CVE-2014-3250

Published: 11 December 2017

The default vhost configuration file in Puppet before 3.6.2 does not include the SSLCARevocationCheck directive, which might allow remote attackers to obtain sensitive information via a revoked certificate when a Puppet master runs with Apache 2.4.

Priority

Low

CVSS 3 base score: 6.5

Status

Package: puppet (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Released (3.7.0-1)
Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable
Ubuntu 14.04 ESM (Trusty Tahr): Ignored

Patches:
Upstream: https://github.com/puppetlabs/puppet/commit/b02af7e05d9b9a3bc23474933d8d7f6cd6191158
Upstream: https://github.com/puppetlabs/puppet/commit/bcc6dc3207b81ab10e17c63737d18618dca05c1b
Upstream: https://github.com/puppetlabs/puppet/commit/f4b479f36648576c39d8ef441d3127aa1b613189

Notes

Author: Note
sbeattie: triggered under apache 2.4 only
mdeslaur: later Debian packages don't enable SSLCARevocationCheck by
default, just simply add it as a commented-out example to the
config file. We are not going to fix this in Ubuntu 14.04 LTS.
If this is required, it can simply be added to the local
configuration.
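
A check for the condition described in the notes above, as an added example (not code from Puppet, Ubuntu or Debian): for each Apache vhost that verifies client certificates, it reports whether SSLCARevocationCheck is active rather than absent, commented out or set to none. The sample vhost text and the CRL path are constructed placeholders, and the function name is hypothetical; Include files and line continuations are not followed.

```python
import re

# Constructed sample vhost (not copied from any Puppet package); the CRL path is a placeholder.
VHOST_COMMENTED = """\
<VirtualHost *:8140>
    SSLEngine on
    SSLVerifyClient optional
    SSLCARevocationFile /path/to/ca_crl.pem
    # SSLCARevocationCheck chain
</VirtualHost>
"""
VHOST_ENABLED = VHOST_COMMENTED.replace("# SSLCARevocationCheck", "SSLCARevocationCheck")

# Apache 2.4 defaults: no client verification, no CRL checking.
DEFAULTS = {"sslverifyclient": "none", "sslcarevocationcheck": "none"}


def audit_vhosts(conf_text):
    """Return (vhost, revocation_enforced) for every vhost that verifies client certs."""
    server, vhosts = {}, []
    scope = server  # directives outside <VirtualHost> apply server-wide
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive is not active
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            scope = {"vhost": opened.group(1).strip()}
            vhosts.append(scope)
        elif re.match(r"</VirtualHost\s*>", line, re.I):
            scope = server
        else:
            parts = line.split()
            name = parts[0].lower()  # directive names are case-insensitive
            if name in DEFAULTS and len(parts) > 1:
                scope[name] = parts[1].lower()
    findings = []
    for vh in vhosts:
        merged = {**DEFAULTS, **server, **vh}  # vhost settings override server-wide ones
        if merged["sslverifyclient"] != "none":
            enforced = merged["sslcarevocationcheck"] != "none"
            findings.append((merged["vhost"], enforced))
    return findings


if __name__ == "__main__":
    for label, conf in (("commented-out", VHOST_COMMENTED), ("enabled", VHOST_ENABLED)):
        for vhost, enforced in audit_vhosts(conf):
            print(f"{label}: vhost {vhost} revocation checking enforced: {enforced}")
```
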

References