Chef Confirms No Products Affected by Backdoored RubyGems

At Chef, we have a cross-functional security team who evaluates and responds to potential security incidents. Because a significant portion of our code uses Ruby and Ruby libraries (known as “gems”), we have been paying close attention to the reports of malicious code insertion into several gems. Shortly after the news of the compromise became public we started a comprehensive audit to understand if Chef products were impacted.

No shipped Chef artifacts contain the affected gems. 

Every release we produce stores a manifest containing the version of every external dependency. We were able to scan product manifests to confirm we never consumed the malicious gems.

Curious how we did this? Read on! Looking to see if your other Ruby apps are impacted? We can help!

How We Evaluated Product Releases

We started with ensuring builds in the current and stable channels do not include the malicious libraries. Each build produces a manifest of what software and libraries are included within the build artifact. The manifests for each build are stored as JSON alongside the artifact in our internal artifact repository.

We used the artifact repository’s API to query which artifacts were produced during the time frame in which the malicious rest-client versions were published. The manifests for these builds were retrieved with the following command.

> curl "https://<repository>/api/search/dates?dateFields=created&from=2019-08-13T00:00:00.000Z&to=2019-08-20T00:00:00.000Z&repos=omnibus-current-local,omnibus-stable-local" \
    | jq -r '.results[] | .uri' \
    | grep "metadata.json" \
    | xargs -P6 curl --silent \
    | jq -r '.downloadUri' \
    | xargs -n1 -P12 curl --silent -O
> ls -l *.metadata.json | wc -l

We’ve downloaded the manifests for the 165 packages built between August 13, 2019 and August 20, 2019. We scanned each manifest for inclusion of rest-client 1.6.10-13.

> grep --with-filename --only-matching -E " includes rest-client 1\.6\.1[0-9]+" *.json

None. No matches, so no packages include rest-client 1.6.10-13.

Investigation of the malicious rest-client versions uncovered 10 other malicious gems published to RubyGems as far back as July 8, 2019. Out of an abundance of caution, we performed a similar query for the artifacts produced since July and retrieved their manifests.

> ls -l *.metadata.json | wc -l

About 2,000 packages have been produced since July 8, 2019. We scanned their manifests with a slightly more complicated regex.

> grep --no-filename --only-matching -E " includes (bitcoin_vanity|lita_coin|coming-soon|omniauth_amazon|cron_parser|coin_base|blockchain_wallet|awesome-bot|doge-coin|capistrano-colors) [0-9]+\.[0-9]+\.[0-9]+" *.metadata.json \
    | sort \
    | uniq

If you have any questions about this issue, please visit us in our Community Slack. In the meantime, you can rest assured that this CVE did not affect you through Chef.
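For readers who want to run the same kind of check against their own Ruby applications, here is an added example (not Chef’s code, and not part of the original post) that scans a Bundler Gemfile.lock for the gems named above. It assumes the standard Gemfile.lock layout, in which locked gems sit under a “specs:” heading at four spaces of indentation as “name (version)”. The rest-client range 1.6.10 through 1.6.13 comes from the post; the post does not state which versions of the other ten gems were malicious, so every locked version of those is flagged for manual review. The sample lockfile at the bottom is constructed for demonstration.

```ruby
require 'rubygems'

# rest-client: the post names 1.6.10 through 1.6.13 as the backdoored releases.
REST_CLIENT_BAD = Gem::Requirement.new('>= 1.6.10', '<= 1.6.13')

# The other gems named in the post. It does not state which of their versions
# were malicious, so every locked version of these is flagged for review.
FLAG_ANY_VERSION = %w[
  bitcoin_vanity lita_coin coming-soon omniauth_amazon cron_parser
  coin_base blockchain_wallet awesome-bot doge-coin capistrano-colors
].freeze

# Return {gem_name => [Gem::Version, ...]} for every locked gem in a
# Gemfile.lock. Locked gems appear under a "specs:" heading at exactly four
# spaces of indentation as "name (version)"; deeper-indented lines are their
# dependency constraints and carry no locked version, so they are skipped.
def locked_gems(lockfile_text)
  gems = {}
  in_specs = false
  lockfile_text.each_line do |line|
    in_specs = false if line =~ /\A\S/          # new top-level section (GEM, PLATFORMS, ...)
    in_specs = true  if line =~ /\A  specs:\s*\z/
    next unless in_specs
    next unless (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
    name = m[1]
    version = m[2].split('-', 2).first          # drop a platform suffix such as "-x86-mingw32"
    (gems[name] ||= []) << Gem::Version.new(version)
  end
  gems
end

# Return human-readable findings for every locked gem that matches the list.
def suspicious_gems(lockfile_text)
  findings = []
  locked_gems(lockfile_text).each do |name, versions|
    versions.each do |v|
      if name == 'rest-client' && REST_CLIENT_BAD.satisfied_by?(v)
        findings << "rest-client #{v} is a backdoored release"
      elsif FLAG_ANY_VERSION.include?(name)
        findings << "#{name} #{v} is named in the reports; review it"
      end
    end
  end
  findings
end

# Constructed sample lockfile (not from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mime-types (3.3)
      rest-client (1.6.13)
        mime-types (>= 1.16)
      nokogiri (1.10.4)
      doge-coin (1.0.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    doge-coin
    nokogiri
    rest-client (~> 1.6)
LOCK

if $PROGRAM_NAME == __FILE__
  # Usage: ruby check_lock.rb [path/to/Gemfile.lock]; defaults to the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  findings = suspicious_gems(text)
  puts(findings.empty? ? 'No gems from the reports found.' : findings)
end
```

Because the script reads the lockfile rather than the installed gem set, it reports exactly what a deployment would install from that lockfile; run it against every application’s Gemfile.lock, and against any vendored bundle, to get the same assurance the manifest scan above gives for Chef’s own packages.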


Galen Emery

I am Galen, the Lead Compliance and Security Architect for Chef. My professional life has been built upon automating everything I can, and am responsible for helping security and compliance teams understand how to secure systems within the DevOps model. I currently live in San Diego, CA but am originally from Seattle, WA with time spent in DC working with the federal government. I have extensive experience in Windows, Cloud Migrations, Chef, Compliance and Security. I hold an active CISSP.