Overview

CVE-2014-3250 (Information Leakage Vulnerability)

  • Posted June 10, 2014

  • Assessed Risk Level: Low

In Apache 2.4, SSLCARevocationCheck directive was added to mod_ssl, which defaults it to none and must be explicitly configured. This setting enables checking of a certificate revocation list. The default Puppet master vhost config shipped with Puppet does not include this setting. If a Puppet master is set up to run with Apache 2.4, and this default vhost configuration file is used, the Puppet master will continue to honor a host's certificate even after it is revoked.

CVSSv2 Score: 3.1

Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C

Status

Affected Software Versions:

  • Puppet (all, must be configured as a master behind Apache 2.4 using the default puppet master vhost)
  • Puppet Enterprise Not Affected

Resolved in:

  • Puppet 3.6.2