Posted February 13, 2013
In its transport layer, OpenSSL (amongst other products) uses the TLS protocol versions 1.1 and 1.2 and the DTLS protocol versions 1.0 and 1.2. These protocols are not sufficiently hardened against timing side-channel attacks. This vulnerability, also known as the "Lucky Thirteen" issue, is discussed in detail here: http://www.isg.rhul.ac.uk/tls/.
Because Puppet Enterprise (PE) provides OpenSSL packages for Windows and Solaris, agents running on these platforms are vulnerable to this issue.
- Hotfixes available for Puppet Enterprise 1.2.6 and 2.7.1