NVD Vulnerability Detail

CVE-2012-1987

Summary	Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to (1) cause a denial of service (memory consumption) via a REST request to a stream that triggers a thread block, as demonstrated using CVE-2012-1986 and /dev/random; or (2) cause a denial of service (filesystem consumption) via crafted REST requests that use "a marshaled form of a Puppet::FileBucket::File object" to write to arbitrary file locations.
Publication Date	May 30, 2012, 5:55 a.m.
Registration Date	Jan. 28, 2021, 2:57 p.m.
Last Update	Nov. 21, 2024, 10:38 a.m.

CVSS2.0 : LOW
Score	3.5
Vector	AV:N/AC:M/Au:S/C:N/I:N/A:P
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	単一
機密性への影響(C)	なし
完全性への影響(I)	なし
可用性への影響(A)	低
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:puppet:puppet:2.6.0:::::::*
cpe:2.3:a:puppet:puppet:2.6.1:::::::*
cpe:2.3:a:puppet:puppet:2.6.2:::::::*
cpe:2.3:a:puppet:puppet:2.6.3:::::::*
cpe:2.3:a:puppet:puppet:2.6.4:::::::*
cpe:2.3:a:puppet:puppet:2.6.5:::::::*
cpe:2.3:a:puppet:puppet:2.6.6:::::::*
cpe:2.3:a:puppet:puppet:2.6.7:::::::*
cpe:2.3:a:puppet:puppet:2.6.8:::::::*
cpe:2.3:a:puppet:puppet:2.6.9:::::::*
cpe:2.3:a:puppet:puppet:2.6.10:::::::*
cpe:2.3:a:puppet:puppet:2.6.11:::::::*
cpe:2.3:a:puppet:puppet:2.6.12:::::::*
cpe:2.3:a:puppet:puppet:2.6.13:::::::*
cpe:2.3:a:puppet:puppet:2.6.14:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:puppetlabs:puppet:2.7.0:::::::*
cpe:2.3:a:puppetlabs:puppet:2.7.1:::::::*
cpe:2.3:a:puppet:puppet:2.7.2:::::::*
cpe:2.3:a:puppet:puppet:2.7.3:::::::*
cpe:2.3:a:puppet:puppet:2.7.4:::::::*
cpe:2.3:a:puppet:puppet:2.7.5:::::::*
cpe:2.3:a:puppet:puppet:2.7.6:::::::*
cpe:2.3:a:puppet:puppet:2.7.7:::::::*
cpe:2.3:a:puppet:puppet:2.7.8:::::::*
cpe:2.3:a:puppet:puppet:2.7.9:::::::*
cpe:2.3:a:puppet:puppet:2.7.10:::::::*
cpe:2.3:a:puppet:puppet:2.7.11:::::::*
cpe:2.3:a:puppet:puppet_enterprise:2.5.0:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:puppetlabs:puppet_enterprise_users:1.0:::::::*
cpe:2.3:a:puppetlabs:puppet_enterprise_users:1.1:::::::*
cpe:2.3:a:puppet:puppet_enterprise:1.2.0:::::::*
cpe:2.3:a:puppet:puppet_enterprise:2.0.0:::::::*
cpe:2.3:a:puppet:puppet_enterprise:2.0.1:::::::*
cpe:2.3:a:puppet:puppet_enterprise:2.0.2:::::::*
cpe:2.3:a:puppet:puppet_enterprise:1.2.1:::::::*
cpe:2.3:a:puppet:puppet_enterprise:1.2.2:::::::*
cpe:2.3:a:puppet:puppet_enterprise:1.2.3:::::::*
cpe:2.3:a:puppet:puppet_enterprise:1.2.4:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html
2	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html
3	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079289.html
4	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079289.html
5	http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080003.html
6	http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080003.html
7	http://projects.puppetlabs.com/issues/13552	Vendor Advisory
8	http://projects.puppetlabs.com/issues/13552	Vendor Advisory
9	http://projects.puppetlabs.com/issues/13553	Vendor Advisory
10	http://projects.puppetlabs.com/issues/13553	Vendor Advisory
11	http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15
12	http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15
13	http://puppetlabs.com/security/cve/cve-2012-1987/	Vendor Advisory
14	http://puppetlabs.com/security/cve/cve-2012-1987/	Vendor Advisory
15	http://puppetlabs.com/security/cve/cve-2012-1987/hotfixes/
16	http://puppetlabs.com/security/cve/cve-2012-1987/hotfixes/
17	http://secunia.com/advisories/48743	Vendor Advisory
18	http://secunia.com/advisories/48743	Vendor Advisory
19	http://secunia.com/advisories/48748	Vendor Advisory
20	http://secunia.com/advisories/48748	Vendor Advisory
21	http://secunia.com/advisories/48789	Vendor Advisory
22	http://secunia.com/advisories/48789	Vendor Advisory
23	http://secunia.com/advisories/49136	Vendor Advisory
24	http://secunia.com/advisories/49136	Vendor Advisory
25	http://ubuntu.com/usn/usn-1419-1
26	http://ubuntu.com/usn/usn-1419-1
27	http://www.debian.org/security/2012/dsa-2451
28	http://www.debian.org/security/2012/dsa-2451
29	http://www.osvdb.org/81308
30	http://www.osvdb.org/81308
31	http://www.securityfocus.com/bid/52975
32	http://www.securityfocus.com/bid/52975
33	https://exchange.xforce.ibmcloud.com/vulnerabilities/74794
34	https://exchange.xforce.ibmcloud.com/vulnerabilities/74794
35	https://hermes.opensuse.org/messages/14523305
36	https://hermes.opensuse.org/messages/14523305
37	https://hermes.opensuse.org/messages/15087408
38	https://hermes.opensuse.org/messages/15087408

