CVE-2011-3872
N/A
N/A
Summary
Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise (PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent certificate, adds the Puppet master's certdnsnames values to the X.509 Subject Alternative Name field of the certificate, which allows remote attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack against an agent that uses an alternate DNS name for the master, aka "AltNames Vulnerability."
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- http://secunia.com/advisories/46550
- http://www.ubuntu.com/usn/USN-1238-2
- http://puppetlabs.com/blog/important-security-announcement-altnames-vulnerability/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/70970
- http://secunia.com/advisories/46578
- https://puppet.com/security/cve/cve-2011-3872
- http://secunia.com/advisories/46934
- http://groups.google.com/group/puppet-announce/browse_thread/thread/e7edc3a71348f3e1
- http://www.securityfocus.com/bid/50356
- http://secunia.com/advisories/46964
- http://www.ubuntu.com/usn/USN-1238-1
References
- http://secunia.com/advisories/46550
- http://www.ubuntu.com/usn/USN-1238-2
- http://puppetlabs.com/blog/important-security-announcement-altnames-vulnerability/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/70970
- http://secunia.com/advisories/46578
- https://puppet.com/security/cve/cve-2011-3872
- http://secunia.com/advisories/46934
- http://groups.google.com/group/puppet-announce/browse_thread/thread/e7edc3a71348f3e1
- http://www.securityfocus.com/bid/50356
- http://secunia.com/advisories/46964
- http://www.ubuntu.com/usn/USN-1238-1
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.