Overview
CVE-2014-3250 (Information Leakage Vulnerability)
Posted June 10, 2014
Assessed Risk Level: Low
Apache 2.4 added the SSLCARevocationCheck directive to mod_ssl; it defaults to none and must be explicitly configured to enable checking of the certificate revocation list. The default Puppet master vhost configuration shipped with Puppet does not include this directive. If a Puppet master runs under Apache 2.4 with that default vhost configuration, it will continue to honor a host's certificate even after the certificate has been revoked.
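The following is an added example, not part of this advisory and not Puppet's shipped vhost file. It shows the shape of a mod_ssl vhost that names a CRL but never turns revocation checking on, the same vhost with SSLCARevocationCheck added, and a small audit function that reports whether a given vhost text would actually consult its CRL under Apache 2.4. The certificate and CRL paths are assumptions chosen to resemble a Puppet 3 layout; only the directive names and the chain/leaf/none values are real mod_ssl syntax.

```shell
#!/bin/sh
# Added example (not from the advisory or from Puppet's own config).
# Under Apache 2.4, SSLCARevocationFile/Path only name the CRL; unless
# SSLCARevocationCheck is "chain" or "leaf" (default: none) the CRL is
# never consulted and revoked client certificates are still accepted.

# Constructed sample vhost (paths are assumptions): a CRL is named but
# checking is left at the Apache 2.4 default of "none".
VHOST_WEAK='<VirtualHost *:8140>
    SSLEngine on
    SSLCertificateFile      /var/lib/puppet/ssl/certs/puppetmaster.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/puppetmaster.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth 1
</VirtualHost>'

# The same vhost with revocation checking switched on. "chain" checks
# every certificate in the presented chain against the CRL; "leaf"
# checks only the client certificate itself.
VHOST_FIXED='<VirtualHost *:8140>
    SSLEngine on
    SSLCertificateFile      /var/lib/puppet/ssl/certs/puppetmaster.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/puppetmaster.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLCARevocationCheck    chain
    SSLVerifyClient optional
    SSLVerifyDepth 1
</VirtualHost>'

# crl_check_enabled VHOST_TEXT
# Returns 0 when the vhost both names a CRL source and enables checking
# with a mode other than "none"; returns 1 otherwise. Comment text is
# stripped first so a commented-out directive does not count.
crl_check_enabled() {
    printf '%s\n' "$1" | sed 's/#.*$//' \
        | grep -Eqi '^[[:space:]]*SSLCARevocation(File|Path)[[:space:]]+[^[:space:]]' \
        || return 1
    printf '%s\n' "$1" | sed 's/#.*$//' \
        | grep -Eqi '^[[:space:]]*SSLCARevocationCheck[[:space:]]+(chain|leaf)([[:space:]]|$)' \
        || return 1
    return 0
}

# audit_vhost_file PATH  -- convenience wrapper for a real config file.
audit_vhost_file() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    crl_check_enabled "$(cat "$1")"
}

# Stand-alone run: report on the two constructed samples.
for name in VHOST_WEAK VHOST_FIXED; do
    eval "text=\$$name"
    if crl_check_enabled "$text"; then
        echo "$name: CRL checking enabled"
    else
        echo "$name: CRL named but SSLCARevocationCheck missing or none"
    fi
done
```

On a live system, run audit_vhost_file against the Puppet master vhost (typically the file that carries the Listen 8140 block) after upgrading to Apache 2.4; a non-zero exit means the CRL the vhost points at is not being applied to client connections.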
CVSSv2 Score: 3.1
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C
Status
Affected Software Versions:
- Puppet (all, must be configured as a master behind Apache 2.4 using the default puppet master vhost)
- Puppet Enterprise Not Affected
Resolved in:
- Puppet 3.6.2