OSVDB ID: 81308

Title: Puppet Marshalled Puppet::FileBucket::File Object REST Request Parsing Remote DoS

Info

Disclosure

Apr 11, 2012

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

Puppet contains a flaw that may allow a remote denial of service. The issue is triggered when handling marshalled Puppet::FileBucket::Files, and will result in loss of availability for the program.

Classification

Location: Remote / Network Access
Attack Type: Denial of Service
Impact: Loss of Availability
Solution: Patch / RCS, Upgrade
Exploit: Exploit Unknown
Disclosure: Vendor Verified

Solution

Upgrade to version 2.6.15 or 2.7.13 or 2.5.1 for Enterprise or higher, as they have been reported to fix this vulnerability. In addition, the vendor has released a patch for some older versions.

Products

Puppet Labs	Puppet	2.6.14
		2.7.12
	Puppet Enterprise	2.5.0
		1.0
		1.1
		1.2.x
		2.0.x

References

CVE ID: 2012-1987 (see also: NVD)
Secunia Advisory ID: 48743 48748 48789 49136 49815 50269 51472
Bugtraq ID: 52975
ISS X-Force ID: 74795
Related OSVDB ID: 81306 81307 81309 81310
Vendor Specific News/Changelog Entry: http://lists.debian.org/debian-security-announce/2012/msg00081.html
http://lists.opensuse.org/opensuse-updates/2012-05/msg00012.html
http://lists.opensuse.org/opensuse-updates/2012-07/msg00015.html
http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15
http://puppetlabs.com/security/cve/cve-2012-1987/
http://puppetlabs.com/security/cve/cve-2012-1987/hotfixes/
http://security.gentoo.org/glsa/glsa-201208-02.xml
http://www.ubuntu.com/usn/usn-1419-1/
Mail List Post: http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079289.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080003.html
Other Advisory URL: http://projects.puppetlabs.com/issues/13552
http://projects.puppetlabs.com/issues/13553
http://www.debian.org/security/2012/dsa-2451
https://hermes.opensuse.org/messages/14523305
https://hermes.opensuse.org/messages/15087408
Vendor Specific Advisory URL: http://puppetlabs.com/security/cve/cve-2012-1987/
RedHat RHSA: RHSA-2012-1542

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/81308

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Puppet Labs

Puppet

Puppet Enterprise

References

Credit