Vulnerability Name:

CVE-2012-1987 (CCN-74795)

Assigned:2012-04-11
Published:2012-04-11
Updated:2019-07-11
Summary:Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to (1) cause a denial of service (memory consumption) via a REST request to a stream that triggers a thread block, as demonstrated using CVE-2012-1986 and /dev/random; or (2) cause a denial of service (filesystem consumption) via crafted REST requests that use "a marshaled form of a Puppet::FileBucket::File object" to write to arbitrary file locations.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Low
CVSS v2 Severity:3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P)
2.6 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
Vulnerability Type:CWE-noinfo
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2012-1987

Source: FEDORA
Type: UNKNOWN
FEDORA-2012-5999

Source: FEDORA
Type: UNKNOWN
FEDORA-2012-6055

Source: FEDORA
Type: UNKNOWN
FEDORA-2012-6674

Source: MISC
Type: Vendor Advisory
http://projects.puppetlabs.com/issues/13552

Source: MISC
Type: Vendor Advisory
http://projects.puppetlabs.com/issues/13553

Source: CONFIRM
Type: UNKNOWN
http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15

Source: CCN
Type: Puppet Labs Web site
CVE-2012-1987 (Denial of Service)

Source: CONFIRM
Type: Vendor Advisory
http://puppetlabs.com/security/cve/cve-2012-1987/

Source: CONFIRM
Type: UNKNOWN
http://puppetlabs.com/security/cve/cve-2012-1987/hotfixes/

Source: CCN
Type: RHSA-2012-1542
Moderate: CloudForms Commons 1.1 security update

Source: CCN
Type: SA48743
Puppet Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
48743

Source: SECUNIA
Type: Vendor Advisory
48748

Source: SECUNIA
Type: Vendor Advisory
48789

Source: SECUNIA
Type: Vendor Advisory
49136

Source: UBUNTU
Type: UNKNOWN
USN-1419-1

Source: DEBIAN
Type: UNKNOWN
DSA-2451

Source: DEBIAN
Type: DSA-2451
puppet -- several vulnerabilities

Source: OSVDB
Type: UNKNOWN
81308

Source: CCN
Type: OSVDB ID: 81308
Puppet Marshalled Puppet::FileBucket::File Object REST Request Parsing Remote DoS

Source: BID
Type: UNKNOWN
52975

Source: CCN
Type: BID-52975
Puppet Multiple Security Vulnerabilities

Source: XF
Type: UNKNOWN
puppet-rest-dos(74795)

Source: XF
Type: UNKNOWN
puppet-rest-dos(74795)

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2012:0608

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2012:0835

Vulnerable Configuration:Configuration 1:
  • cpe:/a:puppet:puppet:2.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.6.3:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.6.4:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.6.5:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.6.6:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.6.7:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.6.8:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.6.9:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.6.10:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.6.11:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.6.12:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.6.13:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.6.14:*:*:*:*:*:*:*

