In January, 2018 Oracle announced several vulnerabilities for Java. Puppet Enterprise prior to 2016.4.10 and 2017.3.3 shipped with a vulnerable version of Java. Puppet Enterprise 2016.4.10 and 2017.3.3 include updates to Java to address these vulnerabilities.
For more information about this vulnerability, refer to the Oracle’s security announcement (http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixJAVA)
Affected software versions: