Chef Releases for OpenSSL (CVE-2014-0224) Vulnerability

On Thursday June 5th at approximately 14:00 UTC, the CHEF engineering team was made aware of OpenSSL CVE-2014-0224. A bug in the OpenSSL framework could permit a MITM attack under certain circumstances using a carefully constructed request. Due to the nature of this vulnerabilty, we recommend that you upgrade your installations immediately.

Here are the steps you need to take to fully address this vulnerability:

– **Upgrade to the latest version of the Chef Client** – the latest version of the Chef Client packages are updated with a patched version of OpenSSL.
– **Upgrade to the latest version of the Chef Server** – the latest version of the Chef Server packages (all flavors) are updated with a patched version of OpenSSL.
– **Change your secrets** – depending on your comfort level of the defenses around your Chef Server, you may want to change user passwords, secret keys, or any other sensitive data that was not encrypted via an out-of-band mechanism.

## Client Releases
Chef Client 10.32.4
Chef Client 11.12.6

## Server Releases
Enterprise Chef Server 11.1.6
Enterprise Chef Server 1.4.11
Open Source Chef Server 11.1.1

## Enterprise Add-ons
Just as the Heartbleed vulnerability, the Enterprise Add-ons do contain a compromised version of OpenSSL. However, those services piggyback on the Nginx HTTP proxy that ships with Enterprise Chef to do SSL negotiation. These services (such as Chef Manage, Chef Reporting, and Chef Push Server) do not require a patched version outside of Enterprise Chef. Nonetheless, we have shipped updated Chef Manage and Chef Reporting addons, and will have a Pushy update released shortly to ensure all Enterprise addons are on the latest version of OpenSSL.

Ian Garrison