Ohai Chefs! Today we’re releasing patched versions of Open Source Chef Server and Enterprise Chef that address the OpenSSL security vulnerability CVE-2014-0160, also known as Heartbleed. We recommend that you upgrade your Chef Server install immediately. You will need to take the following steps to fully address the OpenSSL vulnerability:
- Upgrade to the Latest Version of the Chef Server – The latest version of the Chef Server is updated with a patched version of OpenSSL.
- Regenerate the Chef Server’s SSL Keys – Besides upgrading OpenSSL, this is the most important step in closing the Heartbleed vulnerability. The SSL keys and certificates, as well as any secrets stored on your Chef Server, should be considered exposed to every network from which the Chef Server was reachable.
- Change Your Secrets – Once your Chef Server install is patched it is safe from further Heartbleed reads, but arbitrary data from your Chef install may already have been disclosed. Depending on how much you trust the defenses around your Chef Server, you may want to change user passwords and any other sensitive data that was not encrypted by some out-of-band mechanism.
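As an added example that is not part of the original post, the two checks below cover steps 1 and 2 after the upgrade: one classifies an `openssl version` string against the upstream releases known to contain Heartbleed (1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g is fixed), and one confirms that the server's key pair actually changed rather than only its certificate. It assumes the openssl CLI is on PATH; the certificate paths shown are placeholders, not Chef's own.

```shell
#!/bin/sh
# Constructed post-upgrade checks; not part of the Chef Server packages.

# Step 1: classify an `openssl version` string. Upstream 1.0.1 through 1.0.1f
# and 1.0.2-beta1 contain the Heartbleed bug; 1.0.1g and later do not.
# Caveat: distro packages that backported the fix keep the old version string,
# so "affected" here means "confirm via the package changelog", not "exposed".
# Prints affected/not-affected; exit 0 = affected, 1 = not affected, 2 = unknown.
heartbleed_affected() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\(-beta[0-9]*\)\{0,1\}\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1)          echo affected;     return 0 ;;
        0.9.*|1.0.0*|1.0.1[g-z]*|1.0.2*|1.1*)  echo not-affected; return 1 ;;
        *) echo "unrecognised version string: $1" >&2; return 2 ;;
    esac
}

# Step 2: prove the private key was regenerated, not just the certificate.
# The SHA-256 of the SubjectPublicKeyInfo is identical for every certificate
# issued for the same private key, so equal digests mean the leaked key is
# still in service.
pubkey_digest() {
    openssl x509 -noout -pubkey -in "$1" | openssl dgst -sha256 | sed 's/.* //'
}

# key_rotated OLD_CERT NEW_CERT -> exit 0 only if the public key differs.
key_rotated() {
    old=$(pubkey_digest "$1"); new=$(pubkey_digest "$2")
    [ -n "$old" ] && [ -n "$new" ] && [ "$old" != "$new" ]
}

# Example run on the server itself (paths are placeholders):
#   heartbleed_affected "$(openssl version)"
#   key_rotated /path/to/backup/old-server.crt /path/to/nginx/server.crt
```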
The Enterprise add-ons for Enterprise Chef also ship with a vulnerable version of OpenSSL; however, those services rely on the Nginx HTTP proxy that ships with Enterprise Chef to handle SSL negotiation. This means that these services (Chef Manage, Chef Reporting, Chef Push Server) don’t require a patched package of their own beyond the Enterprise Chef upgrade. We will, however, be shipping new packages for these add-ons shortly to ensure that they are on the latest version of OpenSSL.