    • Configuration 2:
  • cpe:/a:puppet:puppet:2.7.2:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.7.3:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.7.4:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.7.5:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.7.6:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.7.7:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.7.8:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.7.9:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.7.10:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.7.11:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet_enterprise:2.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.7.0:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.7.1:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/a:puppet:puppet_enterprise:1.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet_enterprise:1.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet_enterprise:1.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet_enterprise:1.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet_enterprise:1.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet_enterprise:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet_enterprise:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet_enterprise:2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:puppetlabs:puppet_enterprise_users:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:puppetlabs:puppet_enterprise_users:1.1:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:puppet:puppet:2.7.4:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.6.10:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.7.10:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.7.5:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.6.13:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.6.11:*:*:*:*:*:*:*
  • OR cpe:/a:puppet:puppet:2.6.0:*:*:*:*:*:*:*
  • AND
  • cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:42426
    P
    		Security update for mokutil (Moderate)
    2022-08-03
    oval:org.opensuse.security:def:20121987
    V
    		CVE-2012-1987
    2022-05-20
    oval:org.opensuse.security:def:31754
    P
    		Security update for libsndfile (Important)
    2022-01-05
    oval:org.opensuse.security:def:26167
    P
    		Security update for php72 (Moderate)
    2021-11-19
    oval:org.opensuse.security:def:31703
    P
    		Security update for MozillaFirefox (Important)
    2021-11-17
    oval:org.opensuse.security:def:26145
    P
    		Security update for the Linux Kernel (Important)
    2021-10-12
    oval:org.opensuse.security:def:32196
    P
    		Security update for python-urllib3 (Moderate)
    2021-09-29
    oval:org.opensuse.security:def:26110
    P
    		Security update for aspell (Important)
    2021-08-25
    oval:org.opensuse.security:def:32982
    P
    		Security update for java-1_8_0-openjdk (Important)
    2021-08-20
    oval:org.opensuse.security:def:32151
    P
    		Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)
    2021-07-27
    oval:org.opensuse.security:def:32943
    P
    		Security update for caribou (Important)
    2021-06-10
    oval:org.opensuse.security:def:42683
    P
    		puppet-2.7.26-0.5.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:36276
    P
    		puppet-2.7.26-0.5.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:32109
    P
    		Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)
    2021-06-04
    oval:org.opensuse.security:def:32095
    P
    		Security update for libxml2 (Important)
    2021-05-19
    oval:org.opensuse.security:def:26029
    P
    		Security update for the Linux Kernel (Important)
    2021-04-15
    oval:org.opensuse.security:def:31743
    P
    		Security update for python (Moderate)
    2021-03-16
    oval:org.opensuse.security:def:31742
    P
    		Security update for git (Important)
    2021-03-09
    oval:org.opensuse.security:def:26198
    P
    		Security update for avahi (Moderate)
    2021-02-23
    oval:org.opensuse.security:def:32261
    P
    		Security update for krb5-appl (Important)
    2021-02-19
    oval:org.opensuse.security:def:32239
    P
    		Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)
    2021-02-10
    oval:org.opensuse.security:def:32200
    P
    		Security update for python3 (Important)
    2021-02-08
    oval:org.opensuse.security:def:36019
    P
    		puppet-2.6.18-0.4.2 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:25772
    P
    		Security update for gstreamer-0_10-plugins-bad (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26300
    P
    		Security update for gimp (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25837
    P
    		Security update for ImageMagick (Important)
    2020-12-01
    oval:org.opensuse.security:def:26504
    P
    		Security update for chromium (Important)
    2020-12-01
    oval:org.opensuse.security:def:31485
    P
    		Security update for python (Important)
    2020-12-01
    oval:org.opensuse.security:def:33200
    P
    		lvm2 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25853
    P
    		Security update for gtk2 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26344
    P
    		Security update for mbedtls (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25901
    P
    		Security update for flash-player (Important)
    2020-12-01
