CVE-2017-2292
Published 2017-06-30
Priority: P350, critical, 9 (CVSS 3.0)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
EPSS: 2.18% (80.1th percentile)
Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server. The fix for this is to call YAML.safe_load on input. This has been tested in all Puppet-supplied MCollective plugins, but there is a chance that third-party plugins could rely on this insecure behavior.
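The difference between permissive YAML parsing and `YAML.safe_load`, as an added example that is not MCollective's own code. The `ReplyMarker` class, the sample replies and the helper names are constructed for illustration; the symbol case shows how a plugin reply could depend on the permissive behaviour.

```ruby
require "yaml"

# Constructed stand-in for any class that is loadable in the server process.
class ReplyMarker
  attr_accessor :note
end

# Constructed sample replies (not real MCollective wire data).
PLAIN_REPLY  = "statuscode: 0\nstatusmsg: OK\ndata:\n  uptime: 1234\n"
TAGGED_REPLY = "statuscode: 0\ndata: !ruby/object:ReplyMarker\n  note: built by the parser\n"
SYMBOL_REPLY = ":status: :ok\n"

# Pre-fix behaviour: the document decides which Ruby classes get instantiated.
# Psych 4+ made YAML.load safe by default and moved this to unsafe_load.
def permissive_parse(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Post-fix behaviour: plain scalars, arrays and hashes only, plus any class
# the caller explicitly permits (keyword form, Psych 3.1 and later).
def strict_parse(text, permitted: [])
  [:ok, YAML.safe_load(text, permitted_classes: permitted)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if __FILE__ == $0
  # The permissive parser hands back an object of a class named by the sender.
  puts "permissive: #{permissive_parse(TAGGED_REPLY)['data'].class}"

  # The strict parser accepts plain data and refuses everything else.
  { "plain" => PLAIN_REPLY, "tagged" => TAGGED_REPLY, "symbols" => SYMBOL_REPLY }.each do |name, text|
    status, detail = strict_parse(text)
    puts "strict #{name}: #{status} (#{detail})"
  end

  # A reply format that needs symbols has to opt in class by class.
  puts "strict symbols, Symbol permitted: #{strict_parse(SYMBOL_REPLY, permitted: [Symbol]).inspect}"
end
```

A plugin whose replies are rejected by the strict parser is one that relied on the old behaviour; permitting only the specific classes it needs keeps the fix in place.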
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | mcollective | < mcollective 2.12.0+dfsg-1 (bookworm) | mcollective 2.12.0+dfsg-1 (bookworm) |
| puppet | mcollective | <= 2.10.3 | — |
| puppet | mcollective | >= 0 < 2.12.0+dfsg-1 | 2.12.0+dfsg-1 |
| puppet | mcollective | >= 0 < 2.12.0+dfsg-1 | 2.12.0+dfsg-1 |
CVSS provenance
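| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.0 | CRITICAL | |
| vendor_debian | | 9.0 | CRITICAL | |
| vendor_redhat | | 9.0 | CRITICAL | |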
Red Hat
mcollective: RCE via YAML deserialization
vendor_redhat·2017-05-11·CVSS 9.0
CVE-2017-2292 [CRITICAL] CWE-502 mcollective: RCE via YAML deserialization
Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server. The fix for this is to call YAML.safe_load on input. This has been tested in all Puppet-supplied MCollective plugins, but there is a chance that third-party plugins could rely on this insecure behavior.
Package: ruby193-mcollective (Red Hat OpenShift Enterprise 2) - Will not fix
Debian
CVE-2017-2292: mcollective - Versions of MCollective prior to 2.10.4 deserialized YAML from agents without ca...
vendor_debian·2017·CVSS 9.0
CVE-2017-2292 [CRITICAL] CVE-2017-2292: mcollective - Versions of MCollective prior to 2.10.4 deserialized YAML from agents without ca...
Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server. The fix for this is to call YAML.safe_load on input. This has been tested in all Puppet-supplied MCollective plugins, but there is a chance that third-party plugins could rely on this insecure behavior.
Scope: local
bookworm: resolved (fixed in 2.12.0+dfsg-1)
bullseye: resolved (fixed in 2.12.0+dfsg-1)
GHSA
GHSA-9hgj-f7f3-cph7: Versions of MCollective prior to 2
ghsa_unreviewed·2022-05-17
CVE-2017-2292 [CRITICAL] CWE-502 GHSA-9hgj-f7f3-cph7: Versions of MCollective prior to 2
Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server. The fix for this is to call YAML.safe_load on input. This has been tested in all Puppet-supplied MCollective plugins, but there is a chance that third-party plugins could rely on this insecure behavior.
OSV
CVE-2017-2292: Versions of MCollective prior to 2
osv·2017-06-30·CVSS 9.0
CVE-2017-2292 [CRITICAL] CVE-2017-2292: Versions of MCollective prior to 2
Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server. The fix for this is to call YAML.safe_load on input. This has been tested in all Puppet-supplied MCollective plugins, but there is a chance that third-party plugins could rely on this insecure behavior.
No detection rules found.
Bugzilla
CVE-2017-2292 mcollective: RCE via YAML deserialization
bugzilla·2017-07-12·CVSS 9.0
CVE-2017-2292 [CRITICAL] CVE-2017-2292 mcollective: RCE via YAML deserialization
Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server. The fix for this is to call YAML.safe_load on input. This has been tested in all Puppet-supplied MCollective plugins, but there is a chance that third-party plugins could rely on this insecure behavior.
External References:
https://puppet.com/security/cve/cve-2017-2292
Upstream patch:
https://github.com/puppetlabs/marionette-collective/commit/e0e741889f5adeb8f75387037106b0d28a9099b0
Discussion:
Created mcollective tracking bugs for this issue:
Affects: epel-6 [bug 1470088]
Affects: fedora-all [bug 1470087]
Created ruby193-mcollective tracking bugs for this issue:
Bugzilla
CVE-2017-2292 mcollective: RCE via YAML deserialization [epel-6]
bugzilla·2017-07-12·CVSS 9.0
CVE-2017-2292 [CRITICAL] CVE-2017-2292 mcollective: RCE via YAML deserialization [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-6.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template to for the 'fedpkg update' re
Bugzilla
CVE-2017-2292 mcollective: RCE via YAML deserialization [fedora-all]
bugzilla·2017-07-12·CVSS 9.0
CVE-2017-2292 [CRITICAL] CVE-2017-2292 mcollective: RCE via YAML deserialization [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedor
Bugzilla
CVE-2017-7507 gnutls: Crash upon receiving well-formed status_request extension
bugzilla·2017-05-23·CVSS 7.5
CVE-2017-7507 [HIGH] CVE-2017-7507 gnutls: Crash upon receiving well-formed status_request extension
It was found that GnuTLS would crash when receiving a client hello message with status_request extension that has a non-empty responder_id_list.
Discussion:
Acknowledgments:
Name: Hubert Kario (Red Hat QE BaseOS Security team)
---
Created gnutls tracking bugs for this issue:
Affects: fedora-all [bug 1459795]
Created gnutls30 tracking bugs for this issue:
Affects: epel-6 [bug 1459797]
Created mingw-gnutls tracking bugs for this issue:
Affects: epel-7 [bug 1459796]
Affects: fedora-all [bug 1459798]
---
External References:
https://www.gnutls.org/security.html#GNUTLS-SA-2017-4
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:2292 https://acce