CVE-2011-3872
A bug in Puppet 0.24.0 through 2.7.5 causes Puppet to insert the puppet master's DNS alt names ("certdnsnames" in puppet.conf) into the X.509 Subject Alternative Name field of all certificates, rather than just the puppet master's certificate.
Since the puppet agent daemon can use the Subject Alternative Name field to identify its puppet master, your site may contain agent certificates that can be used in a Man in the Middle (MITM) attack to impersonate the puppet master.
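To find out whether a site holds such certificates, an administrator can audit every certificate the CA has issued and flag any non-master certificate whose Subject Alternative Name carries one of the master's "certdnsnames". The Ruby script below is an added example written for this page, not Puppet Labs' own tooling: it builds a throwaway CA in memory, issues a master certificate, an agent certificate that wrongly received the master's DNS names (the behaviour the advisory describes), and a clean agent certificate, then runs the audit over them. The host names, serial numbers and the function names are all constructed for the example; against a real site you would load the PEM files from the CA's signed-certificate directory instead of generating them.

```ruby
require 'openssl'

# Build an X.509 certificate signed by issuer_cert/signing_key (or self-signed when
# both are nil). Constructed fixtures for the audit below, not Puppet's CA code.
def build_cert(cn, serial, issuer_cert, signing_key, extensions)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  extensions.each { |oid, value, critical| cert.add_extension(ef.create_extension(oid, value, critical)) }
  cert.sign(signing_key || key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end

# A self-signed CA, mimicking a site CA (hypothetical name).
def make_ca
  build_cert('Puppet CA: example-ca', 1, nil, nil,
             [['basicConstraints', 'CA:TRUE', true],
              ['keyUsage', 'keyCertSign, cRLSign', true]])
end

# Issue an end-entity certificate; dns_names, when given, go into subjectAltName.
# Passing the master's names for an agent reproduces the advisory's defect.
def issue(ca_cert, ca_key, cn, serial, dns_names = [])
  exts = [['basicConstraints', 'CA:FALSE', true]]
  exts << ['subjectAltName', dns_names.map { |n| "DNS:#{n}" }.join(','), false] unless dns_names.empty?
  build_cert(cn, serial, ca_cert, ca_key, exts).first
end

# DNS entries of a certificate's subjectAltName extension (empty if none).
def san_dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map(&:strip).select { |v| v.start_with?('DNS:') }.map { |v| v.sub('DNS:', '') }
end

# Audit: return the CN of every certificate that is not the master's own but whose
# SAN contains one of the master's certdnsnames. Each such certificate would be
# accepted by agents as the master and should be revoked and re-issued.
def find_impersonation_capable(certs, master_cn, certdnsnames)
  names = certdnsnames.map(&:downcase)
  certs.map do |c|
    cn = c.subject.to_a.find { |name, _, _| name == 'CN' }[1]
    next nil if cn == master_cn
    (san_dns_names(c).map(&:downcase) & names).any? ? cn : nil
  end.compact
end

# Demonstration on constructed certificates; hypothetical host names throughout.
def demo
  ca_cert, ca_key = make_ca
  certdnsnames = ['puppet', 'puppet.example.com']
  master    = issue(ca_cert, ca_key, 'master.example.com', 2, certdnsnames)
  bad_agent = issue(ca_cert, ca_key, 'agent1.example.com', 3, certdnsnames) # signed by a buggy CA
  ok_agent  = issue(ca_cert, ca_key, 'agent2.example.com', 4)               # no SAN, as it should be
  find_impersonation_capable([master, bad_agent, ok_agent], 'master.example.com', certdnsnames)
end

puts "Certificates able to impersonate the master: #{demo.inspect}" if __FILE__ == $PROGRAM_NAME
```

The audit deliberately keys on the master's configured names rather than on the mere presence of a SAN, so a site that legitimately issues SANs for other services is not flooded with false positives; any CN the script reports is a certificate to revoke, and if the list is non-empty the site should also consider the full CA migration described below.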
If your puppet master's "certdnsnames" setting has never been set during the lifetime of your site's CA, you are protected and can safely ignore this vulnerability once you've upgraded your puppet master. Otherwise, you must mitigate this vulnerability by:
Although the above mitigation will completely protect your site, you may also wish to migrate to a new CA and invalidate and re-issue all of your site's certificates. This will provide longer-term protection, will prevent your site from being accidentally returned to a vulnerable state, and will let you resume using your preferred puppet master name.
Puppet Labs has released tools to assist in mitigating the vulnerability and migrating to a new CA.