Is this a critical security issue?
Describe the Bug
Upon updating our compiler to 8.13.0, we noticed failed runs on a substantial percentage of our nodes. Not all of them were affected, but those that were continuously failed to get a catalog, erroring out with a Java exception from the puppet server and a >1k line stacktrace (attached). The cause appears to be a custom function calling into openssl functions from Ruby - specifically, it attempts to validate X.509 keys by attempting to instantiate a private key object based on them:
```ruby
Puppet::Functions.create_function(:'x509::validate_key') do
  dispatch :validate_key do
    param 'X509::PEM::Key', :pem
    param 'X509::Algorithm', :type
  end

  # Parse the PEM with the OpenSSL class matching the declared algorithm;
  # any parse failure is surfaced as a catalog compilation error.
  def validate_key(pem, type)
    require 'openssl'
    if type == 'rsa'
      begin
        OpenSSL::PKey::RSA.new(pem)
      rescue => e
        raise Puppet::ParseError, "RSA private key invalid: #{e}"
      end
    else
      begin
        OpenSSL::PKey::EC.new(pem)
      rescue => e
        raise Puppet::ParseError, "ECC private key invalid: #{e}"
      end
    end
  end
end
```
This causes the following exception:
```
java.lang.NoSuchMethodError: 'org.bouncycastle.asn1.ASN1Primitive org.bouncycastle.asn1.sec.ECPrivateKey.getParameters()'
```
with the stack trace attached. Notably, this only occurs with the EC functions; there is no mention of errors relating to RSA anywhere in our logs.
Expected Behavior
The Ruby code continues to work, and nodes can request their catalogs from the compiler.
Steps to Reproduce
- Create a custom function using Ruby's openssl library to load an EC private key
- Attempt to request a catalog using this function from openvox-server 8.13.0
Environment
Version: 8.13.0
Platform: Debian 12
Additional Context
We suspect this to be related to the update of the bouncycastle dep in version 8.13.
Relevant log output
stacktrace_puppetserver.txt
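A stand-alone reproducer for the reporter's steps, added here as an example and not part of the original issue or the openvox-server project. It mirrors the `x509::validate_key` logic outside Puppet (a local `KeyValidationError` stands in for `Puppet::ParseError`), generates throwaway RSA and EC keys inline as constructed fixtures, and reports the Ruby engine so the same script can be run under MRI and under JRuby, where the puppetserver failure is expected to surface. It also goes slightly beyond the original by rejecting a public-only PEM and by sniffing the algorithm from the PEM itself.

```ruby
require 'openssl'

# Stand-in for Puppet::ParseError so the script runs outside a compiler (assumption).
class KeyValidationError < StandardError; end

# Validate a PEM private key of the requested type ('rsa' or 'ec') the way the
# reporter's custom function does, returning the parsed key object on success.
def validate_private_key(pem, type)
  key = case type
        when 'rsa' then OpenSSL::PKey::RSA.new(pem)
        when 'ec'  then OpenSSL::PKey::EC.new(pem)
        else raise KeyValidationError, "unsupported key type #{type.inspect}"
        end
  # A public-only PEM parses too; insist on the private component.
  unless key.private?
    raise KeyValidationError, "#{type.upcase} PEM does not contain a private key"
  end
  key
rescue OpenSSL::PKey::PKeyError => e
  # RSAError / ECError (bad PEM, wrong algorithm) both descend from PKeyError.
  raise KeyValidationError, "#{type.upcase} private key invalid: #{e.message}"
end

# Detect the algorithm from the PEM itself rather than trusting a caller-supplied type.
def detect_key_type(pem)
  case OpenSSL::PKey.read(pem)
  when OpenSSL::PKey::RSA then 'rsa'
  when OpenSSL::PKey::EC  then 'ec'
  else raise KeyValidationError, 'unsupported key algorithm'
  end
rescue OpenSSL::PKey::PKeyError => e
  raise KeyValidationError, "unreadable PEM: #{e.message}"
end

# Constructed fixtures: fresh throwaway keys, never real material.
def constructed_sample_keys
  {
    rsa: OpenSSL::PKey::RSA.new(2048).to_pem,
    ec:  OpenSSL::PKey::EC.generate('prime256v1').to_pem
  }
end

# Run both validations and return the outcome per algorithm; the EC entry is
# the one expected to fail on a JRuby/BouncyCastle combination like the report's.
def reproduce
  keys = constructed_sample_keys
  %w[rsa ec].each_with_object({}) do |type, results|
    validate_private_key(keys[type.to_sym], type)
    results[type] = 'ok'
  rescue KeyValidationError, NoMethodError => e
    results[type] = "failed: #{e.class}: #{e.message}"
  end
end

if $PROGRAM_NAME == __FILE__
  puts "ruby engine: #{RUBY_ENGINE} #{RUBY_VERSION}, OpenSSL #{OpenSSL::OPENSSL_LIBRARY_VERSION}"
  reproduce.each { |type, outcome| puts "#{type}: #{outcome}" }
end
```

Running the script with `jruby` on the affected server versus `ruby` on a workstation isolates whether the EC failure is in the Ruby code or in the Java OpenSSL shim underneath it.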