CVE-2014-3251: Race Condition
First published: Tue Aug 12 2014(Updated: )
The MCollective aes_security plugin, as used in Puppet Enterprise before 3.3.0 and Mcollective before 2.5.3, does not properly validate new server certificates based on the CA certificate, which allows local users to establish unauthorized Mcollective connections via unspecified vectors related to a race condition.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Puppet Enterprise | <=3.2.0 | |
| Puppet MCollective |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2014-3251?
CVE-2014-3251 is considered a high severity vulnerability due to the potential for unauthorized MCollective connections.
How do I fix CVE-2014-3251?
To fix CVE-2014-3251, upgrade Puppet Enterprise to version 3.3.0 or later and MCollective to version 2.5.3 or later.
Who is affected by CVE-2014-3251?
CVE-2014-3251 affects users of Puppet Enterprise versions prior to 3.3.0 and MCollective versions prior to 2.5.3.
What are the potential impacts of CVE-2014-3251?
CVE-2014-3251 can allow local users to establish unauthorized connections, potentially leading to data exposure or manipulation.
Is there a workaround for CVE-2014-3251?
There are no specific workarounds for CVE-2014-3251; upgrading to patched versions is strongly recommended.
- agent/type
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/author
- agent/first-publish-date
- agent/event
- agent/description
- agent/source
- agent/weakness
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/puppet
- canonical/puppet enterprise
- version/puppet enterprise/3.2.0
- vendor/puppetlabs
- canonical/puppet mcollective