Security Flaw Found in Puppet IT Automation Software


Puppet Labs recently published a notice warning of a remote code execution vulnerability in its Puppet automation software (h/t The Register).

"When making REST api calls, the puppet master takes YAML from an untrusted client, deserializes it, and then calls methods on the resulting object," the notice explains. "A YAML payload can be crafted to cause the deserialization to construct an instance of any class available in the ruby process, which allows an attacker to execute code contained in the payload."

Users are advised to update to Puppet 2.7.22, Puppet 3.2.2, or Puppet Enterprise 2.8.2 to patch the vulnerability.

The flaw, CVE-2013-3567, was discovered and disclosed by Ben Murphy.