Good day Chefs! As some of you may know, CVE-2014-0160 (“Heartbleed”) announced a vulnerability in certain versions of OpenSSL. Chef uses OpenSSL in its platforms (both hosted and on premise). We take the security of our software and your data very seriously. The team immediately began investigating the level of potential risk in Chef, and have determined that:
- The Hosted Enterprise Chef API is not affected by this vulnerability. While we do have nodes that are affected internally, they are not exposed to the Internet, and are being patched now.
- Enterprise Chef and Open Source Chef are both vulnerable, and we are working on patch releases today, along with instructions for re-generating the potentially compromised SSL certificates.
- Add-ons to Enterprise Chef (Manage, Push, and Reporting) do not expose the vulnerability to users of Enterprise Chef, though they are packaged with vulnerable versions of OpenSSL. New versions of these add-ons with patched versions of OpenSSL will be released shortly after the Enterprise Chef release.
- Chef Client is vulnerable when connecting to compromised servers via SSL. In this scenario a compromised server can send heartbeat requests and can read process memory of Chef Client which might include sensitive information. New versions of Chef Client 11.12.0 and 10.32.0 will be released ASAP.
- api.berkshelf.com is affected. The Berkshelf API is hosted on Heroku, and was affected. We are in the process of working with the other Berkshelf maintainers to get a new certificate generated and loaded.
Updates and releases will be posted on this blog as they become available. Chef is dedicated to resolving security issues promptly, while remaining open and honest with our customers. Please check back often and if you require assistance please contact firstname.lastname@example.org or if you have security concerns email@example.com.