Amazon Linux AMI : puppet Multiple Vulnerabilities (ALAS-2013-219)

This script is Copyright (C) 2013 Tenable Network Security, Inc.


Synopsis :

The remote Amazon Linux AMI host is missing a security update.

Description :

Puppet Module Tool (PMT), as used in Puppet 2.7.x before 2.7.23 and
3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x
before 3.0.1, installs modules with weak permissions if those
permissions were used when the modules were originally built, which
might allow local users to read or modify those modules depending on
the original permissions. (CVE-2013-4956)

Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x
before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x
before 3.0.1, allows remote attackers to execute arbitrary Ruby
programs from the master via the resource_type service. NOTE: this
vulnerability can only be exploited utilizing unspecified 'local file
system access' to the Puppet Master.

See also :

http://www.nessus.org/u?54e20187

Solution :

Run 'yum update puppet' to update your system.

Risk factor :

Medium / CVSS Base Score : 5.1
(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)

Family: Amazon Linux Local Security Checks

Nessus Plugin ID: 70223 ()

Bugtraq ID:

CVE ID: CVE-2013-4761
CVE-2013-4956