How to mitigate the 0-day Apache path traversal vulnerability with Puppet or Bolt
Apache has disclosed a critical, actively exploited path traversal flaw (CVE-2021-41773) in Apache HTTP Server 2.4.49. The flaw lets an attacker map a URL to a file outside the directories the server is configured to serve, so any file the Apache process can read that is not protected by the usual default "Require all denied" configuration can be returned to the client. That can expose highly sensitive information, such as the source of CGI scripts or, at worst, the server's own private TLS key. See the Sonatype blog for more technical information on the vulnerability.
Puppet Enterprise and Bolt both make it easy to identify vulnerable systems and mitigate the exposure by upgrading the Apache package.
Update: The fix in Apache version 2.4.50 was incomplete (CVE-2021-42013), so 2.4.50 is also vulnerable. Follow these instructions to upgrade nodes running either 2.4.49 or 2.4.50 to Apache version 2.4.51.
Using Puppet Enterprise
Puppet Enterprise includes a feature called Package Inventory. This will allow you to quickly identify which nodes in your infrastructure are running the vulnerable version of Apache. It's disabled by default, so you'll need to turn it on first.
In the PE Console, find the PE Agent node group. Add the puppet_enterprise::profile::agent class if it is not already present, then set its package_inventory_enabled parameter to true. Use the Run Puppet button to trigger a Puppet run on all nodes. Inventory collection only takes effect on runs after the one that enables it, so once that first run has completed, trigger a second Puppet run.
Now use the Packages page to view your infrastructure's package inventory. Filter by the package name "httpd", click into the package detail page, and filter by version 2.4.49 and then by 2.4.50. The result lists every node running a vulnerable version.
If the package is managed by Puppet, use the Instances selector to drill in and then click Copy path to find the spot in your codebase where the package version is declared. Update it to 2.4.51, then run Puppet on all nodes once the change has been deployed.
If some instances of the package are not managed by Puppet, push the update to those nodes with a Puppet task: build a list of the affected nodes, then run the package task against them to force the package up to the fixed version. See the docs for more information.
Since some distributions use a different package name (for example "apache2" on Debian and Ubuntu, or "apache" on Arch Linux), repeat the above steps with that name too. Find more information about the Package Inventory on its docs page.
Using Puppet Bolt
If you don't have Puppet Enterprise, Bolt lets you use plans to gather information from nodes and act on it. Start by creating a new project: make a directory called apache_mitigation, cd into it, and turn it into a Bolt project by running bolt project init.
You'll want an inventory file so you can address all your nodes. If you don't have one already, create one following these instructions. We will use the implicit all target group, or you can create a more specific group if you want to limit the nodes to be inspected.
Then create a new plan to manage the package upgrade process. Run bolt plan new apache_mitigation::upgrade_vulnerable_packages --pp, which creates plans/upgrade_vulnerable_packages.pp inside the project. Add the following content to your new plan file:
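The plan body itself is not reproduced on this page. What follows is an added example plan, not the original post's code, that does what this section describes: it runs the package task from the puppetlabs-package module (assumed here to be available through Bolt's bundled modules) to read each target's installed version, upgrades only the targets reporting 2.4.49 or 2.4.50, re-checks them, and returns the names of any target still not on the fixed version. The parameter names ($targets, $package, $fixed_version) are this example's own. It assumes the task's upgrade action brings the package to the newest build in the configured repositories, which must already carry 2.4.51; a node whose repository lags behind shows up in the returned list rather than being silently counted as fixed.

```puppet
# Added example plan (not from the original post). Assumes the 'package'
# task from puppetlabs-package, bundled with Bolt, and that the configured
# package repositories already carry the fixed version.
plan apache_mitigation::upgrade_vulnerable_packages (
  TargetSpec $targets       = 'all',
  String     $package       = 'httpd',   # use 'apache2' on Debian/Ubuntu
  String     $fixed_version = '2.4.51'
) {
  # Query the installed version of the package on every target.
  # _catch_errors keeps one unreachable node from aborting the whole run.
  $status = run_task('package', $targets, 'Query installed Apache version',
    action        => 'status',
    name          => $package,
    _catch_errors => true
  )

  # Report targets that could not be queried so nobody assumes they are clean.
  $status.error_set.each |$result| {
    out::message("WARNING: could not query ${result.target.name}: ${result.error.message}")
  }

  # Keep only targets whose installed version starts with 2.4.49 or 2.4.50.
  # The version string normally carries a distro release suffix (2.4.49-1.fc34).
  $vulnerable_results = $status.filter_set |$result| {
    $result.ok and String($result.value['version']) =~ /^2\.4\.(49|50)\b/
  }
  $vulnerable = $vulnerable_results.targets

  if $vulnerable.empty {
    out::message("No targets found with ${package} 2.4.49 or 2.4.50.")
    return []
  }

  out::message("Upgrading ${package} on ${vulnerable.length} target(s).")

  # Let the package manager pull the newest available build of the package.
  run_task('package', $vulnerable, "Upgrade ${package}",
    action        => 'upgrade',
    name          => $package,
    _catch_errors => true
  )

  # Re-check the upgraded targets and return the ones still not on the fixed
  # version, so a second run of the plan prints an empty list when all is well.
  $recheck = run_task('package', $vulnerable, 'Verify installed version',
    action        => 'status',
    name          => $package,
    _catch_errors => true
  )
  $still_vulnerable_results = $recheck.filter_set |$result| {
    $installed = String($result.value['version'])
    !$result.ok or $installed[0, $fixed_version.length] != $fixed_version
  }
  $still_vulnerable = $still_vulnerable_results.targets

  return $still_vulnerable.map |$t| { $t.name }
}
```

Run it against the all group once per package name, for example bolt plan run apache_mitigation::upgrade_vulnerable_packages --targets all package=httpd and again with package=apache2. An empty array in the plan's output means no target is left on a vulnerable version; any names it does print are nodes to investigate by hand.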
Since different distributions use different package names, run that plan for both
Verifying the mitigation
Whether you choose to use Puppet Enterprise or Bolt to mitigate your exposure, once you're finished you can go back and verify that the vulnerable nodes have been upgraded. On Puppet Enterprise, go back to the Packages page in the PE Console and drill down to the Apache packages to validate versions. If you used Bolt, run the apache_mitigation::upgrade_vulnerable_packages plan again and validate that the output is empty.
Ben is the Product Manager of Ecosystem and Developer Experience at Puppet.