Vulnerability CVE-2012-1987

Vulnerability Name:

CVE-2012-1987 (CCN-74795)

Assigned:

2012-04-11

Published:

2012-04-11

Updated:

2019-07-11

Summary:

Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to (1) cause a denial of service (memory consumption) via a REST request to a stream that triggers a thread block, as demonstrated using CVE-2012-1986 and /dev/random; or (2) cause a denial of service (filesystem consumption) via crafted REST requests that use "a marshaled form of a Puppet::FileBucket::File object" to write to arbitrary file locations.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P)
2.6 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

CWE-noinfo

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2012-1987

Source: FEDORA
Type: UNKNOWN
FEDORA-2012-5999

Source: FEDORA
Type: UNKNOWN
FEDORA-2012-6055

Source: FEDORA
Type: UNKNOWN
FEDORA-2012-6674

Source: MISC
Type: Vendor Advisory
http://projects.puppetlabs.com/issues/13552

Source: MISC
Type: Vendor Advisory
http://projects.puppetlabs.com/issues/13553

Source: CONFIRM
Type: UNKNOWN
http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15

Source: CCN
Type: Puppet Labs Web site
CVE-2012-1987 (Denial of Service)

Source: CONFIRM
Type: Vendor Advisory
http://puppetlabs.com/security/cve/cve-2012-1987/

Source: CONFIRM
Type: UNKNOWN
http://puppetlabs.com/security/cve/cve-2012-1987/hotfixes/

Source: CCN
Type: RHSA-2012-1542
Moderate: CloudForms Commons 1.1 security update

Source: CCN
Type: SA48743
Puppet Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
48743

Source: SECUNIA
Type: Vendor Advisory
48748

Source: SECUNIA
Type: Vendor Advisory
48789

Source: SECUNIA
Type: Vendor Advisory
49136

Source: UBUNTU
Type: UNKNOWN
USN-1419-1

Source: DEBIAN
Type: UNKNOWN
DSA-2451

Source: DEBIAN
Type: DSA-2451
puppet -- several vulnerabilities

Source: OSVDB
Type: UNKNOWN
81308

Source: CCN
Type: OSVDB ID: 81308
Puppet Marshalled Puppet::FileBucket::File Object REST Request Parsing Remote DoS

Source: BID
Type: UNKNOWN
52975

Source: CCN
Type: BID-52975
Puppet Multiple Security Vulnerabilities

Source: XF
Type: UNKNOWN
puppet-rest-dos(74795)

Source: XF
Type: UNKNOWN
puppet-rest-dos(74795)

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2012:0608

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2012:0835

Vulnerable Configuration:

Configuration 1:

cpe:/a:puppet:puppet:2.6.0:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.1:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.2:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.3:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.4:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.5:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.6:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.7:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.8:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.9:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.10:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.11:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.12:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.13:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.14:*:*:*:*:*:*:*

Configuration 2:

cpe:/a:puppet:puppet:2.7.2:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.3:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.4:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.5:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.6:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.7:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.8:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.9:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.10:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.11:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet_enterprise:2.5.0:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.0:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.1:*:*:*:*:*:*:*

Configuration 3:

cpe:/a:puppet:puppet_enterprise:1.2.0:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet_enterprise:1.2.1:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet_enterprise:1.2.2:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet_enterprise:1.2.3:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet_enterprise:1.2.4:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet_enterprise:2.0.0:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet_enterprise:2.0.1:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet_enterprise:2.0.2:*:*:*:*:*:*:*

OR cpe:/a:puppetlabs:puppet_enterprise_users:1.0:*:*:*:*:*:*:*

OR cpe:/a:puppetlabs:puppet_enterprise_users:1.1:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:puppet:puppet:2.7.4:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.10:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.10:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.5:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.13:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.11:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.0:*:*:*:*:*:*:*

