CVE-2013-1398 (MCO Private Key Leak)

  • Posted February 6, 2013

  • Under certain circumstances, a user with root access to a single node in a PE deployment could possibly manipulate that client's local facts in order to force the pe_mcollective module to deliver a catalog containing SSL keys. These keys could be used to access other nodes in the collective and send them arbitrary commands as root. For the vast majority of users, the fix is to apply the 2.7.1 upgrade.

    For PE users who do not use the Console, this can be fixed by making sure that the pe_mcollective::role::master class is applied to your master, and the pe_mcollective::role::console class is applied to your console. This can be as simple as adding the following to your site.pp manifest or other node classifier:

    node console {
      include pe_mcollective::role::console
    node master {
      include pe_mcollective::role::master

    This vulnerability affects the master role of Puppet Enterprise.


    • Resolved in Puppet Enterprise 2.7.1