On May 3, 2016 OpenSSL announced several vulnerabilities.
Previous versions of Puppet Enterprise shipped with a vulnerable version of OpenSSL. Of the announced vulnerabilities,the default configuration of Puppet Enterprise is only vulnerable to CVE-2016-2107. However, connections are unlikely to be negotiated with the vulnerable AES-CBC cipher, as it is far down our list of preferred ciphers.
For more information about these vulnerabilities, please refer to the OpenSSL security announcement (https://www.openssl.org/news/secadv/20160503.txt).
Affected Software Versions: