製品・ソフトウェアに関する情報

JVN脆弱性詳細

Puppet における SSLv2 ダウングレード攻撃を実行される脆弱性

Title	Puppet における SSLv2 ダウングレード攻撃を実行される脆弱性
Summary	Puppet および Puppet Enterprise は、クライアントとマスタの間で SSL プロトコルを適切に処理しないため、SSLv3 セッションに対して、SSLv2 ダウングレード攻撃を実行される脆弱性が存在します。
Possible impacts	第三者により、SSLv3 セッションに対して、SSLv2 ダウングレード攻撃を実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 12, 2013, midnight
Registration Date	March 25, 2013, 10:25 a.m.
Last Update	Jan. 22, 2014, 2:17 p.m.

Affected System

オラクル

Oracle Fusion Middleware 10.1.3.5.0

Oracle Fusion Middleware の Oracle Forms and Reports 11.1.2.1

Oracle Fusion Middleware の Oracle HTTP Server 11.1.1.6.0

Oracle Fusion Middleware の Oracle HTTP Server 11.1.1.7.0

Canonical

Ubuntu 11.10

Ubuntu 12.04 LTS

Ubuntu 12.10

Puppet

Puppet 2.7.21 未満の 2.7.x

Puppet 3.1.1 未満の 3.1.x

Puppet Enterprise 2.7.2 未満の 2.7.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2013-1654	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1654
National Vulnerability Database (NVD)
2	CVE-2013-1654	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1654
Puppet
3	CVE-2013-1654	https://puppetlabs.com/security/cve/cve-2013-1654/

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-noinfo	https://www.ipa.go.jp/security/vuln/CWE.html#CWEnoinfo

ベンダー情報

No	Name	URL
Debian セキュリティ勧告
1	DSA-2643-1 puppet	http://www.debian.org/security/2013/dsa-2643
opensuse-security-announce
2	SUSE-SU-2013:0618	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html
opensuse-updates
3	openSUSE-SU-2013:0641	http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html
Oracle Critical Patch Update
4	Oracle Critical Patch Update Advisory - January 2014	http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
5	Text Form of Oracle Critical Patch Update - January 2014 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujan2014verbose-1972951.html
Red Hat Security Advisory
6	RHSA-2013:0710	http://rhn.redhat.com/errata/RHSA-2013-0710.html
SECURITY BLOG
7	January 2014 Critical Patch Update Released	https://blogs.oracle.com/security/entry/january_2014_critical_patch_update
Ubuntu Security Notice
8	USN-1759-1	http://www.ubuntu.com/usn/usn-1759-1/

Change Log

No	Changed Details	Date of change
0	[2013年03月25日] 掲載 [2013年04月23日] ベンダ情報：レッドハット (RHSA-2013:0710) を追加ベンダ情報：openSUSE (openSUSE-SU-2013:0641) を追加ベンダ情報：openSUSE (SUSE-SU-2013:0618) を追加 [2014年01月22日] 影響を受けるシステム：オラクル (Oracle Critical Patch Update Advisory - January 2014) の情報を追加ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - January 2014) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - January 2014 Risk Matrices) を追加ベンダ情報：オラクル (January 2014 Critical Patch Update Released) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2013-1654

Summary	Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, and Puppet Enterprise 2.7.x before 2.7.2, does not properly negotiate the SSL protocol between client and master, which allows remote attackers to conduct SSLv2 downgrade attacks against SSLv3 sessions via unspecified vectors.
Publication Date	March 21, 2013, 1:55 a.m.
Registration Date	Jan. 26, 2021, 3:36 p.m.
Last Update	Nov. 21, 2024, 10:50 a.m.

Affected software configurations

Configuration2		or higher	or less	more than	less than
cpe:2.3:a:puppet:puppet_enterprise:3.1.0:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:puppetlabs:puppet:2.7.0:-:enterprise:::::*
cpe:2.3:a:puppetlabs:puppet:2.7.1:-:enterprise:::::*

Configuration4	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:11.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:12.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html
2	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html
3	http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html
4	http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html
5	http://rhn.redhat.com/errata/RHSA-2013-0710.html
6	http://rhn.redhat.com/errata/RHSA-2013-0710.html
7	http://secunia.com/advisories/52596	Vendor Advisory
8	http://secunia.com/advisories/52596	Vendor Advisory
9	http://ubuntu.com/usn/usn-1759-1
10	http://ubuntu.com/usn/usn-1759-1
11	http://www.debian.org/security/2013/dsa-2643
12	http://www.debian.org/security/2013/dsa-2643
13	http://www.securityfocus.com/bid/64758
14	http://www.securityfocus.com/bid/64758
15	https://puppetlabs.com/security/cve/cve-2013-1654/	Vendor Advisory
16	https://puppetlabs.com/security/cve/cve-2013-1654/	Vendor Advisory

Common Vulnerabilities List