Chef Server 11.0.6 and 10.24.0 Released

This release includes a few important security fixes.

Solr Security Fix

The default solr configuration enables some tunables for updating data and debugging that provide a remote attack surface. The configuration in this release disables those features.

Chef 11

Omnibus packaging makes this easy:

  • Download the new package and install it
  • Run sudo chef-server-ctl reconfigure

Chef 10

If you have an existing Chef 10 Server installation, you’ll need to use the chef-solr-installer tool after installation to replace the configuration and then rebuild the search indexes.

sudo gem install chef-solr --no-rdoc --no-ri
sudo chef-solr-installer -c /etc/chef/solr.rb -u chef
sudo /etc/init.d/chef-solr restart
knife index rebuild

If you’re on an older Chef Server 10 release and can’t upgrade, edit /var/lib/chef/solr/home/conf/solrconfig.xml with the changes detailed in CHEF-3984 and restart chef-solr. Do not run chef-solr-installer, as that will overwrite this file.

Release Notes

Chef 11.0.6 Server

Multiple Rails related security fixes are included in the WebUI that were recently released in the Chef 10 WebUI. They are detailed in the release notes below.

Mike Javorski improved search on Chef 11 to be able to search for attributes with forward slashes.

Special thanks to Michael Della Bitta for responsibly disclosing the security issue related to the solr configuration. You’re the Chef Server 11.0.6 MVP for having our back.

Security concerns can always be raised with us directly by mailing [email protected].

  • [CHEF-2760] – Knife is unable to search for attributes with forward slashes
  • [CHEF-3888] – chef-server-webui is susceptible to rack vulnerability
  • [CHEF-3894] – solr config allows remote read access to files on disk

Chef 10.24.0

Because we’re already rebuilding the search indexes, we included an increase to the maxFieldLength setting in the solr configuration, which solves CHEF-2346 for most people.
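After reconfiguring (or hand-editing solrconfig.xml on an older release), an administrator will want to confirm that the config actually in use is the hardened one. The following is an added example, not part of this announcement or of chef-solr: it reads a Solr 1.x style solrconfig.xml and reports the request handlers, the requestParsers enableRemoteStreaming flag (a general Solr setting, not the specific CHEF-3984 change, which this page does not detail) and the maxFieldLength values, so the output can be compared with the shipped configuration. The sample config, the expected handler set and the minimum field length are constructed assumptions.

```python
"""Audit a Solr 1.x style solrconfig.xml after the chef-solr upgrade.

Reports request handlers, the remote-streaming flag and maxFieldLength so
the live file can be compared with the configuration the release ships.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a Solr 1.x solrconfig.xml; it is not
# the file chef-solr ships, only a stand-in so the functions run offline.
SAMPLE_CONFIG = """<config>
  <indexDefaults>
    <maxFieldLength>10000</maxFieldLength>
  </indexDefaults>
  <mainIndex>
    <maxFieldLength>10000</maxFieldLength>
  </mainIndex>
  <requestParsers enableRemoteStreaming="true" multipartUploadLimitInKB="2048"/>
  <requestHandler name="standard" class="solr.SearchHandler" default="true"/>
  <requestHandler name="/update" class="solr.XmlUpdateRequestHandler"/>
  <requestHandler name="/debug/dump" class="solr.DumpRequestHandler"/>
</config>
"""


def audit_solrconfig(xml_text):
    """Return a dict summarising the security-relevant settings in the config."""
    root = ET.fromstring(xml_text)
    parsers = root.find("requestParsers")
    remote = parsers is not None and parsers.get("enableRemoteStreaming", "false").lower() == "true"
    return {
        "handlers": {h.get("name"): h.get("class") for h in root.iter("requestHandler")},
        "remote_streaming": remote,
        "max_field_length": [int(e.text) for e in root.iter("maxFieldLength")],
    }


def findings(report, expected_handlers, min_field_length):
    """List deviations from a baseline the caller supplies (assumed values:
    the handler names in the shipped config and the expected maxFieldLength)."""
    out = []
    if report["remote_streaming"]:
        out.append("requestParsers enableRemoteStreaming is true")
    for name in sorted(set(report["handlers"]) - set(expected_handlers)):
        out.append("unexpected requestHandler %s (%s)" % (name, report["handlers"][name]))
    for n in report["max_field_length"]:
        if n < min_field_length:
            out.append("maxFieldLength %d is below %d" % (n, min_field_length))
    return out


if __name__ == "__main__":
    for line in findings(audit_solrconfig(SAMPLE_CONFIG), {"standard", "/update"}, 100000):
        print(line)
```

To check a real server, replace SAMPLE_CONFIG with the contents of the solrconfig.xml path your installation uses and the expected handler set with the one from the freshly installed config.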

A tip of the hat to famous Chef MVP Matthew Kent for his patch to the solr configuration to increase maxFieldLength.

We’d also like to give the Chef 10.24.0 MVP to Anthony Goddard. Anthony has been a Chef contributor and advocate for years, leading many others to Chef along the way. He most recently wrote knife-ghost, a tool for populating your /etc/hosts file from a knife search. Thanks Ant!

  • [CHEF-2346] – beware of solr maxFieldLength option ! It will stop indexing nodes with a lot of attributes
  • [CHEF-3888] – chef-server-webui is susceptible to rack vulnerability
  • [CHEF-3894] – solr config allows remote read access to files on disk

Related vulnerabilities

  • [CVE-2013-0276] Circumvention of attr_protected
  • [CVE-2013-0277] Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0
  • [CVE-2013-0269] Denial of Service and Unsafe Object Creation Vulnerability in JSON
  • [CVE-2013-0263] Rack::Session::Cookie vulnerability in Rack
  • [CVE-2013-0262] Rack PATH_INFO environment variable vulnerability

Bryan McLellan