Security Flaw Found in Puppet IT Automation Software

Puppet Labs recently published a notice warning of a remote code execution vulnerability in its Puppet automation software (h/t The Register).

“When making REST api calls, the puppet master takes YAML from an untrusted client, deserializes it, and then calls methods on the resulting object,” the notice explains. “A YAML payload can be crafted to cause the deserialization to construct an instance of any class available in the ruby process, which allows an attacker to execute code contained in the payload.”

Users are advised to update to Puppet 2.7.22, Puppet 3.2.2, or Puppet Enterprise 2.8.2 to patch the vulnerability.

The flaw, CVE-2013-3567, was discovered and disclosed by Ben Murphy.

Jeff Goldman
Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.

Top Products

Top Cybersecurity Companies

Related articles