Oracle Solaris Third-Party Patch Update : puppet (multiple_vulnerabilities_in_puppet)

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote Solaris system is missing a security patch for third-party
software.

Description :

The remote Solaris system is missing the patches needed to address
the following security issues :

- Unspecified vulnerability in Puppet 2.7.x before 2.7.23
and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x
before 2.8.3 and 3.0.x before 3.0.1, allows remote
attackers to execute arbitrary Ruby programs from the
master via the resource_type service. NOTE: this
vulnerability can only be exploited utilizing
unspecified 'local file system access' to the Puppet
Master. (CVE-2013-4761)

- Puppet Module Tool (PMT), as used in Puppet 2.7.x before
2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise
2.8.x before 2.8.3 and 3.0.x before 3.0.1, installs
modules with weak permissions if those permissions were
used when the modules were originally built, which might
allow local users to read or modify those modules
depending on the original permissions. (CVE-2013-4956)

See also :

http://www.nessus.org/u?b5f8def1
http://www.nessus.org/u?677c82df

Solution :

Upgrade to Solaris 11.2.

Risk factor :

Medium / CVSS Base Score : 5.1
(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)

Family: Solaris Local Security Checks

Nessus Plugin ID: 80744

Bugtraq ID:

CVE ID: CVE-2013-4761, CVE-2013-4956
