[Pkg-puppet-devel] Bug#877390: Fwd: facter: Potential leak of IAM instance profile role authentication information stored in fact
Russell Maclean
russ at graphenic.com.au
Sun Oct 1 10:07:54 UTC 2017
Package: facter
Version: 2.2.0-1
Severity: critical
Tags: security upstream
Justification: root security hole
Dear Maintainer,

Due to https://tickets.puppetlabs.com/browse/FACT-800, Facter caches the IAM
role AKID/SAKID and Token under the ec2_metadata fact. Facts are stored under
/var/lib/puppet/yaml/facts/$nodename.yaml; however, facts can be reported by
report processors to less authorised systems, potentially allowing abuse of
authentication information against the AWS API.

All current Jessie Puppet systems store this authentication information
under the ec2_metadata fact on disk, and it is reported via any custom or Puppet
report processing.

Debian Release: 8.9
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages facter depends on:
ii bind9-host [host] 1:9.9.5.dfsg-9+deb8u12
ii net-tools 1.60-26+b1
ii ruby 1:2.1.5+deb8u2
ii ruby-json 1.8.1-1+b2
ii ruby2.1 [ruby-interpreter] 2.1.5-2+deb8u3
Versions of packages facter recommends:
ii dmidecode 2.12-3
ii pciutils 1:3.2.1-3
ii virt-what 1.14-1
facter suggests no packages.
-- no debconf information
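
The check below is an added example, not part of the original report and not code from Facter or Puppet. It scans cached facts files for the instance profile credential fields (AccessKeyId, SecretAccessKey, Token) under ec2_metadata and reports which files carry them without printing the values. The sample file layout, node name, role name and all key material are constructed assumptions.

```ruby
require "tmpdir"

# Field names of the credential document that the EC2 instance metadata
# service returns for an instance profile role.
CRED_FIELDS = %w[AccessKeyId SecretAccessKey Token].freeze

# Constructed sample of a cached facts file; the exact layout is an assumption
# (stringified ec2_metadata with escaped JSON), all values are fake.
SAMPLE = <<~'YAML'
  --- !ruby/object:Puppet::Node::Facts
  name: node1.example.internal
  values:
    ec2_metadata: '{"iam"=>{"security-credentials"=>{"example-role"=>"{\"AccessKeyId\" : \"ASIAEXAMPLEEXAMPLE00\", \"SecretAccessKey\" : \"EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret00\", \"Token\" : \"EXAMPLEtokenEXAMPLEtokenEXAMPLEtoken==\"}"}}}'
YAML

# Names of credential fields present with a value in a facts file's text.
# Scans raw text rather than parsing YAML: the cache carries Ruby object tags
# and the key may be followed by ':' or '=>' plus escaped quotes.
# The secret values themselves are never returned or printed.
def leaked_credential_fields(text)
  return [] unless text.include?("ec2_metadata")
  CRED_FIELDS.select do |field|
    text.match?(/\b#{field}\b[\\"'\s]*(?::|=>)[\\"'\s]*[A-Za-z0-9+\/=]{16,}/)
  end
end

# Scan every *.yaml in dir; report affected files and whether each is
# readable by "other" users on the host.
def scan_facts_dir(dir)
  Dir.glob(File.join(dir, "*.yaml")).sort.each_with_object({}) do |path, hits|
    fields = leaked_credential_fields(File.read(path))
    next if fields.empty?
    world = (File.stat(path).mode & 0o004) != 0
    hits[path] = { fields: fields, world_readable: world }
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "node1.example.internal.yaml"), SAMPLE)
    scan_facts_dir(dir).each do |path, r|
      puts "#{File.basename(path)}: #{r[:fields].join(', ')} world_readable=#{r[:world_readable]}"
    end
  end
end
```

To audit a real system, call `scan_facts_dir` on the facts directory named in the report, /var/lib/puppet/yaml/facts.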