Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @

EGI CSIRT:Alerts/puppet-2013-06-19

From EGIWiki
Jump to navigation Jump to search
** WHITE information - Unlimited distribution allowed                       **  
** see for distribution restrictions **


Title:       EGI CSIRT Advisory "Critical" RISK - CVE 2013-3567 concerning puppet [EGI-ADV-20130619] 
Date:        2013-06-19
Updated:     2013-06-19


A vulnerability has been found in puppet, which allows remote unauthenticated command exection.  This has been fixed by the puppet providers, and sites must update as soon as possible and in any case within 7 days or risk site suspension. 


Details are available from puppet [R 1]

Some further information is available from Redhat bugzilla [R 2]

Risk category

This issue has been assessed as "Critical" jointly by the EGI CSIRT and EGI SVG Risk Assessment Team  

Affected software

Puppet versions prior to Puppet 2.7.22 and 3.2.2 are affected.

Component installation information

Site administrators who run puppet are probably familiar with the installation procedure, and should see the puppet site for update. 

All sites running puppet 2.X should ensure they are running 2.7.22 or later, if not upgrade

All sites running puppet 3.X should ensure they are running 3.2.2 or later, if not upgrade


All running resources MUST be either patched or otherwise have a
work-around in place by 2013-06-26  T21:00+01:00. Sites failing to act and/or 
failing to respond to requests from the EGI CSIRT team risk site suspension. 


This vulnerability was reported to puppet by Ben Murphy and fixed by the puppet team.
Leif Nixon alerted the EGI CSIRT team to this issue. 


[R 1] 

[R 2]