Overview

CVE-2013-0263 (Rack Timing Attack)

Posted February 13, 2013

This vulnerability affects Rack, a middleware component of Puppet Enterprise used by the master and console roles. Specifically, it affects Rack::Session::Cookie. The vulnerability could allow remote attackers to guess the session cookie. This could let them gain privileges and then execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.

Status

• Hotfixes available for Puppet Enterprise 1.2.6 and 2.7.1

Hotfixes

• http://puppetlabs.com/security/cve/cve-2013-0263/hotfixes/