On January 28th, 2016, the OpenSSL team released a new high severity security advisory. Simultaneous to the publication of this new high severity security advisory, the OpenSSL team also made available new versions of the OpenSSL code containing fixes for the vulnerabilities described in these advisories. After reviewing the vulnerabilities described in these security advisories, the team at CHEF has determined that Chef products are not at immediate risk as a result of the OpenSSL vulnerabilities disclosed today.
Recommendation to users
Because OpenSSL 1.0.2. is the only version of OpenSSL vulnerable to the exploit described in CVE-2016-0701, Chef users do not need to take immediate action in response to this discolsure, because Chef products do not include OpenSSL 1.0.2.
OpenSSL 1.0.2 DH small subgroups (CVE-2016-0701)
There are no Chef products that include OpenSSL 1.0.2. As a result, Chef products are not affected by the vulnerability disclosed in high severity bulletin CVE-2016-0701 (OpenSSL 1.0.2 DH small subgroups (CVE-2016-0701)).
SSLv2 doesn’t block disabled ciphers (CVE-2015-3197)
Chef products currently include OpenSSL 1.0.1, which is vulnerable to the low severity exploit described in CVE-2015-3197. The OpenSSL Software Foundation notes that “low severity vulnerabilities will be noted in the changelog and commit messages, but they may not trigger new releases.”
Chef Response Plan
There is no immediate response necessary for Chef users as a result of the vulnerabilities disclosed in the newly published OpenSSL high severity security advisory.
Chef users do not need to take any immediate action in response to the newly published OpenSSL high severity security advisory. Chef products are not vulnerable to CVE-2016-0701. Chef will include the newly-released patches to OpenSSL in future releases on the previously planned product release schedule.