Security Release: Chef Server 12.0.1 and Enterprise Chef Server 11.2.6

Available for immediate download are Chef Server 12.0.1 and Enterprise Chef Server 11.2.6.

This release addresses CVE-2014-8144, a CSRF vulnerability found in doorkeeper, a gem used by the oc-id service that ships with the Chef Server. This release updates oc-id to the latest version, 0.4.4, which contains the patched doorkeeper gem.

Open Source Chef Server 11 is not affected by this vulnerability, as it does not include the oc-id service.

These releases do contain some minor code updates that do not affect user functionality. If you are curious, the full changelog for Chef Server 12.0.1 can be found here and the full changelog for Enterprise Chef Server 11.2.6 can be found here.


The fix can be applied by upgrading your existing Chef Server to the latest version.

Chef Server 12.0.1Upgrade Docs

Enterprise Chef Server 11.2.6Upgrade Docs

Should you have any issues or concerns, please reach out to Chef Support, file an issue against the chef-server repo, or seek out help in the #chef IRC room.


Mark Mzyk

Mark is an engineering manager at Chef, having accepted the position after having been a long time software engineer at Chef. In his time at Chef he's contributed code to almost every single Chef product. Now code dominates his life less, but he gets the joy of helping others create code that has a positive impact.