Common Vulnerabilities List

JVN Vulnerability Information

Puppet および Puppet Enterprise におけるサービス運用妨害 (DoS) の脆弱性

Title	Puppet および Puppet Enterprise におけるサービス運用妨害 (DoS) の脆弱性
Summary	Puppet および Puppet Enterprise には、サービス運用妨害 (メモリ破損またはファイルシステム破損) 状態となる脆弱性が存在します。
Possible impacts	エージェントの SSL キーを持つリモート認証されたユーザにより、スレッドブロックを誘発するストリームへの REST リクエストを介して、サービス運用妨害 (メモリ破損) 状態にされる、または、任意の場所に格納されたファイルへの書き込みに "Puppet::FileBucket::File オブジェクトが整列されたフォーム (marshaled form of a Puppet::FileBucket::File object)" を使用する巧妙に細工された REST リクエストを介して、サービス運用妨害 (ファイルシステム破損) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	May 29, 2012, midnight
Registration Date	May 31, 2012, 2:50 p.m.
Last Update	July 26, 2012, 1:57 p.m.

Affected System

Puppet

Puppet 2.6.15 未満の 2.6.x

Puppet 2.7.13 未満の 2.7.x

Puppet Enterprise 1.1

Puppet Enterprise 1.2.x

Puppet Enterprise 2.0.x

Puppet Enterprise 2.5.1 未満の 2.5.x

Puppet Enterprise 1.0

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2012-1987	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1987
National Vulnerability Database (NVD)
2	CVE-2012-1987	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1987
Puppet
3	CVE-2012-1987	http://puppetlabs.com/security/cve/cve-2012-1987/

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-noinfo	https://www.ipa.go.jp/security/vuln/CWE.html#CWEnoinfo

