A bug in Puppet can be used to exhaust resources on the puppet master.
This vulnerability can present itself in two ways:
- Using the symlink vulnerability described in CVE-2012-1986, the puppet master can be caused to read from a stream (e.g. /dev/random) when trying to read or write a file. Due to the way Puppet sends files via REST requests, the thread handling the request will block forever, reading from the stream and continually consuming more memory. This can lead to the puppet master system running out of memory, causing a denial of service. In order to do this, the attacker needs access to agent SSL keys and the ability to create directories and symlinks on the puppet master system.
- By constructing a marshaled form of a Puppet::FileBucket::File object, a user can craft a REST request that will cause it it to be written to any place on the puppet master's filesystem. This can cause a denial of service on the puppet master if an attacker fills a filesystem. In order to do this, the attacker only needs access to agent SSL keys, and does not require access to the puppet master system.
- Resolved in Puppet 2.6.15 (source), 2.7.13 (source), rpm, deb
- Resolved in Puppet Enterprise 1.2.5 and 2.5.1
- Hotfixes available for Puppet Enterprise 1.0, 1.1, 1.2.x, and 2.0.x