CVE-2014-3251

Description

The MCollective aes_security plugin, as used in Puppet Enterprise before 3.3.0 and Mcollective before 2.5.3, does not properly validate new server certificates based on the CA certificate, which allows local users to establish unauthorized Mcollective connections via unspecified vectors related to a race condition.

How to fix CVE-2014-3251

To remediate CVE-2014-3251, upgrade the affected package to a fixed version below.

• Debian/mcollective—upgrade to 2.6.0+dfsg-1 or later

Is CVE-2014-3251 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2.6.0+dfsg-1

References (1)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-3251