Chef Server 11.0.12 Release

Chef Server 11.0.12 is a security release that includes an updated version of OpenSSL that patches CVE-2014-0160, also known as the Heartbleed bug. All installs of Chef Server should be upgraded immediately. The bug enables a trivial exploit that lets an attacker read secrets from the memory of a vulnerable server. These secrets can include any of the information stored within your Chef Server – usernames, passwords, node data, data bags, etc. The severity of this exploit cannot be overstated. Please follow the upgrade instructions below carefully to ensure that your Chef Server install is fully patched.

Upgrade Instructions

Download:

To download the latest version of Chef Server, visit https://www.getchef.com/chef/install

Upgrade:

First, follow the upgrade instructions on the Chef Documentation site here: http://docs.opscode.com/upgradeserveropen_source.html#upgrade-to-newer-versions-of-chef-server-11

Regenerating Certificates:

NOTE – Besides upgrading OpenSSL, this is the most important step in closing the Heartbleed vulnerability. The SSL certificates, as well as any of the secrets stored on your Chef Server, should be considered compromised by anyone on the network from which the Chef Server was reachable. Here are the steps needed to regenerate your SSL certificates:

Regenerate your SSL certificates by following the instructions on the Chef Documentation site here: http://docs.opscode.com/opensource/serversecurity.html#regenerate-ssl-certificates

Next Steps:

  • Changing Secrets – While your Chef Server install is now patched and safe from the Heartbleed bug, it is still possible that arbitrary data from your Chef install was compromised. Depending on your comfort level with the defense around your Chef Server, you may want to change user passwords and any other sensitive data that wasn’t encrypted via an out-of-band mechanism.
  • Chef Client – Chef does authentication and authorization by signing each request, so you don’t have to worry about regenerating your client credentials.
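Two checks worth running on the server once the steps above are done, as an added example that is not part of the Chef Server release or its tooling: a version test on the OpenSSL binary the server uses, and a scan of /proc for processes that still map a libssl or libcrypto file that has been replaced on disk. A long-running process such as nginx keeps the old library loaded until it is restarted, so installing the new package alone does not close the hole; anything the scan lists must be restarted. The embedded openssl path is an assumption about the omnibus package layout, and the maps lines in SAMPLE_MAPS are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the Chef Server 11.0.12 release or its tooling.
# Two post-upgrade checks for a Chef Server host.
# Assumptions (labelled): the omnibus package ships its own openssl at
# $CHEF_OPENSSL (path below is an assumption, adjust for your install), and the
# host has a Linux /proc filesystem.
CHEF_OPENSSL="${CHEF_OPENSSL:-/opt/chef-server/embedded/bin/openssl}"

# heartbleed_version "OpenSSL 1.0.1e 11 Feb 2013"
# Returns 0 when the upstream version token is one affected by CVE-2014-0160
# (1.0.1 through 1.0.1f, and 1.0.2-beta1), 1 otherwise. Caveat: distributions
# often backport the fix without bumping the letter (Debian/Ubuntu kept 1.0.1e),
# so 0 here means "check the package changelog", not "confirmed vulnerable".
heartbleed_version() {
  set -- $1                      # word-split the version banner: $2 is the version token
  case "$2" in
    1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) return 0 ;;
    *) return 1 ;;
  esac
}

# stale_ssl_libs
# Reads lines of the form "<pid> <line from /proc/<pid>/maps>" on stdin and
# prints "<pid> <path>" once for every libssl/libcrypto mapping whose file has
# been replaced on disk ("(deleted)"). A process listed here (nginx, for
# instance) is still running the pre-upgrade OpenSSL code and must be restarted.
stale_ssl_libs() {
  awk '$NF == "(deleted)" && $(NF-1) ~ "/lib(ssl|crypto)[^/]*$" {
         key = $1 " " $(NF-1)
         if (!seen[key]++) print key
       }'
}

# scan_proc_maps: feed every readable live process map into stale_ssl_libs.
scan_proc_maps() {
  for m in /proc/[0-9]*/maps; do
    pid=${m#/proc/}; pid=${pid%/maps}
    sed "s|^|$pid |" "$m" 2>/dev/null   # maps of other users' processes are skipped
  done | stale_ssl_libs
}

# Constructed sample of maps lines (not real system output): pid 1234 still
# maps deleted libssl/libcrypto, pid 5678 already maps the replaced files.
SAMPLE_MAPS='1234 7f1a2b000000-7f1a2b1c0000 r-xp 00000000 08:01 393221 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
1234 7f1a2b1c0000-7f1a2b3bf000 ---p 001c0000 08:01 393221 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
1234 7f1a2c000000-7f1a2c100000 r-xp 00000000 08:01 393099 /opt/chef-server/embedded/lib/libcrypto.so.1.0.0 (deleted)
5678 7f2b00000000-7f2b001c0000 r-xp 00000000 08:01 401233 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
5678 7f2b01000000-7f2b01020000 r-xp 00000000 08:01 401000 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)'

main() {
  if [ -x "$CHEF_OPENSSL" ] && heartbleed_version "$("$CHEF_OPENSSL" version)"; then
    echo "WARN: $CHEF_OPENSSL reports an affected version: $("$CHEF_OPENSSL" version)"
  fi
  echo "processes still mapping a replaced libssl/libcrypto (restart these):"
  if [ -d /proc/1 ]; then
    scan_proc_maps
  else
    printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_libs   # no /proc: show the constructed sample
  fi
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as root with `sh check.sh --run` so every process map is readable; an empty process list after `chef-server-ctl restart` is the result you want, and any pid still listed is a service that did not actually pick up the new library.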

Release Notes

Security Fixes

The following items are the set of security fixes that have been applied since Chef Server 11.0.11:
  • [libcurl] Patch for wrong re-use of connections (CVE-2014-0138)
  • [libcurl] Patch for address wildcard certificate validation (CVE-2014-0139)
  • [libcurl] Patch for not verifying certs for TLS to IP address / Darwinssl (CVE-2014-1563)
  • [libcurl] Patch for not verifying certs for TLS to IP address / Winssl (CVE-2014-2522)
  • [openssl] Patch for heartbeat extension exposing process memory (CVE-2014-0160)
  • [libyaml] Patch for arbitrary code execution vulnerability (CVE-2014-2525)

  • Mark

    Could you provide a link to the said upgrade documentation on your site? “First, follow the upgrade instructions on the Chef Documentation site.” I could only find documentation on upgrading from version 10 to 11.

    • Stephen Delano

      Hi Mark, we’re getting those docs up ASAP. The process for upgrading the Open Source Chef Server is really simple. First, install the package via RPM or DPKG. After that, chef-server-ctl reconfigure will update all of the relevant config. Just to make sure everything comes back up cleanly, finish up with a chef-server-ctl restart.

  • Julio

    Is this package for the open source chef server or the enterprise version?

    • Stephen Delano

      Hi Julio,

      This package is for the Open Source Chef Server. If you’re looking for Enterprise Chef packages, you can contact your sales representative. They’ve got all the links ready for distribution immediately.

  • Tejay Cardon

    After following these instructions and restarting chef with chef-server-ctl, I’m still able to exploit the chef server nginx process, suggesting that either the patch failed, or the upgrade process didn’t actually get me upgraded. How do I verify the version of chef server that is running?

    • Rui Covelo

      Hi Tejay,

      I got the same issue too. That’s probably because nginx was not restarted by sudo chef-server-ctl restart. What I did, after upgrading my system openssl, was explicitly killing the nginx server that chef relies on and then restarting chef.