Advisory: Use of the 'port' parameter with puppetlabs-firewall could cause unexpectedly permissive firewall rules.

Overview

  • Posted August 31, 2015

  • Assessed Risk Level: Medium

Previous versions of the README for the puppetlabs-firewall module contained examples of configurations using the port parameter instead of referencing dport and sport. Following these examples explicitly could result in firewall rules that are unintentionally permissive. It is recommended to always use the specific dport and sport parameters.

With the puppetlabs-firewall 1.7.1 release, the port parameter is now deprecated and will be removed in the next major release.

If any manifests using puppetlabs-firewall's firewall resource are configured to use the port parameter, users should update those manifests to use the specific dport or sport parameters instead.

Thanks to Narayan Newton of Tag1 Consulting for responsibly disclosing this issue to us.

Status:

Affected Software Versions:

  • puppetlabs-firewall 1.7.0 and earlier

Resolved in:

  • puppetlabs-firewall 1.7.1