Bug 917383 (CVE-2015-1426) - VUL-1: CVE-2015-1426: facter: potential sensitive information leakage in Facter's Amazon EC2 metadata facts handling
Status: RESOLVED FIXED
Alias: CVE-2015-1426
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P4 - Low (priority), Minor (severity)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/113790/
Whiteboard: CVSSv2:NVD:CVE-2015-1426:2.1:(AV:L/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-02-11 13:48 UTC by Johannes Segitz
Modified: 2020-10-21 09:18 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Backported fix to SLE-11 facter (770 bytes, patch)
2020-05-18 10:46 UTC, Vítězslav Čížek

Description Johannes Segitz 2015-02-11 13:48:05 UTC
http://puppetlabs.com/security/cve/cve-2015-1426

CVE-2015-1426 - Potential sensitive information leakage in Facter’s Amazon EC2 metadata facts handling

    Posted February 10, 2015
    Assessed Risk Level: Low

An issue exists where sensitive Amazon EC2 IAM instance metadata could be added to an Amazon EC2 node's facts, where a non-privileged local user could access the information via Facter.

Although Amazon’s API allows anyone who can access an EC2 instance to view its instance metadata, facts containing sensitive EC2 instance metadata could be unintentionally exposed through off-host applications that display facts.

CVSS v2 Score: 1.3

Vector AV:L/AC:L/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C
Status:

Affected Software Versions:

    Puppet Enterprise 2.x, 3.x
    Facter 1.6.0 - 2.4.0
    CFacter 0.2.0 and earlier


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1191538
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1426
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1426
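The leak described in the advisory, as an added Ruby example that is neither Facter's own code nor the upstream patch: it walks a constructed sample of the EC2 instance-metadata tree into flat facts, omits the IAM security-credentials subtree (assumed here to be where the temporary keys and session token live), and includes a check a packager could run to confirm a backport no longer emits credential material. The sample tree, the fact-name scheme, and the filter list are all assumptions.

```ruby
# Constructed sample of the EC2 instance metadata tree (not live IMDS data).
# A key ending in "/" is a directory, as the metadata service lists them.
SAMPLE_METADATA = {
  'ami-id' => 'ami-00000000',
  'instance-id' => 'i-0123456789abcdef0',
  'iam/' => {
    'info' => '{"InstanceProfileArn":"arn:aws:iam::123456789012:instance-profile/example"}',
    'security-credentials/' => {
      'example-role' => '{"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"EXAMPLE_SECRET","Token":"EXAMPLE_TOKEN"}'
    }
  },
  'placement/' => { 'availability-zone' => 'us-east-1a' }
}.freeze

# Subtrees that must never be turned into facts (assumed filter list).
SENSITIVE_PATHS = ['iam/security-credentials/'].freeze

def sensitive?(path)
  SENSITIVE_PATHS.any? { |p| path.start_with?(p) }
end

# Flatten the tree into facts named like ec2_placement_availability_zone.
# filter = false reproduces the pre-fix behaviour: every leaf becomes a fact,
# credentials included; filter = true is the hardened walk.
def ec2_facts(tree, filter = true, prefix = '', facts = {})
  tree.each do |key, value|
    path = prefix + key
    next if filter && sensitive?(path)
    if value.is_a?(Hash)
      ec2_facts(value, filter, path, facts)
    else
      facts['ec2_' + path.tr('/-', '__')] = value
    end
  end
  facts
end

# Regression check: names of facts whose value carries IAM credential fields.
CREDENTIAL_KEYS = %w[AccessKeyId SecretAccessKey Token].freeze

def leaked_credentials(facts)
  facts.select { |_, v| CREDENTIAL_KEYS.any? { |k| v.to_s.include?(k) } }.keys
end
```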
Comment 1 Swamp Workflow Management 2015-02-11 23:00:35 UTC
bugbot adjusting priority
Comment 2 Vítězslav Čížek 2020-05-18 09:47:10 UTC
Affects only SLE-11.
SLE-12 has facter 2.4.6, which includes the fix (https://github.com/puppetlabs/facter/commit/e546bc546e7fb23ad6b68fcf2059452df4d320dd).
Comment 3 Vítězslav Čížek 2020-05-18 10:46:19 UTC
Created attachment 837917
Backported fix to SLE-11 facter

Kristyna,
Does the patch look good to you?
Comment 4 Kristyna Streitova 2020-05-19 11:10:54 UTC
(In reply to Vítězslav Čížek from comment #3)
> Kristyna,
> Does the patch look good to you?

Yes, it looks reasonable, thanks!
Comment 5 Kristyna Streitova 2020-05-19 11:16:56 UTC
The patch has been submitted (mr#218441), thanks Vita! I'm closing it as fixed.
Comment 6 Kristyna Streitova 2020-05-19 11:26:31 UTC
Reopening and reassigning it to the security team as it's a security issue.
Comment 8 Alexandros Toptsoglou 2020-07-10 14:54:52 UTC
Done