CVE-2014-3250
The MITRE CVE dictionary describes this issue as:
The default vhost configuration file in Puppet before 3.6.2 does not include the SSLCARevocationCheck directive, which might allow remote attackers to obtain sensitive information via a revoked certificate when a Puppet master runs with Apache 2.4.
Find out more about CVE-2014-3250 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
Not vulnerable. This issue did not affect the versions of puppet as shipped with Red Hat Subscription Asset Manager 1.3 as they did not include puppet-server.
CVSS v2 metrics
NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.
| Base Score | 5 |
|---|---|
| Base Metrics | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | None |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Subscription Asset Manager 1 | ruby193-puppet | Not affected |
| Red Hat Satellite 6 | puppet | Will not fix |
| Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) | puppet | Will not fix |
| Red Hat Enterprise Linux OpenStack Platform 4.0 | puppet | Will not fix |
| Red Hat Enterprise Linux OpenStack Platform 3.0 | puppet | Will not fix |
Acknowledgements
Red Hat would like to thank Puppet Labs for reporting this issue.External References
CVE description copyright © 2017, The MITRE Corporation