CVE-2013-1654
First published: Wed Mar 20 2013(Updated: )
Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, and Puppet Enterprise 2.7.x before 2.7.2, does not properly negotiate the SSL protocol between client and master, which allows remote attackers to conduct SSLv2 downgrade attacks against SSLv3 sessions via unspecified vectors.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Puppet by Puppet Labs | =2.7.2 | |
| Puppet by Puppet Labs | =2.7.3 | |
| Puppet by Puppet Labs | =2.7.4 | |
| Puppet by Puppet Labs | =2.7.5 | |
| Puppet by Puppet Labs | =2.7.6 | |
| Puppet by Puppet Labs | =2.7.7 | |
| Puppet by Puppet Labs | =2.7.8 | |
| Puppet by Puppet Labs | =2.7.9 | |
| Puppet by Puppet Labs | =2.7.10 | |
| Puppet by Puppet Labs | =2.7.11 | |
| Puppet by Puppet Labs | =2.7.12 | |
| Puppet by Puppet Labs | =2.7.13 | |
| Puppet by Puppet Labs | =2.7.14 | |
| Puppet by Puppet Labs | =2.7.16 | |
| Puppet by Puppet Labs | =2.7.17 | |
| Puppet by Puppet Labs | =2.7.18 | |
| Puppet by Puppet Labs | =2.7.0 | |
| Puppet by Puppet Labs | =2.7.1 | |
| Puppet by Puppet Labs | =2.7.19 | |
| Puppet by Puppet Labs | =2.7.20 | |
| Puppet by Puppet Labs | =2.7.20-rc1 | |
| Puppetlabs Puppet Enterprise | =3.1.0 | |
| Puppet by Puppet Labs | =2.7.0 | |
| Puppet by Puppet Labs | =2.7.1 | |
| Ubuntu Linux | =11.10 | |
| Ubuntu Linux | =12.04 | |
| Ubuntu Linux | =12.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html
- http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html
- http://rhn.redhat.com/errata/RHSA-2013-0710.html
- http://secunia.com/advisories/52596
- http://ubuntu.com/usn/usn-1759-1
- http://www.debian.org/security/2013/dsa-2643
- http://www.securityfocus.com/bid/64758
- https://puppetlabs.com/security/cve/cve-2013-1654/
Frequently Asked Questions
What is the severity of CVE-2013-1654?
CVE-2013-1654 is considered a moderate severity vulnerability due to the potential for remote attackers to conduct SSLv2 downgrade attacks.
How do I fix CVE-2013-1654?
To fix CVE-2013-1654, upgrade Puppet to version 2.7.21 or 3.1.1 or later.
Which versions are affected by CVE-2013-1654?
CVE-2013-1654 affects Puppet versions 2.7.x before 2.7.21, 3.1.x before 3.1.1, and Puppet Enterprise 2.7.x before 2.7.2.
Can CVE-2013-1654 lead to data theft?
Yes, CVE-2013-1654 can potentially lead to data theft as it allows attackers to compromise SSL connections.
Is CVE-2013-1654 specific to certain platforms or operating systems?
CVE-2013-1654 primarily affects Puppet and Puppet Enterprise software, and it may be present on systems running affected versions regardless of the underlying operating system.
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/author
- agent/first-publish-date
- agent/event
- agent/description
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/puppet
- canonical/puppet by puppet labs
- version/puppet by puppet labs/2.7.2
- version/puppet by puppet labs/2.7.3
- version/puppet by puppet labs/2.7.4
- version/puppet by puppet labs/2.7.5
- version/puppet by puppet labs/2.7.6
- version/puppet by puppet labs/2.7.7
- version/puppet by puppet labs/2.7.8
- version/puppet by puppet labs/2.7.9
- version/puppet by puppet labs/2.7.10
- version/puppet by puppet labs/2.7.11
- version/puppet by puppet labs/2.7.12
- version/puppet by puppet labs/2.7.13
- version/puppet by puppet labs/2.7.14
- version/puppet by puppet labs/2.7.16
- version/puppet by puppet labs/2.7.17
- version/puppet by puppet labs/2.7.18
- vendor/puppetlabs
- version/puppet by puppet labs/2.7.0
- version/puppet by puppet labs/2.7.1
- version/puppet by puppet labs/2.7.19
- version/puppet by puppet labs/2.7.20
- version/puppet by puppet labs/2.7.20-rc1
- canonical/puppetlabs puppet enterprise
- version/puppetlabs puppet enterprise/3.1.0
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/11.10
- version/ubuntu linux/12.04
- version/ubuntu linux/12.10