AND

cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:42426	P	Security update for mokutil (Moderate)	2022-08-03
oval:org.opensuse.security:def:20121987	V	CVE-2012-1987	2022-05-20
oval:org.opensuse.security:def:31754	P	Security update for libsndfile (Important)	2022-01-05
oval:org.opensuse.security:def:26167	P	Security update for php72 (Moderate)	2021-11-19
oval:org.opensuse.security:def:31703	P	Security update for MozillaFirefox (Important)	2021-11-17
oval:org.opensuse.security:def:26145	P	Security update for the Linux Kernel (Important)	2021-10-12
oval:org.opensuse.security:def:32196	P	Security update for python-urllib3 (Moderate)	2021-09-29
oval:org.opensuse.security:def:26110	P	Security update for aspell (Important)	2021-08-25
oval:org.opensuse.security:def:32982	P	Security update for java-1_8_0-openjdk (Important)	2021-08-20
oval:org.opensuse.security:def:32151	P	Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)	2021-07-27
oval:org.opensuse.security:def:32943	P	Security update for caribou (Important)	2021-06-10
oval:org.opensuse.security:def:42683	P	puppet-2.7.26-0.5.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:36276	P	puppet-2.7.26-0.5.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:32109	P	Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)	2021-06-04
oval:org.opensuse.security:def:32095	P	Security update for libxml2 (Important)	2021-05-19
oval:org.opensuse.security:def:26029	P	Security update for the Linux Kernel (Important)	2021-04-15
oval:org.opensuse.security:def:31743	P	Security update for python (Moderate)	2021-03-16
oval:org.opensuse.security:def:31742	P	Security update for git (Important)	2021-03-09
oval:org.opensuse.security:def:26198	P	Security update for avahi (Moderate)	2021-02-23
oval:org.opensuse.security:def:32261	P	Security update for krb5-appl (Important)	2021-02-19
oval:org.opensuse.security:def:32239	P	Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)	2021-02-10
oval:org.opensuse.security:def:32200	P	Security update for python3 (Important)	2021-02-08
oval:org.opensuse.security:def:36019	P	puppet-2.6.18-0.4.2 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:25772	P	Security update for gstreamer-0_10-plugins-bad (Moderate)	2020-12-01
oval:org.opensuse.security:def:26300	P	Security update for gimp (Moderate)	2020-12-01
oval:org.opensuse.security:def:25837	P	Security update for ImageMagick (Important)	2020-12-01
oval:org.opensuse.security:def:26504	P	Security update for chromium (Important)	2020-12-01
oval:org.opensuse.security:def:31485	P	Security update for python (Important)	2020-12-01
oval:org.opensuse.security:def:33200	P	lvm2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25853	P	Security update for gtk2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:26344	P	Security update for mbedtls (Moderate)	2020-12-01
oval:org.opensuse.security:def:25901	P	Security update for flash-player (Important)	2020-12-01
oval:org.opensuse.security:def:26543	P	expat on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:31486	P	Security update for python (Moderate)	2020-12-01
oval:org.opensuse.security:def:33239	P	puppet on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25910	P	Security update for gstreamer-0_10-plugins-base (Low)	2020-12-01
oval:org.opensuse.security:def:26982	P	libxslt on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26557	P	gnome-screensaver on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:31497	P	Security update for python-lxml	2020-12-01
oval:org.opensuse.security:def:32352	P	Security update for squid3 (Important)	2020-12-01
oval:org.opensuse.security:def:25994	P	Security update for ImageMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:27017	P	puppet on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26601	P	libsamplerate on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:31571	P	Security update for strongswan (Moderate)	2020-12-01
oval:org.opensuse.security:def:32408	P	Security update for wget (Moderate)	2020-12-01
oval:org.opensuse.security:def:25568	P	Security update for samba (Moderate)	2020-12-01
oval:org.opensuse.security:def:27239	P	man on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:32457	P	Security update for xorg-x11-libX11 (Moderate)	2020-12-01
oval:org.opensuse.security:def:25569	P	Security update for tomcat (Important)	2020-12-01
oval:org.opensuse.security:def:26251	P	Security update for zziplib (Moderate)	2020-12-01
oval:org.opensuse.security:def:27274	P	puppet on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:31795	P	Security update for MozillaFirefox, mozilla-nspr, mozilla-nss (Important)	2020-12-01
oval:org.opensuse.security:def:32305	P	Security update for python (Important)	2020-12-01
oval:org.opensuse.security:def:31828	P	Security update for bind (Important)	2020-12-01
oval:org.opensuse.security:def:32496	P	coolkey on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25580	P	Security update for LibVNCServer (Important)	2020-12-01
oval:org.opensuse.security:def:26247	P	Security update for bluez (Moderate)	2020-12-01
oval:org.opensuse.security:def:25825	P	Security update for ImageMagick (Important)	2020-12-01
oval:org.opensuse.security:def:26402	P	Security update for irssi (Moderate)	2020-12-01
oval:org.opensuse.security:def:31852	P	Recommended udpate for SUSE Manager Client Tools (Low)	2020-12-01
oval:org.opensuse.security:def:31960	P	Security update for gtk2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:32518	P	gd on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25644	P	Security update for taglib (Low)	2020-12-01
oval:org.opensuse.security:def:26286	P	Security update for libcdio (Low)	2020-12-01
oval:org.opensuse.security:def:25826	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:26455	P	Security update for chromium (Important)	2020-12-01
oval:org.opensuse.security:def:31939	P	Security update for glibc (Important)	2020-12-01
oval:org.opensuse.security:def:32052	P	Security update for kvm (Important)	2020-12-01
oval:org.opensuse.security:def:32562	P	libpoppler-glib4 on GA media (Moderate)	2020-12-01
oval:org.mitre.oval:def:17851	P	USN-1419-1 -- puppet vulnerabilities	2014-06-30
oval:org.mitre.oval:def:18378	P	DSA-2453-1 gajim - several	2014-06-23
oval:org.mitre.oval:def:18629	P	DSA-2451-1 puppet - several	2014-06-23
oval:org.mitre.oval:def:20130	P	DSA-2453-2 gajim - regression	2014-06-23

BACK