Chef Blogs

Chef Analytics 1.1.1 security release

David Parfitt | Posted on | release | Releases

### Description

We shipped Analytics `1.1.0` with a development configuration setting enabled that disabled authentication on the endpoints used to create and modify rules and notification aliases. This meant that rules could be created or modified without having to be logged in as a valid chef user.

We have released version `1.1.1` of Chef Analytics, available now on the Chef analytics download page to resolve this issue.

### Does this vulnerability affect my installation?

This vulnerability only affects Chef analytics `1.1.0`. Chef analytics `1.0.x` versions are not affected.

If the file `/opt/opscode-analytics/embedded/service/notifier_config/sys.config` contains the following offending entry, then your Analytics installation is vulnerable.

{accept_insecure, true}

### Verifying integrity

To manually examine all your rules and aliases in the Analytics database (Postgres):

$ su – chef-pgsql
$ psql notifier_config
psql (9.2.9)
Type “help” for help.

notifier_config=# \x
notifier_config=# select * from rules;
— Ensure the content of each rule. A malicious entry may appear with an empty modified_by column.

notifier_config=# select * from aliases;
— A malicious entry could route notifications to a different host.

— A malicious entry may appear with an empty modified_by column.

— Ensure that all values for each row are correct.

If you find an entry that you believe is malicious, you can delete it directly from the database. Note the table (either rules or aliases) and the ID field for the row in the database. Here is an example of deleting a rule:

notifier_config=# select * from rules;
-[ RECORD 1 ]————————————-
id | 3393ee14-8c66-4ed9-ac19-d1cbedf89fcb
name | New Rule Group 1
org_name | ponyville
modified_by | applejack
modified_at | 2015-01-26 23:23:17+00
rule | rules ‘New Rule Group 1’
| rule on action
| when
| true
| then
| noop()
| end
| end
priority | 0
active | t
notifier_config=# delete from rules where id = ‘3393ee14-8c66-4ed9-ac19-d1cbedf89fcb’;
DELETE 1

### Resolution

The simplest resolution is to upgrade to `1.1.1`. The only change is the one to fix this issue.

If you cannot upgrade, the issue can be resolved by modifying the file `/etc/opscode-analytics/opscode-analytics.rb`, and setting the value of `accept_insecure` from `true` to `false`:

notifier_config[‘accept_insecure’] = false

Once this change has been made, Chef Analytics needs to be reconfigured via:

opscode-analytics-ctl reconfigure

If you have any questions or need help during the process, please contact the Chef support team.

The Chef Analytics team