The OpenSSL project recently announced a serious security vulnerability in OpenSSL affecting versions 1.0.1 and 1.0.2, currently referred to as "Heartbleed." This vulnerability (CVE-2014-0160) allows unauthorized users to access private data such as encrypted traffic and the secret keys used to identify servers.
The security of Puppet infrastructure depends on OpenSSL being secure, so there are steps you must take to ensure your Puppet infrastructure is secure.
Puppet Labs has not shipped a vulnerable version of OpenSSL in Puppet or Puppet Enterprise. In many cases, however, Puppet and Puppet Enterprise rely on versions of OpenSSL shipped as part of an operating system. You can check which OSs are affected in our second-day blog post.
Many organizations will need to regenerate their Puppet-related Certificate Authority and all Puppet-related SSL certificates in their public key infrastructure. You may also need to update OpenSSL as vendors release updates to address this vulnerability.
We have released step-by-step documentation for remediating the vulnerability, linked below.
Edit as of 6:00 p.m. (Pacific), 10 April 2014
You'll find the most updated versions of the remediation documentation for Heartbleed on the Puppet Labs Heartbleed Remediation Overview page: Remediation for Recovering from the Heartbleed Bug.
Note: This documentation was tested against Puppet Enterprise 2.8.5 and 3.2.1. Our belief is that these instructions will work with all 2.x and 3.x releases of Puppet Enterprise.
- Puppet Enterprise 3.x: Regenerating Certs and Security Credentials in Split Puppet Enterprise Deployments
- Puppet Enterprise 3.x: Regenerating Certs and Security Credentials in Monolithic Puppet Enterprise Deployments
- Puppet Enterprise 2.x: Regenerating Certs and Security Credentials in Split Puppet Enterprise Deployments
- Puppet Enterprise 2.x: Regenerating Certs and Security Credentials in Monolithic Puppet Enterprise Deployments
- SSL for Open Source Puppet: Regenerating All Certificates in a Puppet Deployment
We are notifying users via email. Authorized Puppet Enterprise support users can log in to the customer support portal for any needed support. If you’re using Puppet or a trial version of Puppet Enterprise, watch for updates to the Puppet Users Google Group and the Puppet Enterprise Users group.
We’ll continue to stay on top of developments, and update you here on the blog, in our documentation, and on the mailing lists.
For more information about Heartbleed, go to http://heartbleed.com/.