Amazon Linux AMI : puppet (ALAS-2013-219)

This script is Copyright (C) 2013-2015 Tenable Network Security, Inc.


Synopsis :

The remote Amazon Linux AMI host is missing a security update.

Description :

Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x
before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x
before 3.0.1, allows remote attackers to execute arbitrary Ruby
programs from the master via the resource_type service. NOTE: this
vulnerability can only be exploited utilizing unspecified 'local file
system access' to the Puppet Master.

Puppet Module Tool (PMT), as used in Puppet 2.7.x before 2.7.23 and
3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x
before 3.0.1, installs modules with weak permissions if those
permissions were used when the modules were originally built, which
might allow local users to read or modify those modules depending on
the original permissions.

See also :

https://alas.aws.amazon.com/ALAS-2013-219.html

Solution :

Run 'yum update puppet' to update your system.

Risk factor :

Medium / CVSS Base Score : 5.1
(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)

Family: Amazon Linux Local Security Checks

Nessus Plugin ID: 70223 ()

Bugtraq ID:

CVE ID: CVE-2013-4761
CVE-2013-4956

Ready to Scan Unlimited IPs & Run Compliance Checks?

Upgrade to Nessus Professional today!

Buy Now

Combine the Power of Nessus with the Ease of Cloud

Start your free Nessus Cloud trial now!

Begin Free Trial