Armis Vulnerability Intelligence Database

Description Preview

The vulnerability in Puppet versions before 2.6.15 and 2.7.13, and Puppet Enterprise (PE) Users versions before 2.5.1 allows remote authenticated users with agent SSL keys to cause a denial of service (DoS) condition. This can be achieved by triggering a thread block through a REST request to a stream, leading to memory consumption, or by using crafted REST requests to write to arbitrary file locations, causing filesystem consumption.

Overview

This vulnerability in Puppet and Puppet Enterprise allows remote authenticated users to exploit the system by triggering a denial of service condition through specific REST requests. The vulnerability affects versions prior to 2.6.15 and 2.7.13 for Puppet, and versions before 2.5.1 for Puppet Enterprise.

Remediation

To remediate this vulnerability, users are advised to upgrade their Puppet installations to version 2.6.15 or 2.7.13, and Puppet Enterprise installations to version 2.5.1 or later. By updating to the patched versions, users can mitigate the risk of remote authenticated users causing denial of service through memory or filesystem consumption.

References

IBM X-Force: puppet-rest-dos(74795)
Puppet Labs: CVE-2012-1987
Puppet Labs Issue Tracker: Issue 13552
Ubuntu Security Notice: USN-1419-1
Fedora Advisory: FEDORA-2012-5999
openSUSE-SU Advisory: openSUSE-SU-2012:0608
Secunia Advisory: 48743
Puppet Labs Hotfixes: CVE-2012-1987 Hotfixes
Puppet Release Notes: Puppet 2.6.15 Release Notes
Fedora Advisory: FEDORA-2012-6055
Fedora Advisory: FEDORA-2012-6674
Secunia Advisory: 49136
OSVDB: 81308
SecurityFocus BID: 52975
Secunia Advisory: 48748
Debian Security Advisory: DSA-2451
Puppet Labs Issue Tracker: Issue 13553
openSUSE-SU Advisory: openSUSE-SU-2012:0835
Secunia Advisory: 48789

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

Management of Companies & Enterprises
Management of Companies & Enterprises
Manufacturing
Manufacturing
Accommodation & Food Services
Accommodation & Food Services
Administrative, Support, Waste Management & Remediation Services
Administrative, Support, Waste Management & Remediation Services
Agriculture, Forestry Fishing & Hunting
Agriculture, Forestry Fishing & Hunting
Arts, Entertainment & Recreation
Arts, Entertainment & Recreation
Construction
Construction
Educational Services
Educational Services
Finance and Insurance
Finance and Insurance
Health Care & Social Assistance
Health Care & Social Assistance
Information
Information
Mining
Mining
Other Services (except Public Administration)
Other Services (except Public Administration)
Professional, Scientific, & Technical Services
Professional, Scientific, & Technical Services
Public Administration
Public Administration
Real Estate Rental & Leasing
Real Estate Rental & Leasing
Retail Trade
Retail Trade
Transportation & Warehousing
Transportation & Warehousing
Utilities
Utilities
Wholesale Trade
Wholesale Trade

^{CVE-2012-1987:}Unspecified vulnerability in Puppet versions before 2.6.15 and 2.7.13, and Puppet Enterprise (PE) Users versions before 2.5.1 allows remote authenticated users to cause denial of service via crafted REST requests.

Description Preview

Overview

Remediation

References

Focus on What Matters

Let's talk!