Advisory: puppetlabs-ntp default configuration does not fully mitigate CVE-2013-5211

  • Posted November 24, 2015

  • Assessed Risk Level: Low

Previous versions of the puppetlabs-ntp module did not default to using 'disable monitor', which is one of the two configurations required to fully mitigate CVE-2013-5211. The module by default would set 'noquery' for all remote hosts, but the system would still be vulnerable to local attacks.

With the puppetlabs-ntp 4.1.1 release, the default value for the 'disable_monitor' parameter is set to 'true' for all platforms.

No action is required unless you are manually setting 'disable_monitor' to false or you need monitoring enabled in your environment.


Affected Software Versions:

  • puppetlabs-ntp 4.1.0 and earlier

Resolved in:

  • puppetlabs-ntp 4.1.1
Puppet sites use proprietary and third-party cookies. By using our sites, you agree to our cookie policy.