ベンダー情報

No	Name	URL
Debian Security Advisory
1	DSA-2451-1	http://www.debian.org/security/2012/dsa-2451
Fedora Update Notification
2	FEDORA-2012-5999	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html
3	FEDORA-2012-6055	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079289.html
4	FEDORA-2012-6674	http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080003.html
opensuse-updates
5	openSUSE-SU-2012:0608	http://lists.opensuse.org/opensuse-updates/2012-05/msg00012.html
6	openSUSE-SU-2012:0835	http://lists.opensuse.org/opensuse-updates/2012-07/msg00015.html
Puppet
7	Release Notes 2.6.15	http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15
8	Release Notes 2.7.13	http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.7.13
Ubuntu Security Notice
9	USN-1419-1	http://www.ubuntu.com/usn/usn-1419-1/

Change Log

No	Changed Details	Date of change
0	[2012年05月31日] 掲載 [2012年07月26日] ベンダ情報：Fedora Project (FEDORA-2012-5999) を追加ベンダ情報：Fedora Project (FEDORA-2012-6055) を追加ベンダ情報：Fedora Project (FEDORA-2012-6674) を追加ベンダ情報：openSUSE (openSUSE-SU-2012:0608) を追加ベンダ情報：openSUSE (openSUSE-SU-2012:0835) を追加	Feb. 17, 2018, 10:37 a.m.

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:puppet:puppet:2.6.0:::::::*
cpe:2.3:a:puppet:puppet:2.6.1:::::::*
cpe:2.3:a:puppet:puppet:2.6.2:::::::*
cpe:2.3:a:puppet:puppet:2.6.3:::::::*
cpe:2.3:a:puppet:puppet:2.6.4:::::::*
cpe:2.3:a:puppet:puppet:2.6.5:::::::*
cpe:2.3:a:puppet:puppet:2.6.6:::::::*
cpe:2.3:a:puppet:puppet:2.6.7:::::::*
cpe:2.3:a:puppet:puppet:2.6.8:::::::*
cpe:2.3:a:puppet:puppet:2.6.9:::::::*
cpe:2.3:a:puppet:puppet:2.6.10:::::::*
cpe:2.3:a:puppet:puppet:2.6.11:::::::*
cpe:2.3:a:puppet:puppet:2.6.12:::::::*
cpe:2.3:a:puppet:puppet:2.6.13:::::::*
cpe:2.3:a:puppet:puppet:2.6.14:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:puppetlabs:puppet:2.7.0:::::::*
cpe:2.3:a:puppetlabs:puppet:2.7.1:::::::*
cpe:2.3:a:puppet:puppet:2.7.2:::::::*
cpe:2.3:a:puppet:puppet:2.7.3:::::::*
cpe:2.3:a:puppet:puppet:2.7.4:::::::*
cpe:2.3:a:puppet:puppet:2.7.5:::::::*
cpe:2.3:a:puppet:puppet:2.7.6:::::::*
cpe:2.3:a:puppet:puppet:2.7.7:::::::*
cpe:2.3:a:puppet:puppet:2.7.8:::::::*
cpe:2.3:a:puppet:puppet:2.7.9:::::::*
cpe:2.3:a:puppet:puppet:2.7.10:::::::*
cpe:2.3:a:puppet:puppet:2.7.11:::::::*
cpe:2.3:a:puppet:puppet_enterprise:2.5.0:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:puppetlabs:puppet_enterprise_users:1.0:::::::*
cpe:2.3:a:puppetlabs:puppet_enterprise_users:1.1:::::::*
cpe:2.3:a:puppet:puppet_enterprise:1.2.0:::::::*
cpe:2.3:a:puppet:puppet_enterprise:2.0.0:::::::*
cpe:2.3:a:puppet:puppet_enterprise:2.0.1:::::::*
cpe:2.3:a:puppet:puppet_enterprise:2.0.2:::::::*
cpe:2.3:a:puppet:puppet_enterprise:1.2.1:::::::*
cpe:2.3:a:puppet:puppet_enterprise:1.2.2:::::::*
cpe:2.3:a:puppet:puppet_enterprise:1.2.3:::::::*
cpe:2.3:a:puppet:puppet_enterprise:1.2.4:::::::*