CVE-2012-1987
The MITRE CVE dictionary describes this issue as:
Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to (1) cause a denial of service (memory consumption) via a REST request to a stream that triggers a thread block, as demonstrated using CVE-2012-1986 and /dev/random; or (2) cause a denial of service (filesystem consumption) via crafted REST requests that use "a marshaled form of a Puppet::FileBucket::File object" to write to arbitrary file locations.
Find out more about CVE-2012-1987 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS v2 metrics
| Base Score | 3.5 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:S/C:N/I:N/A:P |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | Single |
| Confidentiality Impact | None |
| Integrity Impact | None |
| Availability Impact | Partial |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat CloudForms System Engine 1 (puppet) | RHSA-2012:1542 | 2012-12-04 |
| Red Hat CloudForms Cloud Engine 1 (puppet) | RHSA-2012:1542 | 2012-12-04 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise MRG 1 | puppet | Will not fix |
| Red Hat CloudForms Tools 1 | puppet | Will not fix |
Acknowledgements
Red Hat would like to thank Puppet Labs for reporting this issue.External References
CVE description copyright © 2017, The MITRE Corporation