Puppet Enterprise 3.x < 3.8.1 Multiple Vulnerabilities (Logjam)

High Nessus Plugin ID 84960

Synopsis

A web application on the remote host is affected by multiple vulnerabilities.

Description

According to its self-reported version number, the Puppet Enterprise application running on the remote host is 3.x prior to 3.8.1. It is, therefore, affected by the following vulnerabilities :

- An XML external entity injection (XXE) flaw exists in the Apache ActiveMQ component due to a faulty configuration that allows an XML parser to accept XML external entities from untrusted sources. A remote attacker, by sending crafted XML data, can exploit this to disclose arbitrary files. (CVE-2014-3600)

- An authentication bypass vulnerability exists in the Apache ActiveMQ component due to a flaw in the LDAPLoginModule implementation. A remote attacker can exploit this to bypass authentication mechanisms.
(CVE-2014-3612)

- Multiple cross-site scripting vulnerabilities exist in the administrative console of Apache ActiveMQ that allow a remote attacker to inject arbitrary HTML or web scripts. (CVE-2014-8110)

- An invalid free memory error exists due to improper validation of user-supplied input when a DTLS peer receives application data between ChangeCipherSpec and Finished messages. A remote attacker can exploit this to corrupt memory, resulting in a denial of service or the execution of arbitrary code. (CVE-2014-8176)

- A denial of service vulnerability exists when processing an ECParameters structure due to an infinite loop that occurs when a specified curve is over a malformed binary polynomial field. A remote attacker can exploit this to perform a denial of service against any system that processes public keys, certificate requests, or certificates. This includes TLS clients and TLS servers with client authentication enabled. (CVE-2015-1788)

- A denial of service vulnerability exists due to improper validation of the content and length of the ASN1_TIME string by the X509_cmp_time() function. A remote attacker can exploit this, via a malformed certificate and CRLs of various sizes, to cause a segmentation fault, resulting in a denial of service condition. TLS clients that verify CRLs are affected. TLS clients and servers with client authentication enabled may be affected if they use custom verification callbacks.
(CVE-2015-1789)

- A NULL pointer dereference flaw exists in the PKCS#7 parsing code due to incorrect handling of missing inner 'EncryptedContent'. This allows a remote attacker, via specially crafted ASN.1-encoded PKCS#7 blobs with missing content, to cause a denial of service condition or other potential unspecified impacts. (CVE-2015-1790)

- A double-free error exists due to a race condition that occurs when a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket. (CVE-2015-1791)

- A denial of service vulnerability exists in the CMS code due to an infinite loop that occurs when verifying a signedData message. A remote attacker can exploit this to cause a denial of service condition. (CVE-2015-1792)

- A double-free memory flaw exists in PostgreSQL due to a timeout interrupt occurring partway in the session shutdown sequence. A remote attacker, by closing an SSL session when the authentication timeout expires, can exploit this flaw to cause a denial of service.
(CVE-2015-3165)

- An out-of-memory condition exists in the printf() functions in PostgreSQL due to a failure to check for errors. A remote attacker can exploit this to access sensitive information. (CVE-2015-3166)

- A flaw exists in contrib/pgcrypto in PostgreSQL due to cases of decryption reporting other error message texts, which a remote attacker can use to recover keys from other systems. (CVE-2015-3167)

- A man-in-the-middle vulnerability, known as Logjam, exists due to a flaw in the SSL/TLS protocol. A remote attacker can exploit this flaw to downgrade connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography. (CVE-2015-4000)

Solution

Upgrade to Puppet Enterprise version 3.8.1 or later.

See Also

http://www.nessus.org/u?f903b0fa

http://www.nessus.org/u?50c9bedd

https://www.postgresql.org/about/news/1587/

https://puppet.com/security/cve/CVE-2015-4000

https://puppet.com/security/cve/openssl-june-2015-vulnerability-fix

https://www.openssl.org/news/secadv/20150611.txt

https://weakdh.org/

Plugin Details

Severity: High

ID: 84960

File Name: puppet_enterprise_activemq_psql_ssl.nasl

Version: 1.10

Type: remote

Family: CGI abuses

Published: 2015/07/23

Updated: 2018/11/15

Dependencies: 66233

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:puppetlabs:puppet

Exploit Available: false

Exploit Ease: No exploit is required

Patch Publication Date: 2015/06/18

Vulnerability Publication Date: 2010/02/17

Reference Information

CVE: CVE-2014-3600, CVE-2014-3612, CVE-2014-8110, CVE-2014-8176, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2015-3165, CVE-2015-3166, CVE-2015-3167, CVE-2015-4000

BID: 72510, 72511, 72513, 74733, 74787, 74789, 74790, 75154, 75156, 75157, 75158, 75159, 75161