Synopsis
A web application on the remote host is affected by multiple vulnerabilities.
Description
According to its self-reported version number, the Puppet Enterprise application running on the remote host is 3.x prior to 3.8.1. It is, therefore, affected by the following vulnerabilities:
- An XML external entity injection (XXE) flaw exists in the Apache ActiveMQ component due to a faulty configuration that allows an XML parser to accept XML external entities from untrusted sources. A remote attacker, by sending crafted XML data, can exploit this to disclose arbitrary files. (CVE-2014-3600)
- An authentication bypass vulnerability exists in the Apache ActiveMQ component due to a flaw in the LDAPLoginModule implementation. A remote attacker can exploit this to bypass authentication mechanisms. (CVE-2014-3612)
- Multiple cross-site scripting vulnerabilities exist in the administrative console of Apache ActiveMQ that allow a remote attacker to inject arbitrary HTML or web scripts. (CVE-2014-8110)
- An invalid free memory error exists due to improper validation of user-supplied input when a DTLS peer receives application data between ChangeCipherSpec and Finished messages. A remote attacker can exploit this to corrupt memory, resulting in a denial of service or the execution of arbitrary code. (CVE-2014-8176)
- A denial of service vulnerability exists when processing an ECParameters structure due to an infinite loop that occurs when a specified curve is over a malformed binary polynomial field. A remote attacker can exploit this to perform a denial of service against any system that processes public keys, certificate requests, or certificates. This includes TLS clients and TLS servers with client authentication enabled. (CVE-2015-1788)
- A denial of service vulnerability exists due to improper validation of the content and length of the ASN1_TIME string by the X509_cmp_time() function. A remote attacker can exploit this, via a malformed certificate and CRLs of various sizes, to cause a segmentation fault, resulting in a denial of service condition. TLS clients that verify CRLs are affected. TLS clients and servers with client authentication enabled may be affected if they use custom verification callbacks. (CVE-2015-1789)
- A NULL pointer dereference flaw exists in the PKCS#7 parsing code due to incorrect handling of missing inner 'EncryptedContent'. This allows a remote attacker, via specially crafted ASN.1-encoded PKCS#7 blobs with missing content, to cause a denial of service condition or other potential unspecified impacts. (CVE-2015-1790)
- A double-free error exists due to a race condition that occurs when a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket. (CVE-2015-1791)
- A denial of service vulnerability exists in the CMS code due to an infinite loop that occurs when verifying a signedData message. A remote attacker can exploit this to cause a denial of service condition. (CVE-2015-1792)
- A double-free memory flaw exists in PostgreSQL due to a timeout interrupt occurring partway in the session shutdown sequence. A remote attacker, by closing an SSL session when the authentication timeout expires, can exploit this flaw to cause a denial of service. (CVE-2015-3165)
- An out-of-memory condition exists in the printf() functions in PostgreSQL due to a failure to check for errors. A remote attacker can exploit this to access sensitive information. (CVE-2015-3166)
- A flaw exists in contrib/pgcrypto in PostgreSQL due to cases of decryption reporting other error message texts, which a remote attacker can use to recover keys from other systems. (CVE-2015-3167)
- A man-in-the-middle vulnerability, known as Logjam, exists due to a flaw in the SSL/TLS protocol. A remote attacker can exploit this flaw to downgrade connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography. (CVE-2015-4000)
Solution
Upgrade to Puppet Enterprise version 3.8.1 or later.
Plugin Details
File Name: puppet_enterprise_activemq_psql_ssl.nasl
Supported Sensors: Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:puppetlabs:puppet
Required KB Items: puppet/rest_port
Exploit Ease: No exploit is required
Patch Publication Date: 6/18/2015
Vulnerability Publication Date: 2/17/2010
Reference Information
CVE: CVE-2014-3600, CVE-2014-3612, CVE-2014-8110, CVE-2014-8176, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2015-3165, CVE-2015-3166, CVE-2015-3167, CVE-2015-4000
BID: 72510, 72511, 72513, 74733, 74787, 74789, 74790, 75154, 75156, 75157, 75158, 75159, 75161