CVE-2015-1855 - Ruby OpenSSL Hostname Verification
Posted April 28, 2015
Assessed Risk Level: Low
Vulnerabilities in Ruby’s OpenSSL extension allow overly permissive matching of hostnames, particularly when using wildcard SSL certificates.
Puppet Enterprise does not generate wildcard SSL certificates by default. However, if a PE infrastructure has been configured with wildcard SSL certificates, it could theoretically be vulnerable to man-in-the-middle attacks.
For more information on the vulnerability, please see the Ruby project’s announcement.
CVSS v2 Score: 3.1
Affected Software Versions:
- Puppet Enterprise 3.x
- Puppet-Agent 1.0
- Puppet Enterprise 3.8.0
- Puppet-Agent 1.0.1
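
Whether an installation is exposed depends on whether any of its certificates carry wildcard names. The following is an added example, not code from Puppet or the Ruby project: it lists the DNS names a certificate asserts (subject CN and subjectAltName dNSName entries) and returns those containing a wildcard. The helper names and the `example.test` certificate are constructed for illustration.

```ruby
require "openssl"

# All DNS identities a certificate asserts: subject CN plus SAN dNSName entries.
def dns_names(cert)
  names = cert.subject.to_a.select { |oid, _v, _t| oid == "CN" }.map { |_o, v, _t| v }
  cert.extensions.each do |ext|
    next unless ext.oid == "subjectAltName"
    # Extension ::= SEQUENCE { oid, [critical], OCTET STRING wrapping GeneralNames }
    octets = OpenSSL::ASN1.decode(ext.to_der).value.last
    OpenSSL::ASN1.decode(octets.value).value.each do |gn|
      # dNSName is GeneralName choice [2] (context-specific tag 2)
      names << gn.value if gn.tag_class == :CONTEXT_SPECIFIC && gn.tag == 2
    end
  end
  names.uniq
end

# Names that rely on wildcard matching and are therefore relevant to this advisory.
def wildcard_names(cert)
  dns_names(cert).select { |n| n.include?("*") }
end

# Constructed sample input: a throwaway self-signed certificate.
def sample_cert(cn, san)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.new([["CN", cn]])
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("subjectAltName", san, false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

if __FILE__ == $0
  cert = sample_cert("puppet.example.test", "DNS:*.example.test,DNS:puppet.example.test")
  puts "wildcard names: #{wildcard_names(cert).inspect}"
end
```

To audit a deployed certificate, load it with `OpenSSL::X509::Certificate.new(File.read(path))` and pass the result to `wildcard_names`; an empty result means the certificate does not depend on wildcard matching.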