
Chef and OpenSSL Security Advisory 1 March 2016

On March 1, 2016, the OpenSSL team released a new high severity security advisory. Simultaneously, the OpenSSL team also made available new versions of the OpenSSL code containing fixes for the vulnerabilities described in this advisory. After reviewing the vulnerabilities described in this security advisory, the team at Chef has determined that Chef products are not at immediate risk as a result of the OpenSSL vulnerabilities disclosed today.

Recommendation to Users

Chef’s products do not ship with SSLv2 enabled by default. Therefore, Chef’s products are not vulnerable to either of the high severity vulnerabilities described in the foregoing bulletin (CVE-2016-0800 and CVE-2016-0703).

Customers who have manually enabled SSLv2 should mitigate the vulnerabilities by disabling this protocol version. Please contact support if you require assistance doing this.
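A practical way to confirm the recommendation above has taken effect is to check whether an endpoint still answers an SSLv2 CLIENT-HELLO. The following is an added audit helper, not Chef's code and not part of the original advisory: it builds the SSLv2 handshake opener from the protocol's published layout (2-byte record header with the high bit set, then message type, version, and three length fields), parses any SERVER-HELLO that comes back, and reports the cipher kinds the server offered. A server with SSLv2 disabled replies with a TLS alert (first byte 0x15) or closes the connection, which the parser reports as None. The host and port are placeholders for your own servers, and the sample SERVER-HELLO at the bottom is constructed for offline testing.

```python
"""Audit helper: does one of your TLS endpoints still answer an SSLv2 CLIENT-HELLO?

Added example, not Chef's code. Wire layout follows the SSLv2 draft
specification (draft-hickman-netscape-ssl-00). The host/port arguments are
placeholders for your own infrastructure.
"""
import socket
import struct

SSLV2_VERSION = b"\x00\x02"
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04

# The seven SSLv2 cipher kinds (3 bytes each). Offering all of them makes the
# probe independent of which export/non-export suites a server still allows.
SSLV2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def sslv2_record(payload: bytes) -> bytes:
    """Wrap a payload in the 2-byte SSLv2 record header (high bit set, no padding)."""
    assert len(payload) < 0x8000
    return struct.pack(">H", 0x8000 | len(payload)) + payload


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """CLIENT-HELLO offering every SSLv2 cipher kind and no session id."""
    ciphers = b"".join(SSLV2_CIPHER_KINDS)
    body = (
        bytes([MSG_CLIENT_HELLO])
        + SSLV2_VERSION
        + struct.pack(">HHH", len(ciphers), 0, len(challenge))
        + ciphers
        + challenge
    )
    return sslv2_record(body)


def parse_server_hello(data: bytes):
    """Return a dict describing an SSLv2 SERVER-HELLO, or None if `data` is not one.

    A server with SSLv2 disabled answers with a TLS alert record (0x15...) or
    simply closes the connection; both fall through to None here.
    """
    if len(data) < 2 or not data[0] & 0x80:
        return None
    rec_len = struct.unpack(">H", data[:2])[0] & 0x7FFF
    body = data[2:2 + rec_len]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    session_hit, cert_type = body[1], body[2]
    version = body[3:5]
    cert_len, ciphers_len, conn_id_len = struct.unpack(">HHH", body[5:11])
    if len(body) < 11 + cert_len + ciphers_len + conn_id_len:
        return None
    cipher_blob = body[11 + cert_len:11 + cert_len + ciphers_len]
    ciphers = [cipher_blob[i:i + 3] for i in range(0, len(cipher_blob), 3)]
    return {
        "version": version,
        "session_id_hit": bool(session_hit),
        "certificate_type": cert_type,
        "cert_length": cert_len,
        "cipher_kinds": [SSLV2_CIPHER_KINDS.get(c, c.hex()) for c in ciphers],
    }


def sslv2_enabled(host: str, port: int = 443, timeout: float = 5.0):
    """Probe one of your own endpoints; returns the parsed SERVER-HELLO or None."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            return None
    return parse_server_hello(reply)


# Constructed SERVER-HELLO (no certificate, two cipher kinds, 16-byte connection
# id) standing in for what an SSLv2-enabled server would send back.
SAMPLE_SERVER_HELLO = sslv2_record(
    bytes([MSG_SERVER_HELLO, 0x00, 0x01]) + SSLV2_VERSION
    + struct.pack(">HHH", 0, 6, 16)
    + b"\x01\x00\x80" + b"\x07\x00\xc0"
    + b"\x11" * 16
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sslv2_enabled(sys.argv[1]))   # e.g. python sslv2_check.py chef.example.internal
    else:
        print(parse_server_hello(SAMPLE_SERVER_HELLO))
```

Run it against each host you administer after disabling SSLv2; a result of None is the expected, healthy outcome. Note that the installed OpenSSL library is irrelevant to this check, since the probe speaks raw bytes over a plain socket rather than going through the `ssl` module, which is also why it still works on systems whose OpenSSL no longer compiles in SSLv2 support at all.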

Future versions of Chef’s products will include the new versions of OpenSSL that explicitly disallow the use of SSLv2.

Further Analysis

Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)

Chef’s products do not ship with SSLv2 enabled and so are not vulnerable out of the box.

Double-free in DSA code (CVE-2016-0705)

Chef’s products are vulnerable to CVE-2016-0705; however, the vulnerability is considered low severity and rare, as per the advisory. Chef will update its products according to their regular release schedules to include OpenSSL 1.0.1s in order to mitigate this vulnerability.

Memory leak in SRP database lookups (CVE-2016-0798)

Chef’s products are vulnerable to CVE-2016-0798; however, the vulnerability is considered low severity and Chef’s products do not configure or use an SRP database.

BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)

Chef’s products are vulnerable to CVE-2016-0797; however, the vulnerability is considered low severity and rare, as per the advisory. Chef will update its products according to their regular release schedules to include OpenSSL 1.0.1s in order to mitigate this vulnerability.

Fix memory issues in BIO_*printf functions (CVE-2016-0799)

Chef’s products are vulnerable to CVE-2016-0799; however, the vulnerability is considered low severity and Chef’s products do not print or use ASN.1 formatted data. Chef will update its products according to their regular release schedules to include OpenSSL 1.0.1s in order to mitigate this vulnerability.

Side channel attack on modular exponentiation (CVE-2016-0702)

Chef’s products are vulnerable to CVE-2016-0702; however, the vulnerability is considered low severity, is only applicable to systems running on Intel Sandy Bridge processors, and “the ability to exploit this issue is limited as it relies on an attacker who has control of code in a thread running on the same hyper-threaded core as the victim thread which is performing decryptions.” Chef will update its products according to their regular release schedules to include OpenSSL 1.0.1s in order to mitigate this vulnerability.

Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)

Chef’s products currently ship with OpenSSL 1.0.1r and this vulnerability was corrected in OpenSSL 1.0.1m, released March 19, 2015. Additionally, Chef’s products do not ship with SSLv2 enabled.

Bleichenbacher oracle in SSLv2 (CVE-2016-0704)

Chef’s products currently ship with OpenSSL 1.0.1r and this vulnerability was corrected in OpenSSL 1.0.1m, released March 19, 2015. Additionally, Chef’s products do not ship with SSLv2 enabled.
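The analysis above hinges on where a deployed OpenSSL sits relative to two fix releases: 1.0.1m for the two SSLv2 issues and 1.0.1s for the rest. Comparing OpenSSL 1.0.x versions is easy to get wrong because the trailing letter is a release counter (1.0.1 is older than 1.0.1a, and 1.0.1z is older than 1.0.2). The following is an added helper, not Chef's code: it parses a version string such as the one Python exposes in `ssl.OPENSSL_VERSION`, orders it correctly, and lists which of the CVEs named on this page are still unfixed for that version. The fix-version table is taken from the advisory text above; ignoring status suffixes such as "-fips" or "-beta1" is a simplifying assumption.

```python
"""List which CVEs from this advisory a given OpenSSL version still lacks fixes for.

Added example, not Chef's code. Fix versions come from the advisory text;
suffixes after the release letter (e.g. "-fips") are ignored by assumption.
"""
import re
import ssl

# Fix versions as stated in the advisory above.
FIXED_IN = {
    "CVE-2016-0703": "1.0.1m",
    "CVE-2016-0704": "1.0.1m",
    "CVE-2016-0702": "1.0.1s",
    "CVE-2016-0705": "1.0.1s",
    "CVE-2016-0797": "1.0.1s",
    "CVE-2016-0798": "1.0.1s",
    "CVE-2016-0799": "1.0.1s",
}

# Accepts a bare "1.0.1r" or a banner like "OpenSSL 1.0.1r  28 Jan 2016".
# Anchoring on "OpenSSL " keeps LibreSSL banners from being compared as OpenSSL.
_VERSION_RE = re.compile(r"(?:^|OpenSSL )(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text: str) -> tuple:
    """'OpenSSL 1.0.1r  28 Jan 2016' -> (1, 0, 1, 'r'); a letter-less release -> ''.

    Tuples compare correctly: '' sorts before 'a', and the numeric fields
    dominate the letter, so (1, 0, 2, '') > (1, 0, 1, 'z').
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def unpatched_cves(version_text: str, fixes=FIXED_IN) -> list:
    """CVEs whose fix release is newer than the version given."""
    have = parse_openssl_version(version_text)
    return sorted(cve for cve, fixed in fixes.items()
                  if have < parse_openssl_version(fixed))


def local_openssl_status() -> list:
    """Same check against the OpenSSL this Python interpreter was built with."""
    return unpatched_cves(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    for v in ("1.0.1l", "1.0.1r", "1.0.1s"):
        print(v, unpatched_cves(v))
    print(ssl.OPENSSL_VERSION, local_openssl_status())
```

For the 1.0.1r build mentioned above this returns the five non-SSLv2 CVEs and omits CVE-2016-0703 and CVE-2016-0704, matching the analysis; on a current system it returns an empty list. The interpreter check only covers the OpenSSL that Python itself links against, so for a product that bundles its own copy, feed it the output of that product's `openssl version` instead.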


Julian Dunn

Julian is a former Chef employee