Overview

CVE-2014-0224 (OpenSSL vulnerability in secure communications)

  • Posted July 15, 2014

  • Assessed Risk Level: Medium

Due to a vulnerability in OpenSSL versions 1.0.1 and later, an attacker could intercept and decrypt secure communications. This vulnerability requires that both the client and server be running an unpatched version of OpenSSL. Unlike heartbleed, this attack vector occurs after the initial handshake, which means ecnryption keys are not compromised. However, puppet encrypts catalogs for transmission to agents, so puppet manifests containing sensitive information could have been intercepted. We advise all users to avoid including sensitive information in catalogs. This affects agents running on the following operating systems: Solaris 10, Windows, and AIX.
 
Users of Puppet Enterprise 2.8.7 are strongly advised to update OpenSSL on their Puppet Master to the latest version (fixed by distros in all supported PE master platforms).
Puppet Enterprise 3.3.0 includes a patched version of OpenSSL.
 
CVSS v2 score: 2.4 with Vector: AV:N/AC:H/Au:M/C:P/I:P/A:N/E:U/RL:OF/RC:C

Status:

Affected Platforms:
Puppet Enterprise 2.8 (Solaris, Windows)
Puppet Enterprise 3.2 (Solaris, Windows, AIX)
 
Resolved in:
Puppet Enterprise 3.3.0