CVE-2017-2295 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2017-2295 Interim 1 23 2024-07-27T00:57:10Z current 2021-05-30T13:50:06Z 2024-07-27T00:57:10Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2017-2295 Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2017-August/003123.html E-Mail link for SUSE-SU-2017:2113-1 https://lists.suse.com/pipermail/sle-security-updates/2018-March/003783.html E-Mail link for SUSE-SU-2018:0600-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/B5GJUVML2GV5YK2CZTNCIELTQXOEFL5O/#B5GJUVML2GV5YK2CZTNCIELTQXOEFL5O E-Mail link for openSUSE-SU-2017:1948-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Desktop 12 SP3 SUSE Linux Enterprise Desktop 12 SP4 SUSE Linux Enterprise Module for Advanced Systems Management 12 SUSE Linux Enterprise Server 11 SP1-TERADATA SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Server 11 SP4 LTSS SUSE Linux Enterprise Module for Advanced Systems Management 12 SUSE Linux Enterprise Module for Advanced Systems Management 12 SUSE Linux Enterprise Module for Advanced Systems Management 12 SUSE Linux Enterprise Module for Advanced Systems Management 12 SUSE Linux Enterprise Server for SAP Applications 11 SP4 SUSE Linux Enterprise Module for Advanced Systems Management 12 SUSE Linux Enterprise Module for Advanced Systems Management 12 SUSE Linux Enterprise Module for Advanced Systems Management 12 SUSE Linux Enterprise Module for Advanced Systems Management 12 puppet puppet-2.7.26-0.5.3.1 puppet-3.8.5-15.3.3 puppet-3.8.5-15.9.1 puppet-server-2.7.26-0.5.3.1 puppet-server-3.8.5-15.3.3 puppet-3.8.5-15.3.3 as a component of SUSE Linux Enterprise Desktop 12 SP2 puppet-3.8.5-15.3.3 as a component of SUSE Linux Enterprise Desktop 12 SP3 puppet-3.8.5-15.9.1 as a component of SUSE Linux Enterprise Desktop 12 SP4 puppet-3.8.5-15.3.3 as a component of SUSE Linux Enterprise Module for Advanced Systems Management 12 puppet-server-3.8.5-15.3.3 as a component of SUSE Linux Enterprise Module for Advanced Systems Management 12 puppet-2.7.26-0.5.3.1 as a component of SUSE Linux Enterprise Server 11 SP1-TERADATA puppet-server-2.7.26-0.5.3.1 as a component of SUSE Linux Enterprise Server 11 SP1-TERADATA puppet-2.7.26-0.5.3.1 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA puppet-server-2.7.26-0.5.3.1 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA puppet-2.7.26-0.5.3.1 as a component of SUSE Linux Enterprise Server 11 SP4 puppet-server-2.7.26-0.5.3.1 as a component of SUSE Linux Enterprise Server 11 SP4 puppet-2.7.26-0.5.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 puppet-server-2.7.26-0.5.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 puppet as a component of SUSE Linux Enterprise Server 11 SP4 LTSS Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML. CVE-2017-2295 SUSE Linux Enterprise Desktop 12 SP2:puppet-3.8.5-15.3.3 SUSE Linux Enterprise Desktop 12 SP3:puppet-3.8.5-15.3.3 SUSE Linux Enterprise Desktop 12 SP4:puppet-3.8.5-15.9.1 SUSE Linux Enterprise Module for Advanced Systems Management 12:puppet-3.8.5-15.3.3 SUSE Linux Enterprise Module for Advanced Systems Management 12:puppet-server-3.8.5-15.3.3 SUSE Linux Enterprise Server 11 SP1-TERADATA:puppet-2.7.26-0.5.3.1 SUSE Linux Enterprise Server 11 SP1-TERADATA:puppet-server-2.7.26-0.5.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:puppet-2.7.26-0.5.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:puppet-server-2.7.26-0.5.3.1 SUSE Linux Enterprise Server 11 SP4:puppet-2.7.26-0.5.3.1 SUSE Linux Enterprise Server 11 SP4:puppet-server-2.7.26-0.5.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:puppet-2.7.26-0.5.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:puppet-server-2.7.26-0.5.3.1 important 7.6 AV:N/AC:H/Au:N/C:C/I:C/A:C 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H