Chef & Rails CVE-2014-3482

At 17:11 UTC, the Rails security team publicized CVE-2014-3482 and CVE-2014-3483. In short, both vulnerabilities are in the PostgreSQL adapter of ActiveRecord. A bug in the SQL quoting code could allow an attacker to carefully craft a request and execute a SQL injection. Only applications that query against bitstring columns (CVE-2014-3482) or range type columns (CVE-2014-3483) were vulnerable; applications on other databases, or that never bind user input against those column types, were not affected.
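To make the bug class concrete, here is an added example (not the ActiveRecord adapter's own code, and not part of the original post). It assumes the root cause was a Ruby regular expression anchored with `^` and `$`, which match at line boundaries rather than string boundaries, used to validate a bit-string literal before interpolating it into SQL. A weak and a hardened quoting routine are shown side by side, together with a constructed attacker value that passes the weak check.

```ruby
# Added example: a minimal stand-alone model of the quoting bug class behind
# CVE-2014-3482. This is NOT the ActiveRecord PostgreSQL adapter's code; it is
# a reconstruction that assumes the flaw was a per-line regex anchor (^ / $)
# guarding string interpolation into a SQL literal.

# Weak quoting: in Ruby, ^ and $ match at the start and end of any LINE, so a
# value whose first line is all 0/1 characters passes validation even when the
# following lines contain arbitrary SQL.
def quote_bitstring_weak(value)
  case value
  when /^[01]*$/      then "B'#{value}'"   # bit-string literal
  when /^[0-9A-F]*$/i then "X'#{value}'"   # hexadecimal literal
  else
    raise ArgumentError, "not a bit-string literal: #{value.inspect}"
  end
end

# Hardened quoting: \A and \z anchor to the start and end of the WHOLE string,
# so the entire value must consist of literal characters.
def quote_bitstring_strict(value)
  case value
  when /\A[01]*\z/      then "B'#{value}'"
  when /\A[0-9A-F]*\z/i then "X'#{value}'"
  else
    raise ArgumentError, "not a bit-string literal: #{value.inspect}"
  end
end

# Constructed attacker input (not from any real incident): a valid first line,
# then a newline and SQL that closes the literal and appends a statement.
CRAFTED = "1\n'; DROP TABLE users; --"

# Runs both routines over the crafted value and returns what each produced.
def demo(value = CRAFTED)
  weak = quote_bitstring_weak(value)
  strict = begin
    quote_bitstring_strict(value)
  rescue ArgumentError => e
    "rejected (#{e.message})"
  end
  { weak: weak, strict: strict }
end

if __FILE__ == $PROGRAM_NAME
  result = demo
  puts "weak:   #{result[:weak].inspect}"
  puts "strict: #{result[:strict]}"
end
```

The weak routine returns `B'1` followed by a newline and `'; DROP TABLE users; --'`, which a PostgreSQL client would execute as two statements; the strict routine rejects the same value. Any check that gates string interpolation into SQL should anchor with `\A` and `\z` (or use bind parameters), and the range-type case (CVE-2014-3483) is the same class of problem: user-controlled text reaching a SQL literal without proper quoting.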

After a careful investigation of our various services, both internal and external, we concluded that no Chef Software products are vulnerable to CVE-2014-3482 or CVE-2014-3483.

We take security very seriously at Chef Software. In accordance with our responsible disclosure policy, please email security (at) getchef.com to bring vulnerabilities to our attention.

Seth Vargo

Seth Vargo is a Release Engineer and Awesome Community Chef at CHEF. When he is not forcing Jenkins to bend to his will, Seth is contributing to Chef core, writing cookbooks, or working on new open source tooling. Seth is the author or core team member for Berkshelf, Fauxhai, ChefSpec, Strainer and more. Seth was the original author of #learnchef and drinks a lot of Diet Coke. Seth regularly hangs out on IRC, Twitter, and GitHub. You can find him under the single moniker "@sethvargo" almost everywhere on the Internet.