Open Source Chef Server 11.1.1 is a security release that includes an updated version of OpenSSL that patches CVE-2014-0224. All installs of Open Source Chef should be upgraded immediately. This bug permits an attacker to execute an undetectable MITM attack on an otherwise secure connection. As a result, the attacker could read or alter any traffic between the client and the server. This would include secret data such as usernames, passwords, node data, data bags, etc. The severity of this exploit cannot be overstated. Please follow the upgrade instructions below carefully to ensure that your Open Source Chef install is fully patched.
- Download the latest version of the Open Source Chef Server from the Chef downloads page.
- Follow the upgrade instructions on the Chef Documentation site for upgrading a Chef 11 Server.
- Change secrets: as an extra precaution, you may want to change any secrets (such as usernames, passwords and encrypted data bags) that may have been sent between the client and the server. An attacker executing this attack would have been able to see this data in plain text.

If you need help with any of these steps, please contact support.
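After upgrading, it is worth confirming that the OpenSSL the server actually uses is at a fixed version. The script below is an added example and is not part of this release note or of Chef's own tooling. It compares an `openssl version` token against the fixed releases named in the OpenSSL advisory linked below (1.0.1h, 1.0.0m and 0.9.8za; later branches such as 1.0.2 and 1.1.x postdate the fix). The path `/opt/chef-server/embedded/bin/openssl` is assumed, not stated on this page, and can be overridden with the first argument. One caveat: the version string is only meaningful for a build like the Chef-bundled one that is upgraded as a unit; distribution packages often backport the fix without bumping the version, so for the system OpenSSL the package changelog is the authority, not this check.

```shell
#!/bin/sh
# Added example (not from the Chef release note or the Chef project): check
# whether an OpenSSL build is at or past the versions that fix CVE-2014-0224.
# Fixed versions per https://www.openssl.org/news/secadv_20140605.txt:
#   1.0.1h, 1.0.0m and 0.9.8za. Branches released later (1.0.2, 1.1.x, 3.x)
#   never carried the bug.

# str_ge A B: succeed if string A sorts at or after string B in byte order.
# Used to compare OpenSSL letter suffixes ("g" < "h", "y" < "za").
str_ge() {
    [ "$1" = "$2" ] && return 0
    first=$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | head -n 1)
    [ "$first" = "$2" ]
}

# ccs_patched_version TOKEN: succeed if the version token printed by
# `openssl version` (e.g. 1.0.1h, 0.9.8za, 1.0.1e-fips) carries the fix.
ccs_patched_version() {
    ver=$1
    [ -n "$ver" ] || return 2
    base=${ver%%[a-z]*}        # digits and dots only: 1.0.1h -> 1.0.1
    suffix=${ver#"$base"}      # what follows the base: h, za, e-fips
    suffix=${suffix%%-*}       # drop build tags such as -fips
    case "$base" in
        1.0.1) str_ge "$suffix" h ;;
        1.0.0) str_ge "$suffix" m ;;
        0.9.8) str_ge "$suffix" za ;;
        0.*)   return 1 ;;      # 0.9.7 and earlier: unsupported, no fix shipped
        *)     return 0 ;;      # 1.0.2 and later branches postdate the fix
    esac
}

# ccs_check_binary PATH: run "PATH version", report the verdict and return
# 0 (patched), 1 (not patched) or 2 (binary could not be queried).
ccs_check_binary() {
    bin=$1
    line=$("$bin" version 2>/dev/null) || return 2
    set -- $line               # word-split "OpenSSL 1.0.1h 5 Jun 2014"
    [ -n "$2" ] || return 2
    if ccs_patched_version "$2"; then
        echo "$bin: OpenSSL $2 is patched for CVE-2014-0224"
        return 0
    fi
    echo "$bin: OpenSSL $2 is NOT patched for CVE-2014-0224; upgrade the server"
    return 1
}

# Assumed location of the OpenSSL bundled with Open Source Chef Server 11
# (not stated on the page); pass a different path as the first argument.
CHEF_OPENSSL=${1:-/opt/chef-server/embedded/bin/openssl}

if [ -x "$CHEF_OPENSSL" ]; then
    ccs_check_binary "$CHEF_OPENSSL" || true
else
    echo "$CHEF_OPENSSL not found; checking only the system openssl"
    sys_openssl=$(command -v openssl 2>/dev/null) || sys_openssl=
    [ -n "$sys_openssl" ] && { ccs_check_binary "$sys_openssl" || true; }
fi
```

Run it on the Chef server host after the upgrade; an exit status of 1 from `ccs_check_binary` means the bundled OpenSSL still predates 1.0.1h and the upgrade did not take effect.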
The following items are the set of security fixes that have been applied since Chef Server 11.1.0:
- Address the OpenSSL vulnerabilities CVE-2014-0224, CVE-2014-0221, CVE-2014-0195 and CVE-2014-3470 by updating the bundled OpenSSL (see the OpenSSL security advisory at https://www.openssl.org/news/secadv_20140605.txt).