Woman viewing code on laptop and desktop computers.
December 10, 2021

Puppet and Log4j Remote Code Execution Vulnerabilities

Security & Compliance
How to & Use Cases

By and

Log4j is a Java-based logging framework that is used in many applications and is prone to remote code execution (RCE) vulnerabilities, which have become increasingly common and impacted many companies. It is essential to be aware of these vulnerabilities and take appropriate measures to protect against them.

Puppet IT automation tools are designed to simplify the process of managing large-scale infrastructure and quickly identify and address security and compliance issues, which includes Log4j vulnerability mitigation.

To ensure all Puppet users have the best possible protection from Log4j vulnerabilities, the Puppet team has taken some proactive steps to address them. This includes regularly reviewing and updating the Log4j library used in Puppet, providing users with guidance on minimizing the risk of Log4j vulnerabilities, and releasing a Puppet Enterprise Log4j module to help users monitor and audit their Log4j configurations. The Puppet team is also actively engaged in the open-source community to ensure that any new or emerging Log4j vulnerabilities are addressed quickly and efficiently.

This article covers the impact of Log4j remote code execution vulnerabilities on Puppet products, what security measures our team has taken against them, and what you should do now to protect your systems.

Table of Contents:

Puppet and Log4j Vulnerabilities: The Latest Updates

January 21, 2022 Update: On January 20, 2022, Puppet released Puppet Comply version 2.2.2, updating the Log4j library to 2.17.0.

December 29, 2021 Update:On December 28, a new vulnerability was identified in Log4j through versions 2.17.0. This is identified as CVE-2021-44832. Puppet has determined that none of our products are vulnerable to being exploited by this issue. The Log4j configuration in our product cannot be modified by users which is a requirement for this vulnerability to be exploited. Puppet will include an update to Log4j as part of the regular release cadence.

December 20, 2021 Update:On December 20, in response to a new Log4j vulnerability CVE-2021-45105, we released Continuous Delivery for Puppet Enterprise version 4.10.5 with Apache Log4j 2.17.0.

December 17, 2021 Update:The severity of CVE-2021-45046, the fix to address CVE-2021-44228 in Apache Log4j 2.15.0, has been changed from medium to critical. In response, we have released Continuous Delivery for Puppet Enterprise (CD for PE) version 4.10.4 with Apache Log4j 2.16.0. We still do not believe that CD for PE is vulnerable given the Log4j configuration and mitigation, but want to provide our users with the most up-to-date software possible as the situation evolves.

If you are a Continuous Delivery for PE customer running version 3.x, we emphasize this version is not eligible for Puppet-delivered remediation. Our guidance continues to be to upgrade to version 4.x. If you continue to use 3.x, the mitigation steps provided may help. We strongly suggest you actively monitor your servers.

December 16, 2021 Update:The content of this blog was updated on December 16th to acknowledge that the pattern matching layout in Continuous Delivery for Puppet Enterprise (CD for PE) 4.10.3 does not use a Context Lookup or Thread Context Map Pattern described in CVE-2021-45046. As such, this CVE is currently not exploitable in the latest release of CD for PE, version 4.10.3. We are actively working on our next release of CD for PE which will include Apache log4j 2.16.0 and will be released as soon as safely possible.

December 15, 2021 Update:The content of this blog was updated on December 15th to acknowledge that Puppet Comply may also be vulnerable to CVE-2021-44228 due to a third-party component that provides key functionality to the product. Puppet Comply does not use Log4j directly. Further details below.

Puppet and Log4j Vulnerabilities: What's the Impact?

Puppet Enterprise, Puppetserver, and Puppet agents have not been impacted by the Log4j RCE vulnerabilities. Continuous Delivery for Puppet Enterprise (CD for PE), however, has been impacted by CVE-2021-44228.

A release update and mitigation steps for Continuous Delivery for Puppet Enterprise version 4.x, is now available. Partial mitigation steps for Continuous Delivery for Puppet Enterprise version 3.x, which reached end of life earlier this year, can be found in the FAQ. For Continuous Delivery for PE customers running version 3.x, our guidance continues to be to upgrade to version 4.x. If you continue to use 3.x, the mitigation steps provided may help. We strongly suggest you actively monitor your servers.

An FAQ outlining the path forward for CD for PE customers on versions 3.x and 4.x is available.

How Has Puppet Comply Been Impacted By Log4j Vulnerabilities?

Puppet was alerted that a third-party component that provides key functionality to Puppet Comply was impacted. The Puppet Comply server is not vulnerable and Puppet Comply does not use Log4j directly. Only the Puppet Comply third-party assessor uses the vulnerable package but given its limited scope, the potential for exploitation is reduced.

On January 20, Puppet released Comply v. 2.2.2 which addresses all known vulnerabilities that can potentially be exploited in the product.

Should you have additional questions, please reach out to your TAM, or contact Support.

Contact Support

Sarah Hullender

Sarah Hullender

Senior Engineering Product Manager, Puppet by Perforce

Sarah Hullender is Senior Engineering Product Manager.
Diego Lapiduz

Diego Lapiduz

Senior Director, Product Security, Puppet by Perforce

Diego Lapiduz is Senior Director, Product Security.