Bugzilla – Bug 983729
VUL-0: CVE-2016-2786: puppet: Incorrect Client Verification in Puppet Communications Protocol
Last modified: 2016-10-19 12:25:43 UTC
CVE-2016-2786 https://puppet.com/security/cve/CVE-2016-2786 CVE-2016-2786 - Incorrect Client Verification in Puppet Communications Protocol Overview Posted March 14, 2016 Assessed Risk Level: High The Puppet Communications Protocol included in Puppet Enterprise 2015.3 does not properly validate certificates in all cases. This potentially allows for arbitrary remote code execution on Puppet agent nodes. In PE 2015.3.2 and earlier, the pxp-agent component does not properly validate the server certificate. This makes it possible for an attacker to impersonate a broker and issue commands to the agent, assuming the attacker can force the agent to connect to an arbitrary broker via a secondary attack (DNS spoofing, etc). Default configurations of FOSS Puppet Agent are not vulnerable. Status: Affected Software Versions: Puppet Enterprise 2015.3.x prior to 2015.3.3 Puppet Agent 1.3.x Resolved in: Puppet Enterprise 2015.3.3 Puppet Agent 1.3.6
we ship the foss agent, not sure what they mean with default configuration is not affected there. I am guessing we are good, but can you cross check perhaps?
bugbot adjusting priority
(In reply to Marcus Meissner from comment #1) > I am guessing we are good, but can you cross check perhaps? According to [1], affected Puppet Enterprise 2015.3.x and Puppet Agent 1.3.x contain Puppet 4.3.x that we don't ship. It seems that we are not affected by this issue. [1] https://docs.puppet.com/pe/latest/overview_version_table.html
does not affect us apparently.