puppet	=2.6.0
Puppet	=2.6.1
Puppet	=2.6.2
Puppet	=2.6.3
Puppet	=2.6.4
Puppet	=2.6.5
Puppet	=2.6.6
Puppet	=2.6.7
Puppet	=2.6.8
Puppet	=2.6.9
Puppet	=2.6.10
Puppet	=2.6.11
Puppet	=2.7.2
Puppet	=2.7.3
Puppet	=2.7.4
Puppet	=2.7.5
Puppetlabs Puppet Enterprise	=1.0
Puppetlabs Puppet Enterprise	=1.1
Puppet Enterprise	=1.2.0
Puppet Enterprise	=1.2.1
Puppet Enterprise	=1.2.2
Puppet Enterprise	=1.2.3

Remedy

http://groups.google.com/group/puppet-announce/browse_thread/thread/e7edc3a71348f3e1

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2011-3872?
The severity of CVE-2011-3872 is considered to be moderate due to potential certificate spoofing vulnerabilities.
How do I fix CVE-2011-3872?
To fix CVE-2011-3872, upgrade Puppet to version 2.6.12 or 2.7.6 or later, or Puppet Enterprise to version 1.2.4 or later.
What versions of Puppet are affected by CVE-2011-3872?
CVE-2011-3872 affects Puppet versions 2.6.x before 2.6.12 and 2.7.x before 2.7.6.
Can CVE-2011-3872 affect Puppet Enterprise Users?
Yes, CVE-2011-3872 affects Puppet Enterprise Users versions 1.0, 1.1, and 1.2 prior to 1.2.4.
What type of attack does CVE-2011-3872 enable?
CVE-2011-3872 allows remote attackers to spoof a Puppet master's certificate via manipulating X.509 Subject Alternative Name fields.

agent/type
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/references
agent/weakness
agent/severity
agent/remedy
agent/author
agent/first-publish-date
agent/event
agent/description
agent/source
agent/softwarecombine
agent/tags
collector/nvd-historical
agent/software-canonical-lookup-request
collector/nvd-index
vendor/puppetlabs
canonical/puppet
version/puppet/2.7.0
version/puppet/2.7.1
vendor/puppet
version/puppet/2.6.0
version/puppet/2.6.1
version/puppet/2.6.2
version/puppet/2.6.3
version/puppet/2.6.4
version/puppet/2.6.5
version/puppet/2.6.6
version/puppet/2.6.7
version/puppet/2.6.8
version/puppet/2.6.9
version/puppet/2.6.10
version/puppet/2.6.11
version/puppet/2.7.2
version/puppet/2.7.3
version/puppet/2.7.4
version/puppet/2.7.5
canonical/puppetlabs puppet enterprise
version/puppetlabs puppet enterprise/1.0
version/puppetlabs puppet enterprise/1.1
canonical/puppet enterprise
version/puppet enterprise/1.2.0
version/puppet enterprise/1.2.1
version/puppet enterprise/1.2.2
version/puppet enterprise/1.2.3