On April 19, 2016 Oracle announced several vulnerabilities in Java.
Puppet Enterprise 3.8.x, 2015.3.x and 2016.1.x ship with a vulnerable version of Java. Puppet Enterprise 3.8.5 and 2016.1.2 include updates to address the security announcement.
For more information about these vulnerabilities, please refer to the Oracle security announcement (http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html#AppendixJAVA).
Affected Software Versions: