CVE-2012-3408
First published: Wed Jul 11 2012(Updated: )
From puppet labs: Puppet agents with certnames of IP addresses can be impersonated This affects Puppet 2.6.16 and 2.7.17 If an authenticated host with a certname of an IP address changes IP addresses, and a second host assumes the first host's former IP address, the second host will be treated by the puppet master as the first one, giving the second host access to the first host's catalog. Note: This will not be fixed in Puppet versions prior to the forthcoming 3.x. Instead, with this announcement IP-based authentication in Puppet < 3.x is deprecated. Resolved in Puppet 2.6.17, 2.7.18
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Puppetlabs Puppet Enterprise | <2.5.2 | |
| Puppet by Puppet Labs | <2.7.18 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=839168
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=839171
- http://puppetlabs.com/security/cve/cve-2012-3408/
- https://github.com/puppetlabs/puppet/commit/ab9150b
- https://bugzilla.redhat.com/show_bug.cgi?id=839166
- https://github.com/puppetlabs/puppet/commit/ab9150baa1b738467a33b01df1d90e076253fbbd
- collector/redhat-bugzilla
- alias/CVE-2012-3408
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/remedy
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/softwarecombine
- agent/tags
- agent/description
- agent/event
- vendor/puppet
- canonical/puppetlabs puppet enterprise
- vendor/puppetlabs
- canonical/puppet by puppet labs