CVE-2016-9686: Input Validation
First published: Wed Feb 08 2017(Updated: )
The Puppet Communications Protocol (PCP) Broker incorrectly validates message header sizes. An attacker could use this to crash the PCP Broker, preventing commands from being sent to agents. This is resolved in Puppet Enterprise 2016.4.3 and 2016.5.2.
Credit: security@puppet.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Puppet Enterprise | >=2016.4.0<2016.4.3 | |
| Puppet Enterprise | =2016.5.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2016-9686?
CVE-2016-9686 is a high severity vulnerability due to its potential to crash the Puppet Communications Protocol Broker.
How do I fix CVE-2016-9686?
To resolve CVE-2016-9686, upgrade to Puppet Enterprise versions 2016.4.3 or 2016.5.2 or later.
Which versions of Puppet Enterprise are affected by CVE-2016-9686?
Affected versions include Puppet Enterprise 2016.4.0 to 2016.4.2 and version 2016.5.1.
What are the consequences of exploiting CVE-2016-9686?
Exploiting CVE-2016-9686 can lead to the crash of the PCP Broker, hindering command communications with agents.
Is CVE-2016-9686 a remote or local exploit?
CVE-2016-9686 can be exploited remotely since it affects the communication protocol.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/author
- agent/references
- agent/weakness
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/puppet
- canonical/puppet enterprise
- version/puppet enterprise/2016.4.0
- version/puppet enterprise/2016.5.1