Blog-Icon_1_100x385

Enterprise Chef Server 1.4.13 Release

Enterprise Chef Server 1.4.3 is a security release to address a PostgreSQL configuration error. The defect allows any local user on the system hosting the Chef Server’s PostgreSQL components full access to databases. We advise all Chef Server users to update to this latest release which corrects the error.

Affected Versions

All versions of Enterprise Chef Server 1.4 are affected.

Impact

An attacker with existing access to execute code on the Chef Server can gain superuser access to PostgreSQL hosted on the system and eventually gain root user privileges to the operating system.

You can check if your Chef Server is vulnerable to the defect by executing the following command on the Chef server (if the Chef Server is configured with separate front end and back end servers, this command should be executed on a back end server):

/opt/opscode/embedded/bin/psql -U opscode-pgsql –d template1 –c '\echo security configuration defect present'

If you see the output `security configuration defect present` the defect affects your server. Otherwise, you will see an error like `psql: FATAL authentication failed for user`, and this means the defect is not present on that system.

Upgrade Instructions

Download
Contact your sales representative for a link to download the patched version of Enterprise Chef.

Upgrade
Follow the upgrade instructions on the Chef Documentation site:
* Standalone Installations
* HA Installations

Adam Edwards

Former Chef Employee