CVE-2017-2295

Name: CVE-2017-2295
Description: Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with an attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DLA-1012-1, DSA-3862-1
NVD severity: medium (attack range: remote)
Debian Bugs: 863212

Vulnerable and fixed packages

The table below lists information on source packages.

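| Source Package | Release | Version | Status |
|---|---|---|---|
| puppet (PTS) | wheezy | 2.7.23-1~deb7u3 | vulnerable |
| puppet | wheezy (security) | 2.7.23-1~deb7u4 | fixed |
| puppet | jessie (security), jessie | 3.7.2-4+deb8u1 | fixed |
| puppet | stretch | 4.8.2-5 | fixed |
| puppet | buster, sid | 4.10.4-2 | fixed |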

The information below is based on the following data on fixed versions.

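| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| puppet | source | (unstable) | 4.8.2-5 | medium | | 863212 |
| puppet | source | jessie | 3.7.2-4+deb8u1 | medium | DSA-3862-1 | |
| puppet | source | wheezy | 2.7.23-1~deb7u4 | medium | DLA-1012-1 | |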

Notes

https://puppet.com/security/cve/cve-2017-2295
https://github.com/puppetlabs/puppet/commit/06d8c51367ca932b9da5d9b01958cfc0adf0f2ea
