Posted July 15, 2014
Assessed Risk Level: Medium
Due to a vulnerability in OpenSSL versions 1.0.1 and later, an attacker could intercept and decrypt secure communications. This vulnerability requires that both the client and server be running an unpatched version of OpenSSL. Unlike Heartbleed, this attack vector occurs after the initial handshake, which means encryption keys are not compromised. However, Puppet encrypts catalogs for transmission to agents, so Puppet manifests containing sensitive information could have been intercepted. We advise all users to avoid including sensitive information in catalogs. This affects agents running on the following operating systems: Solaris 10, Windows, and AIX.
Users of Puppet Enterprise 2.8.7 are strongly advised to update OpenSSL on their Puppet Master to the latest version (fixed by distros in all supported PE master platforms).
Puppet Enterprise 3.3.0 includes a patched version of OpenSSL.
CVSS v2 score: 2.4 with Vector: AV:N/AC:H/Au:M/C:P/I:P/A:N/E:U/RL:OF/RC:C
Puppet Enterprise 2.8 (Solaris, Windows)
Puppet Enterprise 3.2 (Solaris, Windows, AIX)
Puppet Enterprise 3.3.0