Puppet Response to Log4j Remote Code Execution Vulnerabilities
Puppet Response to Log4j Remote Code Execution Vulnerabilities CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832
January 21, 2022 Update: On January 20, 2022, Puppet released Puppet Comply version 2.2.2, updating the Log4j library to 2.17.0.
December 29, 2021 Update: On December 28, a new vulnerability was identified in Log4j through versions 2.17.0. This is identified as CVE-2021-44832. Puppet has determined that none of our products are vulnerable to being exploited by this issue. The Log4j configuration in our product cannot be modified by users which is a requirement for this vulnerability to be exploited. Puppet will include an update to Log4j as part of the regular release cadence.
December 20, 2021 Update: On December 20, in response to a new Log4j vulnerability CVE-2021-45105, we released Continuous Delivery for Puppet Enterprise version 4.10.5 with Apache Log4j 2.17.0.
December 17, 2021 Update: The severity of CVE-2021-45046, the fix to address CVE-2021-44228 in Apache Log4j 2.15.0, has been changed from medium to critical. In response, we have released Continuous Delivery for Puppet Enterprise (CD for PE) version 4.10.4 with Apache Log4j 2.16.0. We still do not believe that CD for PE is vulnerable given the Log4j configuration and mitigation, but want to provide our users with the most up-to-date software possible as the situation evolves.
If you are a Continuous Delivery for PE customer running version 3.x, we emphasize this version is not eligible for Puppet-delivered remediation. Our guidance continues to be to upgrade to version 4.x. If you continue to use 3.x, the mitigation steps provided may help. We strongly suggest you actively monitor your servers.
December 16, 2021 Update: The content of this blog was updated on December 16th to acknowledge that the pattern matching layout in Continuous Delivery for Puppet Enterprise (CD for PE) 4.10.3 does not use a Context Lookup or Thread Context Map Pattern described in CVE-2021-45046. As such, this CVE is currently not exploitable in the latest release of CD for PE, version 4.10.3. We are actively working on our next release of CD for PE which will include Apache log4j 2.16.0 and will be released as soon as safely possible.
December 15, 2021 Update: The content of this blog was updated on December 15th to acknowledge that Puppet Comply may also be vulnerable to CVE-2021-44228 due to a third-party component that provides key functionality to the product. Puppet Comply does not use Log4j directly. Further details below.
Continuous Delivery for Puppet Enterprise impact
A new remote code execution (RCE) vulnerability in the popular open source Log4j logging library has been discovered and assigned CVE-2021-44228. Malicious actors who can cause a malicious string to be logged can exploit this vulnerability.
Many companies have been impacted by this vulnerability.
After an extensive security audit of the Puppet product portfolio, we have discovered that Continuous Delivery for Puppet Enterprise (CD for PE) has been impacted by this CVE.
Puppet Enterprise is not impacted; Puppetserver is not impacted; Puppet agents are not impacted.
A release update and mitigation steps for Continuous Delivery for Puppet Enterprise version 4.x, is now available. Partial mitigation steps for Continuous Delivery for Puppet Enterprise version 3.x, which reached end of life earlier this year, can be found in the FAQ. For Continuous Delivery for PE customers running version 3.x, our guidance continues to be to upgrade to version 4.x. If you continue to use 3.x, the mitigation steps provided may help. We strongly suggest you actively monitor your servers.
Puppet Comply impact
Puppet was alerted that a third-party component that provides key functionality to Puppet Comply was also impacted. The Puppet Comply server is not vulnerable and Puppet Comply does not use Log4j directly. Only the Puppet Comply third-party assessor uses the vulnerable package but given its limited scope, the potential for exploitation is reduced. On January 20, Puppet released Comply v. 2.2.2 which addresses all known vulnerabilities that can potentially be exploited in the product.
Sarah Hullender is a Senior Engineering, Product Manager, at Puppet. Diego Lapiduz is a Senior Director, Product Security, at Puppet.
- Visit our FAQ on the Puppet Support Portal here.
- CD for PE 4.10.5 release notes
- Comply 2.2.2 release notes
Additional information re: CVE-2021-44228
Additional information re: CVE-2021-45046
Additional information re: CVE-2021-44832