Overview

CVE-2015-1855 - Ruby OpenSSL Hostname Verification

  • Posted April 28, 2015

  • Assessed Risk Level: Low

Vulnerabilities in Ruby’s OpenSSL extension allow overly permissive matching of hostnames, particularly when using wildcard SSL certificates.

Puppet Enterprise does not generate wildcard SSL certificates by default. However, if a PE infrastructure has been configured with wildcard SSL certificates, it could theoretically be vulnerable to man-in-the-middle attacks.

For more information on the vulnerability, please see the Ruby project’s announcement.
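To illustrate the class of bug, here is an added Ruby example (not code from this advisory or from the Ruby project) that puts a permissive wildcard matcher next to one applying the RFC 6125 section 6.4.3 rules; the hostnames and certificate names used are constructed.

```ruby
# Added example: permissive vs. strict matching of a presented identifier
# (a dNSName SAN or CN from a certificate) against a reference hostname.

# Permissive matcher: treats "*" as "any run of characters", including dots,
# so "*.example.com" also matches "bar.foo.example.com".
def permissive_match?(hostname, san)
  pattern = Regexp.escape(san.downcase).gsub('\*', '.*')
  !!(hostname.downcase =~ /\A#{pattern}\z/)
end

# Strict matcher following RFC 6125 6.4.3: at most one wildcard, only in
# the left-most label, never spanning a label boundary, never inside an
# IDNA A-label (xn--), and never a bare "*.tld".
def strict_match?(hostname, san)
  return false unless hostname.ascii_only? && san.ascii_only?
  host_labels = hostname.downcase.split('.', -1)
  san_labels  = san.downcase.split('.', -1)
  # Label counts must agree, and the presented name needs a real domain.
  return false unless san_labels.size > 2 && san_labels.size == host_labels.size
  # A wildcard anywhere other than the left-most label is rejected.
  return false if san_labels[1..-1].any? { |l| l.include?('*') }
  return false unless wildcard_label_match?(host_labels.first, san_labels.first)
  san_labels[1..-1] == host_labels[1..-1]
end

# Compares a single label; "*" must match at least one character.
def wildcard_label_match?(host_label, san_label)
  parts = san_label.split('*', -1)
  return false if parts.size > 2                     # more than one "*"
  return host_label == san_label if parts.size == 1  # no wildcard: exact
  return false if host_label.start_with?('xn--')     # no wildcards in A-labels
  prefix, suffix = parts
  host_label.length > prefix.length + suffix.length &&
    host_label.start_with?(prefix) && host_label.end_with?(suffix)
end
```

The strict matcher returns false for every over-match the permissive one accepts, which is the behaviour a client needs before trusting a wildcard certificate.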

CVSS v2 Score: 3.1

Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C

Status:

Affected Software Versions:

  • Puppet Enterprise 3.x
  • Puppet-Agent 1.0

Resolved in:

  • Puppet Enterprise 3.8.0
  • Puppet-Agent 1.0.1