August 7, 2025
Tutorial: How to Remediate Vulnerabilities with Puppet Enterprise Advanced Patching
The rate at which vulnerabilities are being exploited is on the rise. VulnCheck, a company that specializes in vulnerability intelligence, found that in Q1 2025, 28.3% of vulnerabilities were exploited within 1 day of CVE disclosure. Keeping your systems up to date is more important than ever. The reality is that many security teams are running scans and then exporting to giant spreadsheets, which are “tossed over the wall” to the Operations team with little context. This long and frustrating process often leaves vulnerabilities unresolved for more than 200 days after detection!
In this tutorial, you’ll learn how to use Puppet Enterprise Advanced Patching to resolve vulnerabilities quickly across your entire infrastructure, making the remediation process a lot smoother.
Prerequisites
Ensure that you have already completed the following prerequisites:
- Downloaded and installed Puppet Enterprise Advanced.
- If you don’t have access to Puppet Enterprise Advanced yet, check the Perforce Puppet pricing page for information and links to contact the Puppet team.
- Installed Puppet agents on the infrastructure that you manage.
- Created node groups for your managed nodes.
- Obtained access to Tenable Nessus.
- Installed the Nessus transformer module.
🎦 Do you prefer video? We have a short video walkthrough that you can watch now!
How Does Puppet Enterprise Advanced Know about Vulnerabilities?
Puppet Enterprise Advanced uses transformer nodes to connect to other tools, like security scanners, to get additional information. The transformer node is a special Puppet role that connects to a security scanning tool, like the Tenable Nessus scanner, which you’ll see in this tutorial. The transformer converts scan data from the integrated tool into a format that Puppet can process. This transformed data is then displayed on the Vulnerabilities tab in the Puppet Enterprise console.
In this tutorial, you will learn how to view scanner data from Tenable Nessus identifying vulnerabilities and then use Puppet Enterprise Advanced to fix those vulnerabilities. If you are interested in using a different scanner tool, read about integrating vulnerability data from a security scanner.
Scenario: You Receive a CVE report
For this tutorial, assume that you’ve been notified about a security advisory from Red Hat regarding the kernel.
Typically, your security team will notify you of the advisory and request a remediation with a handoff that looks something like this:
Urgent remediation required for critical vulnerability - CentOS 7: kernel (RHSA-2024:1249)
According to the latest results from our Nessus security scanner, servers in our data centre running CentOS 7 are affected by a critical vulnerability in the kernel, as detailed in RHSA-2024:1249. This vulnerability has a CVSS score of 9.8 (Critical) and is associated with the following CVEs:
- CVE-2022-42896
- CVE-2023-4921
- CVE-2023-45871
- CVE-2023-38409
- CVE-2024-1086
Action Required: During the next available maintenance window, please apply the necessary package updates required for remediation of CentOS 7: kernel (RHSA-2024:1249).
During the next steps, you will identify the affected systems and patch them.
Step 1: Find the Vulnerable Nodes Using the Puppet Enterprise Console
The Vulnerabilities dashboard is your first stop for information about vulnerabilities, including their severity, and how much of your infrastructure is affected. In our scenario, the first step is to find the CVE mentioned by the security team and then identify which systems are impacted.
ℹ️ What You’ll Do in This Step:
- Find the vulnerability details in the Puppet Enterprise console.
- Find the nodes in your infrastructure that are affected by the vulnerability.
📝 Instructions:
- In the Puppet Enterprise console, click Vulnerabilities in the navigation pane to view the list of vulnerabilities identified by the scanner.
- Above the Vulnerability table, in the Filter by list, select the CVE ID option.
- In the field next to the Filter by list, paste the CVE ID that you are looking for. For example: CVE-2025-29927.
- To find the vulnerability, click Submit.
- Take note of the CVSS score and the number of nodes affected by the vulnerability. You can use this information to make strategic decisions about which vulnerabilities to address first.
- To see details about the vulnerability, in the Vulnerability column, click the vulnerability description.
- To view the details provided by the Nessus scanner, expand the Analysis collapsible section.
- To view the actions or package updates required to remediate the vulnerability, expand the Remediation collapsible section.
- To view the list of individual nodes that could be patched, click the Nodes affected tab in the Nodes with the vulnerability section.
- In the patch group selection list, select a patch group to filter the nodes (for example, all “Linux production” nodes).
- To start the Create patch job wizard, click Remediate vulnerability.
Step 2: Create a Job to Remediate the Vulnerability
After you have identified the vulnerability and selected the nodes to patch, you will configure a patch job to remediate the vulnerability.
ℹ️ What You’ll Do in This Step:
- Configure the vulnerability remediation job.
- Run the remediation job.
📝 Instructions:
- Optionally, provide a job description, for example, “Patching CVE-2025-29927 on Linux Production.”
- To restart the node after the job when the update requires it, in the Reboot policy section, select Yes, if required. You might not always want to restart nodes, but this tutorial uses the reboot option.
- To ensure that the caches on the node are cleared when the job starts, select the clean_cache (optional) checkbox.
- To advance to the scheduling step, click Next: Schedule.
- To ensure that the job runs at a scheduled time and not immediately, under Schedule, select the Later option.
- Specify the scheduled time in the Time zone (UTC or browser local) section. For example, choose UTC -07:00 if you are in the Mountain time zone.
- Select the start date and time by specifying values in the Start time section. For example, you might set the start time for tomorrow at 2:00 AM to schedule the job overnight.
ℹ️ Do not select the Allow this job to run outside of the defined maintenance windows checkbox. This option is for urgent scenarios when you must run a patch job immediately and override the maintenance windows that you have configured, and you won’t need that for this tutorial.
- To advance to the final step in the wizard, click Next: Review.
- Review the settings to ensure that the scheduled job meets your requirements.
- To activate the scheduled patch job, click Remediate.
Step 3: Monitor the Job and Validate Results
After scheduling your vulnerability remediation job, you will monitor the job and review the results to ensure that your affected nodes were successfully patched by the Puppet Enterprise remediation job.
ℹ️ What You’ll Do in This Step:
- Monitor the progress of the job while it runs.
- Confirm that the job succeeded.
- Review the task logs for each node.
📝 Instructions:
- To view the list of all patching jobs, in the navigation pane, click Patch jobs.
- On the Patch Jobs page, switch to the Scheduled patch jobs tab to view all scheduled jobs in your environment. Your new vulnerability remediation job should be listed here.
- Wait for your job to run. After your job is completed, it will disappear from the Scheduled patch jobs list.
- After the job is completed, switch to the Patch jobs tab to view the completed job.
- Click the completed job to view the details of the job run, including the number of nodes patched and number of nodes that failed.
- Scroll down to view individual logs for each node.
- Click a node log to view the details of the changes made to that node.
⚠️ You might see out-of-date information if you use the Vulnerabilities page, instead of the documented steps, to validate patch jobs. Depending on the schedule configured for your scanner, your nodes might still show up as affected by the vulnerability on the Vulnerabilities page. You might want to update the vulnerability data after these steps to ensure that the scan data is current if you know it will be some time before the next refresh.
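The two decisions this tutorial asks you to make by hand in the console, filtering scanner findings by CVE ID and patch group and weighing CVSS score against the number of affected nodes in Step 1, and recognising stale scan results when validating a job in Step 3, can be expressed as a few lines of logic. The following Python is an added example written for this page; it is not Puppet Enterprise code, and the record fields, node names, patch groups, scan timestamps and the second advisory (CONSTRUCTED-ADV-0001) are constructed for illustration and do not reflect the Nessus export schema or the format the transformer produces. Only RHSA-2024:1249, its CVSS score and its CVE list come from the scenario above.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed representation of one transformed scanner finding. The field
# names are an assumption for this example, not the Nessus or Puppet schema.
@dataclass(frozen=True)
class Finding:
    node: str
    advisory: str
    cvss: float
    cves: tuple
    scanned_at: datetime  # when the scanner last observed this finding

# Constructed node -> patch group mapping (the "Linux production" group is
# the one the tutorial filters on).
PATCH_GROUPS = {
    "web01.example.test": "Linux production",
    "web02.example.test": "Linux production",
    "build01.example.test": "Linux staging",
    "db01.example.test": "Linux production",
}

# CVE list and CVSS score for RHSA-2024:1249 are taken from the advisory text above.
KERNEL_CVES = ("CVE-2022-42896", "CVE-2023-4921", "CVE-2023-45871",
               "CVE-2023-38409", "CVE-2024-1086")
SCAN_TIME = datetime(2025, 8, 1, 6, 0, tzinfo=timezone.utc)  # constructed

# Constructed findings: three nodes carry the kernel advisory, two carry a
# lower-severity placeholder advisory so prioritisation has something to rank.
FINDINGS = [
    Finding("web01.example.test", "RHSA-2024:1249", 9.8, KERNEL_CVES, SCAN_TIME),
    Finding("web02.example.test", "RHSA-2024:1249", 9.8, KERNEL_CVES, SCAN_TIME),
    Finding("build01.example.test", "RHSA-2024:1249", 9.8, KERNEL_CVES, SCAN_TIME),
    Finding("web01.example.test", "CONSTRUCTED-ADV-0001", 7.5, ("CVE-EXAMPLE-0001",), SCAN_TIME),
    Finding("db01.example.test", "CONSTRUCTED-ADV-0001", 7.5, ("CVE-EXAMPLE-0001",), SCAN_TIME),
]


def nodes_affected_by(findings, cve_id, patch_group=None, groups=PATCH_GROUPS):
    """Step 1: the 'Filter by CVE ID' view, optionally narrowed to one patch group."""
    nodes = {
        f.node for f in findings
        if cve_id in f.cves
        and (patch_group is None or groups.get(f.node) == patch_group)
    }
    return sorted(nodes)


def prioritize(findings):
    """Rank advisories by CVSS score, then by the number of distinct nodes affected.

    Returns a list of (advisory, cvss, node_count) tuples, highest priority first.
    """
    by_advisory = {}
    for f in findings:
        entry = by_advisory.setdefault(f.advisory, {"cvss": f.cvss, "nodes": set()})
        entry["nodes"].add(f.node)
    ranked = sorted(
        by_advisory.items(),
        key=lambda kv: (-kv[1]["cvss"], -len(kv[1]["nodes"]), kv[0]),
    )
    return [(adv, e["cvss"], len(e["nodes"])) for adv, e in ranked]


def scan_is_current(finding, patch_completed_at):
    """Step 3 caveat: a finding observed before the patch job finished says nothing
    about the patched state of the node."""
    return finding.scanned_at >= patch_completed_at


def stale_findings(findings, cve_id, patch_completed_at, patched_nodes):
    """Nodes the job patched that still show the CVE only because the scan predates the job.

    These are the nodes whose Vulnerabilities-page status should not be trusted
    until the scanner data is refreshed.
    """
    return sorted(
        f.node for f in findings
        if cve_id in f.cves
        and f.node in patched_nodes
        and not scan_is_current(f, patch_completed_at)
    )


if __name__ == "__main__":
    print("Nodes with CVE-2024-1086 in Linux production:",
          nodes_affected_by(FINDINGS, "CVE-2024-1086", "Linux production"))
    print("Remediation priority:", prioritize(FINDINGS))
    done = datetime(2025, 8, 2, 2, 30, tzinfo=timezone.utc)  # constructed job completion
    print("Still showing pre-patch scan data:",
          stale_findings(FINDINGS, "CVE-2024-1086", done,
                         {"web01.example.test", "web02.example.test"}))
```

The staleness check is the useful part: a node that still appears under the CVE after the job completed is only a real failure if the finding comes from a scan newer than the job; otherwise it is the refresh-timing effect described in the warning above, and the right move is to update the vulnerability data and look again.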
Wrapping It All Up
Congratulations on patching your nodes! In this tutorial you:
- Located the CVE and the nodes affected by the CVE.
- Created a job to remediate the vulnerability on those nodes.
- Reviewed the progress and success of the patching.
Using the vulnerability remediation feature in Puppet Enterprise is a fantastic way to bring security and engineering together in a much tighter feedback loop. In just these few steps from this tutorial, you can go from reported vulnerability to patched infrastructure, reducing the time it takes for you to secure your infrastructure. No more passing around spreadsheets between teams, just getting things fixed!
Related Links
- Download Puppet Enterprise (puppet.com)
- Nessus transformer module (forge.puppet.com)
- 2025 Q1 Trends in Vulnerability Exploitation (vulncheck.com)
- Puppet Enterprise - Remediate a vulnerability (help.puppet.com)
- Puppet Enterprise - Advanced Patching (help.puppet.com)
- Puppet Enterprise - Update the vulnerability data (help.puppet.com)
- Puppet Enterprise - Integrate vulnerability data from a security scanner (help.puppet.com)
- Puppet Enterprise - Installing agents (help.puppet.com)
- Puppet Enterprise - Grouping and classifying nodes (help.puppet.com)