EGI CSIRT:Alerts/puppet-2013-06-19

** WHITE information - Unlimited distribution allowed                       **  
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **


EGI CSIRT ADVISORY [EGI-ADV-20130619]  

Title:       EGI CSIRT Advisory "Critical" RISK - CVE 2013-3567 concerning puppet [EGI-ADV-20130619] 
Date:        2013-06-19
Updated:     2013-06-19
URL:         https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/puppet-2013-06-19  


Introduction
============

A vulnerability has been found in puppet, which allows remote unauthenticated command exection.  This has been fixed by the puppet providers, and sites must update as soon as possible and in any case within 7 days or risk site suspension. 


Details
=======

Details are available from puppet [R 1]

Some further information is available from Redhat bugzilla [R 2]


Risk category
=============

This issue has been assessed as "Critical" jointly by the EGI CSIRT and EGI SVG Risk Assessment Team  


Affected software
=================

Puppet versions prior to Puppet 2.7.22 and 3.2.2 are affected.


Component installation information
==================================

Site administrators who run puppet are probably familiar with the installation procedure, and should see the puppet site for update. 

All sites running puppet 2.X should ensure they are running 2.7.22 or later, if not upgrade

All sites running puppet 3.X should ensure they are running 3.2.2 or later, if not upgrade


Recommendations
===============


All running resources MUST be either patched or otherwise have a
work-around in place by 2013-06-26  T21:00+01:00. Sites failing to act and/or 
failing to respond to requests from the EGI CSIRT team risk site suspension. 


Credit
======

This vulnerability was reported to puppet by Ben Murphy and fixed by the puppet team.
Leif Nixon alerted the EGI CSIRT team to this issue. 



References
==========

[R 1] http://puppetlabs.com/security/cve/cve-2013-3567/ 

[R 2] https://bugzilla.redhat.com/show_bug.cgi?id=974649