Critical CVEs fixed with Minio update in Chef Automate 4.12.40

By

By

What was the issue? 

Chef Automate version 4.11.0 and below were using a dependent package of Minio, which was susceptible to the following critical CVEs: 

Considering the usage of Minio in distributed environments, there was a high probability of the API key landing in the hands of bad actors. This would have allowed data to be modified or appended and granted administrator access to unauthorized accounts. 

How has it been fixed? 

A custom package based on an open-source version of Minio has been developed to ensure that users with lower privileges cannot access the API key to modify or append irrelevant data. The updated version of custom Minio package solves the following critical CVEs: 

Chef Automate version 4.12.40 and above have this fix. 

What should customer do? 

To protect unauthorised access of API key to potential bad actors and users with lower privileges, please update your Chef Automate application to the latest version. 

The latest version of Chef Automate is 4.12.40. 

Ankur Mundhra

Ankur Mundhra is a Senior Product Manager at Progress Chef.

Kallol Roy

Kallol Roy is the Software Engineering Manager at Progress Chef

Categories

INTERNET US

Company
Using Chef
Legal
Connect with us
Contact Us

Chef is part of the Progress product portfolio. Progress is the leading provider of application development and digital experience technologies.

Copyright © 2024 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.

Progress, Telerik, Ipswitch, Chef, Kemp, Flowmon, MarkLogic, Semaphore and certain product names used herein are trademarks or registered trademarks of Progress Software Corporation and/or one of its subsidiaries or affiliates in the U.S. and/or other countries. See Trademarks for appropriate markings.

Do Not Sell or Share My Personal Information

Powered by Progress Sitefinity