Executive Summary
Summary | |
---|---|
Title | Puppet vulnerabilities |
Information | |||
---|---|---|---|
Name | USN-1759-1 | First vendor Publication | 2013-03-12 |
Vendor | Ubuntu | Last vendor Modification | 2013-03-12 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:S/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Exploit Score | 8 | Authentication | Requires single instance |
Detail
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10

Summary: Several security issues were fixed in Puppet.

Software Description:

- puppet: Centralized configuration management

Details:

It was discovered that Puppet agents incorrectly handled certain kick connections in a non-default configuration. An attacker on an authenticated client could use this issue to possibly execute arbitrary code. (CVE-2013-1653)

It was discovered that Puppet incorrectly handled certain catalog requests. An attacker on an authenticated client could use this issue to possibly execute arbitrary code on the master. (CVE-2013-1640)

It was discovered that Puppet incorrectly handled certain client requests. An attacker on an authenticated client could use this issue to possibly perform unauthorized actions. (CVE-2013-1652)

It was discovered that Puppet incorrectly handled certain SSL connections. An attacker could use this issue to possibly downgrade connections to SSLv2. (CVE-2013-1654)

It was discovered that Puppet incorrectly handled serialized attributes. An attacker on an authenticated client could use this issue to possibly cause a denial of service, or execute arbitrary. (CVE-2013-1655)

It was discovered that Puppet incorrectly handled submitted reports. An attacker on an authenticated node could use this issue to possibly submit a report for any other node. (CVE-2013-2275)

Update instructions: The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.10:
Ubuntu 12.04 LTS:
Ubuntu 11.10:

In general, a standard system update will make all the necessary changes.

References:

Package Information:
Original Source
Url : http://www.ubuntu.com/usn/USN-1759-1 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-264 | Permissions, Privileges, and Access Controls |
50 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:17328 | |||
Oval ID: | oval:org.mitre.oval:def:17328 | ||
Title: | USN-1759-1 -- puppet vulnerabilities | ||
Description: | Several security issues were fixed in Puppet. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1759-1 CVE-2013-1653 CVE-2013-1640 CVE-2013-1652 CVE-2013-1654 CVE-2013-1655 CVE-2013-2275 | Version: | 7 |
Platform(s): | Ubuntu 12.10 Ubuntu 12.04 Ubuntu 11.10 | Product(s): | puppet |
Definition Id: oval:org.mitre.oval:def:17992 | |||
Oval ID: | oval:org.mitre.oval:def:17992 | ||
Title: | DSA-2643-1 puppet - several issues | ||
Description: | Multiple vulnerabilities were discovered in Puppet, a centralized configuration management system. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2643-1 CVE-2013-1640 CVE-2013-1652 CVE-2013-1653 CVE-2013-1654 CVE-2013-1655 CVE-2013-2274 CVE-2013-2275 | Version: | 7 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | puppet |
Definition Id: oval:org.mitre.oval:def:25947 | |||
Oval ID: | oval:org.mitre.oval:def:25947 | ||
Title: | SUSE-SU-2013:0618-1 -- Security update for puppet | ||
Description: | puppet has been updated to fix 2.6.18 multiple vulnerabilities and bugs. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2013:0618-1 CVE-2013-1653 CVE-2013-2275 CVE-2013-1652 CVE-2013-2274 CVE-2013-1655 CVE-2013-1654 CVE-2013-1640 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | puppet |
CPE : Common Platform Enumeration
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2014-01-16 | IAVM : 2014-A-0009 - Multiple Vulnerabilities in Oracle Fusion Middleware Severity : Category I - VMSKEY : V0043395 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-295.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-181.nasl - Type : ACT_GATHER_INFO |
2013-08-25 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201308-04.nasl - Type : ACT_GATHER_INFO |
2013-08-02 | Name : The remote Fedora host is missing a security update. File : fedora_2013-3935.nasl - Type : ACT_GATHER_INFO |
2013-04-26 | Name : A web application on the remote host has a code execution vulnerability. File : puppet_cve_2013-1655.nasl - Type : ACT_GATHER_INFO |
2013-04-26 | Name : A configuration management application running on the remote host has multipl... File : puppet_multiple_vulns.nasl - Type : ACT_GATHER_INFO |
2013-04-04 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_puppet-130320.nasl - Type : ACT_GATHER_INFO |
2013-04-01 | Name : The remote Fedora host is missing a security update. File : fedora_2013-4187.nasl - Type : ACT_GATHER_INFO |
2013-03-14 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_04042f9514b84382a8b9b30e365776cf.nasl - Type : ACT_GATHER_INFO |
2013-03-14 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_cda566a02df04eb0b70eed7a6fb0ab3c.nasl - Type : ACT_GATHER_INFO |
2013-03-13 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2643.nasl - Type : ACT_GATHER_INFO |
2013-03-13 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1759-1.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 12:01:40 | |
2013-03-21 21:19:22 | |
2013-03-21 00:19:48 | |
2013-03-12 22:06:54 | |