    oval:org.opensuse.security:def:26543
    P
    		expat on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:31486
    P
    		Security update for python (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:33239
    P
    		puppet on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25910
    P
    		Security update for gstreamer-0_10-plugins-base (Low)
    2020-12-01
    oval:org.opensuse.security:def:26982
    P
    		libxslt on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26557
    P
    		gnome-screensaver on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:31497
    P
    		Security update for python-lxml
    2020-12-01
    oval:org.opensuse.security:def:32352
    P
    		Security update for squid3 (Important)
    2020-12-01
    oval:org.opensuse.security:def:25994
    P
    		Security update for ImageMagick (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:27017
    P
    		puppet on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26601
    P
    		libsamplerate on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:31571
    P
    		Security update for strongswan (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:32408
    P
    		Security update for wget (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25568
    P
    		Security update for samba (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:27239
    P
    		man on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:32457
    P
    		Security update for xorg-x11-libX11 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25569
    P
    		Security update for tomcat (Important)
    2020-12-01
    oval:org.opensuse.security:def:26251
    P
    		Security update for zziplib (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:27274
    P
    		puppet on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:31795
    P
    		Security update for MozillaFirefox, mozilla-nspr, mozilla-nss (Important)
    2020-12-01
    oval:org.opensuse.security:def:32305
    P
    		Security update for python (Important)
    2020-12-01
    oval:org.opensuse.security:def:31828
    P
    		Security update for bind (Important)
    2020-12-01
    oval:org.opensuse.security:def:32496
    P
    		coolkey on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25580
    P
    		Security update for LibVNCServer (Important)
    2020-12-01
    oval:org.opensuse.security:def:26247
    P
    		Security update for bluez (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25825
    P
    		Security update for ImageMagick (Important)
    2020-12-01
    oval:org.opensuse.security:def:26402
    P
    		Security update for irssi (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:31852
    P
    		Recommended udpate for SUSE Manager Client Tools (Low)
    2020-12-01
    oval:org.opensuse.security:def:31960
    P
    		Security update for gtk2 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:32518
    P
    		gd on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25644
    P
    		Security update for taglib (Low)
    2020-12-01
    oval:org.opensuse.security:def:26286
    P
    		Security update for libcdio (Low)
    2020-12-01
    oval:org.opensuse.security:def:25826
    P
    		Security update for the Linux Kernel (Important)
    2020-12-01
    oval:org.opensuse.security:def:26455
    P
    		Security update for chromium (Important)
    2020-12-01
    oval:org.opensuse.security:def:31939
    P
    		Security update for glibc (Important)
    2020-12-01
    oval:org.opensuse.security:def:32052
    P
    		Security update for kvm (Important)
    2020-12-01
    oval:org.opensuse.security:def:32562
    P
    		libpoppler-glib4 on GA media (Moderate)
    2020-12-01
    oval:org.mitre.oval:def:17851
    P
    		USN-1419-1 -- puppet vulnerabilities
    2014-06-30
    oval:org.mitre.oval:def:18378
    P
    		DSA-2453-1 gajim - several
    2014-06-23
    oval:org.mitre.oval:def:18629
    P
    		DSA-2451-1 puppet - several
    2014-06-23
    oval:org.mitre.oval:def:20130
    P
    		DSA-2453-2 gajim - regression
    2014-06-23
    BACK
    puppet puppet 2.6.0
    puppet puppet 2.6.1
    puppet puppet 2.6.2
    puppet puppet 2.6.3
    puppet puppet 2.6.4
    puppet puppet 2.6.5
    puppet puppet 2.6.6
    puppet puppet 2.6.7
    puppet puppet 2.6.8
    puppet puppet 2.6.9
    puppet puppet 2.6.10
    puppet puppet 2.6.11
    puppet puppet 2.6.12
    puppet puppet 2.6.13
    puppet puppet 2.6.14
    puppet puppet 2.7.2
    puppet puppet 2.7.3
    puppet puppet 2.7.4
    puppet puppet 2.7.5
    puppet puppet 2.7.6
    puppet puppet 2.7.7
    puppet puppet 2.7.8
    puppet puppet 2.7.9
    puppet puppet 2.7.10
    puppet puppet 2.7.11
    puppet puppet enterprise 2.5.0
    puppetlabs puppet 2.7.0
    puppetlabs puppet 2.7.1
    puppet puppet enterprise 1.2.0
    puppet puppet enterprise 1.2.1
    puppet puppet enterprise 1.2.2
    puppet puppet enterprise 1.2.3
    puppet puppet enterprise 1.2.4
    puppet puppet enterprise 2.0.0
    puppet puppet enterprise 2.0.1
    puppet puppet enterprise 2.0.2
    puppetlabs puppet enterprise users 1.0
    puppetlabs puppet enterprise users 1.1
    puppetlabs puppet 2.7.4
    puppetlabs puppet 2.6.10
    puppetlabs puppet 2.7.10
    puppetlabs puppet 2.7.5
    puppetlabs puppet 2.6.13
    puppetlabs puppet 2.6.11
    puppetlabs puppet 2.6.0
    redhat linux advanced workstation 2.1