Enterprise Chef 11.1.3 is a security release that includes an updated version of OpenSSL that patches CVE-2014-0160, also known as the Heartbleed bug. All installs of Enterprise Chef should be upgraded immediately. The bug is trivially exploitable: an unauthenticated attacker can read chunks of memory from the process that terminates TLS on a vulnerable server (on Enterprise Chef, the nginx front end), repeatedly and without leaving a trace in application logs. What comes back includes the server's TLS private key and whatever that process was handling at the time, which can be any of the information stored within your Chef Server: usernames, passwords, node data, data bags, etc. The severity of this exploit cannot be overstated. Please follow the upgrade instructions below carefully to ensure that your Enterprise Chef install is fully patched.
To download the latest version of Enterprise Chef, please contact your sales representative.
First, follow the upgrade instructions on the Chef Documentation site (linked below):
- Standalone Installs: http://docs.opscode.com/upgradeserverstandalone.html
- HA Installs: http://docs.opscode.com/upgradeserverha.html
- WARNING – take special care to note the known issues with HA upgrades: http://docs.opscode.com/upgradeserverhanotes.html#known-issues
NOTE – Besides upgrading OpenSSL, regenerating the SSL certificates is the most important step in closing the Heartbleed exposure. The server's TLS private key, the certificate issued for it, and any of the secrets stored on your Chef Server should be considered compromised by anyone on any network from which the Chef Server was reachable. Regeneration only helps if it produces a new private key, not merely a new certificate over the old key; and if the old certificate was issued by a CA, revoke it there as well, since a stolen key keeps working for as long as its certificate is trusted. Here are the steps needed to regenerate your SSL certificates:
Regenerate your SSL certificates by following the instructions on the Chef Documentation site here: http://docs.opscode.com/serversecurity.html#regenerate-ssl-certificates
Congratulations! Your Enterprise Chef install is now patched against the Heartbleed bug, and the old SSL key can no longer be used to impersonate the server or to decrypt new Chef traffic. One limit to keep in mind: traffic captured while the old key was in use can still be decrypted with that key if the session used RSA key exchange rather than an ephemeral (DHE/ECDHE) cipher suite, which is one more reason to treat secrets that transited the server as exposed.
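One check worth running after the regeneration step, as an added example in Ruby (my code, not from the release notes or the Chef project): Heartbleed leaked the private key, so a certificate re-issued over the old key pair changes nothing. Compare the public-key fingerprint of the certificate the server presents now against the one you recorded before, not only the certificate fingerprint. The self-signed certificates, the host name chef.example.internal, the patch time and all function names are constructed for the example; served_cert fetches the live certificate and needs network access, so the offline sample does not call it.

```ruby
# Added example, not part of the Enterprise Chef release notes or the Chef
# project: check that certificate regeneration actually replaced the KEY.
# Heartbleed leaks the TLS private key; a certificate re-issued over the old
# key pair protects nothing, so compare public-key fingerprints, not only
# certificate fingerprints.
require 'openssl'
require 'socket'

# Constructed stand-in for the server certificate that regeneration produces;
# used only to build sample input for this example.
def make_self_signed(cn, key = OpenSSL::PKey::RSA.new(2048))
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# SHA-256 over the whole certificate (what most "fingerprint" tools show).
def cert_fingerprint(cert)
  OpenSSL::Digest.new('SHA256').hexdigest(cert.to_der)
end

# SHA-256 over the public key alone; this is the value that must change.
def key_fingerprint(cert)
  OpenSSL::Digest.new('SHA256').hexdigest(cert.public_key.to_der)
end

# patched_at: when the 11.1.3 upgrade was applied (hypothetical input).
def rotation_status(old_cert, new_cert, patched_at)
  {
    cert_changed: cert_fingerprint(old_cert) != cert_fingerprint(new_cert),
    key_changed: key_fingerprint(old_cert) != key_fingerprint(new_cert),
    issued_after_patch: new_cert.not_before >= patched_at
  }
end

def rotated?(old_cert, new_cert, patched_at)
  rotation_status(old_cert, new_cert, patched_at).values.all?
end

# Certificate the server actually presents on the wire (hypothetical
# host/port; needs network, so the offline sample below does not call it).
def served_cert(host, port = 443)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # inspecting, not trusting
  tcp = TCPSocket.new(host, port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = host
  ssl.connect
  ssl.peer_cert
ensure
  ssl&.close
  tcp&.close
end

if __FILE__ == $PROGRAM_NAME
  old_cert, old_key = make_self_signed('chef.example.internal')
  patched_at = Time.now - 60 # constructed upgrade time
  reissued, = make_self_signed('chef.example.internal', old_key) # same key!
  fresh, = make_self_signed('chef.example.internal')             # new key
  p rotation_status(old_cert, reissued, patched_at) # key_changed: false
  p rotation_status(old_cert, fresh, patched_at)    # all true
end
```

Keep a copy of the old certificate (or at least both fingerprints) before you regenerate; without it there is nothing to compare the live certificate against.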
- Changing Secrets – While your Enterprise Chef install is now patched and safe from the Heartbleed bug, it is still possible that arbitrary data from your Chef install was read while it was vulnerable, and Heartbleed leaves no reliable log trail to rule that out. Depending on your comfort level with the defense around your Enterprise Chef server, you may want to change user passwords and any other sensitive data that the server stored or handled in the clear, for example credentials kept in plain data bags. Data that was encrypted with a key the server never sees (an encrypted data bag whose secret is distributed to nodes out of band) does not need to be re-encrypted.
- Chef Client – Chef authenticates and authorizes each API request with a signature made by the client's RSA private key. The server stores only the public key, so memory read from the server does not yield client keys, and you don't have to worry about regenerating your client credentials. The exception is keys created or reregistered while the server was vulnerable: in Chef 11 the server generates the key pair and returns the private key in the HTTPS response, so those keys passed through the affected process and are worth replacing with knife client reregister.
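The out-of-band encryption referred to above, as an added example in Ruby (my code, not the release notes' or the Chef project's): it encrypts the fields of a data bag item in the encrypted data bag version-1 layout as I understand it (aes-256-cbc, key = SHA-256 of a shared secret, each value wrapped as {"json_wrapper": ...} before encryption, one random IV per field, Base64 output) so the Chef Server stores only ciphertext and the secret lives on the nodes, and it re-encrypts an item under a new secret. The item, the password and all helper names are constructed for the example; confirm interoperability against your own knife before relying on it.

```ruby
# Added example, not part of the Enterprise Chef release notes or the Chef
# project: move a secret out of a plain data bag into Chef's encrypted data
# bag layout (version 1 as I understand it: aes-256-cbc, key = SHA-256 of the
# shared secret, value JSON-wrapped before encryption) so the Chef Server only
# ever holds ciphertext while the secret stays on the nodes. Also rotates an
# item from one secret to another.
require 'openssl'
require 'json'
require 'securerandom'

ALGORITHM = 'aes-256-cbc'.freeze

# A fresh shared secret, to be placed on nodes out of band (never via the server).
def new_secret(bytes = 64)
  [SecureRandom.random_bytes(bytes)].pack('m0')
end

def derive_key(secret)
  OpenSSL::Digest.new('SHA256').digest(secret)
end

def encrypt_value(value, secret)
  cipher = OpenSSL::Cipher.new(ALGORITHM)
  cipher.encrypt
  iv = cipher.random_iv # fresh IV per field, set on the cipher
  cipher.key = derive_key(secret)
  plain = JSON.generate('json_wrapper' => value)
  data = cipher.update(plain) + cipher.final
  { 'encrypted_data' => [data].pack('m'), # same as Base64.encode64
    'iv' => [iv].pack('m'),
    'version' => 1,
    'cipher' => ALGORITHM }
end

def decrypt_value(field, secret)
  raise ArgumentError, "unsupported version #{field['version']}" unless field['version'] == 1
  cipher = OpenSSL::Cipher.new(field['cipher'])
  cipher.decrypt
  cipher.iv = field['iv'].unpack1('m') # same as Base64.decode64
  cipher.key = derive_key(secret)
  plain = cipher.update(field['encrypted_data'].unpack1('m')) + cipher.final
  JSON.parse(plain)['json_wrapper']
end

# Every field except "id" is encrypted separately; "id" stays in the clear
# so the item remains addressable by name.
def encrypt_item(item, secret)
  item.each_with_object({}) do |(k, v), out|
    out[k] = k == 'id' ? v : encrypt_value(v, secret)
  end
end

def decrypt_item(item, secret)
  item.each_with_object({}) do |(k, v), out|
    out[k] = k == 'id' ? v : decrypt_value(v, secret)
  end
end

# Re-encrypt an item under a new secret (decrypt with old, encrypt with new).
def rotate_secret(item, old_secret, new_secret)
  encrypt_item(decrypt_item(item, old_secret), new_secret)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample item; the password is not a real credential.
  item = { 'id' => 'rabbitmq', 'password' => 'constructed-example-password' }
  secret = new_secret
  stored = encrypt_item(item, secret) # what the Chef Server would hold
  puts JSON.pretty_generate(stored)
  puts decrypt_item(stored, secret).inspect
end
```

A wrong secret fails at cipher.final (or at JSON.parse in the rare case the padding happens to validate), so rotate_secret cannot silently produce garbage; a failure there means the old secret is not the one the item was encrypted with.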
The following items are new for Enterprise Chef 11.1.3 and/or are changes from previous versions:
- [core] Erlang r15b03-01 w/ multiple stability and bug fixes
- [core] Chef 11.10.4 (was 11.6.0)
- [oc_erchef] Added hooks for opscode-analytics actions service
The following items are the set of bug fixes that have been applied since Enterprise Chef 11.1.2:
- [opscode-omnibus] Increased postgresql max_connections to a default of 350 to handle 4-node clusters.
- [opscode-account] Fix for LDAP user creation failure.
- [opscode-omnibus] Manage /var/log/opscode permissions even with non 0022 umask.
The following items are the set of security fixes that have been applied since Enterprise Chef 11.1.2:
- [opscode-webui] Patch for Denial of Service Vulnerability in Action View when using render :text (CVE-2014-0082)
- [opscode-webui] Patch for Denial of Service Vulnerability in Action View (CVE-2013-6414)
- [opscode-webui] Patch for Reflective XSS Vulnerability in Ruby on Rails (CVE-2013-4491)
- [libcurl] Patch for wrong re-use of connections (CVE-2014-0138)
- [libcurl] Patch for address wildcard certificate validation (CVE-2014-0139)
- [libcurl] Patch for not verifying certs for TLS to IP address / Darwinssl (CVE-2014-1563)
- [libcurl] Patch for not verifying certs for TLS to IP address / Winssl (CVE-2014-2522)
- [openssl] Patch for heartbeat extension exposing process memory (CVE-2014-0160)
- [libyaml] Patch for arbitrary code execution vulnerability (CVE-2014-2525)