Chef Security Releases: 11.12.8 & 10.32.2-2

Ohai Chefs,

Today we are releasing Chef Client 11.12.8 & 10.32.2-2 which include an updated version of OpenSSL that patches CVE-2014-0224. All installs of Chef Client should be upgraded immediately. This bug permits an attacker to execute an undetectable MITM attack on an otherwise secure connection. As a result, the attacker could read or alter any traffic between the client and the server. This would include secret data such as usernames, passwords, node data, data bags, etc. The severity of this exploit cannot be overstated. Please follow the upgrade instructions below carefully to ensure that your Chef Client install is fully patched.

For information about the windows packages that contain the fix for this vulnerability please check out this.

Upgrade Instructions

As usual you can get these releases with our install script:

curl -L | sudo bash -s -- -v 10.32.2 
curl -L | sudo bash -s -- -v 11.12.8

Extra Precautions

As an extra precaution, you may want to change any secrets (such as usernames, passwords, encrypted data bags) that may have been sent between the client and the server. If an attacker was executing this attack he/she would be able to see this data in “plain-text”. Please reach out to us if you are having any troubles with these releases.


Serdar Sutay