dcsimg

Security Flaw Found in Puppet IT Automation Software

SHARE
Share it on Twitter  
Share it on Facebook  
Share it on Google+
Share it on Linked in  
Email  

Puppet Labs recently published a notice warning of a remote code execution vulnerability in its Puppet automation software (h/t The Register).

"When making REST api calls, the puppet master takes YAML from an untrusted client, deserializes it, and then calls methods on the resulting object," the notice explains. "A YAML payload can be crafted to cause the deserialization to construct an instance of any class available in the ruby process, which allows an attacker to execute code contained in the payload."

Users are advised to update to Puppet 2.7.22, Puppet 3.2.2, or Puppet Enterprise 2.8.2 to patch the vulnerability.

The flaw, CVE-2013-3567, was discovered and disclosed by Ben Murphy.

Submit a Comment

Loading Comments...