Security Release: Chef Server and Analytics (POODLE and OpenSSL Vulnerabilities)

Today we are announcing security releases of all supported versions of Chef Server, Enterprise Chef, and Chef Analytics.

These releases address two separate issues:

* The POODLE SSLv3 attack, which allows a remote attacker to extract plaintext of targeted data within an SSL connection
* CVE-2014-3513 and CVE-2014-3567, which expose a potential DoS attack vector.

Chef Server, Enterprise Chef, and Chef Analytics have been updated to disable SSLv3 by default, and they include the latest OpenSSL library security update. While it remains possible to configure your Chef Server installation to support SSLv3, this is considered deprecated within the Chef family of products. SSLv3 support will be completely removed in future releases.

If you are unable to perform this upgrade immediately, we strongly recommend that you apply the remediation posted in our earlier post.

## Releases

#### Chef Server / Enterprise Chef

If you have set `nginx['enable_non_ssl'] = true` as outlined in the mitigation steps for Enterprise Chef 11.2, please remove that option from `private-chef.rb` after applying this update. You may also remove the setting for `nginx['ssl_protocols']` if you added it for purposes of remediation.

* Chef Server 12.0.0-rc.5 (Upgrade Docs)
* Chef Server 11.1.6 (Upgrade Docs)
* Enterprise Chef 11.2.3 (Upgrade Docs)
* Enterprise Chef 1.4.15 (Upgrade Docs)

#### Premium Features

If you have Premium Feature packages installed you must perform a `reconfigure` of each after updating Chef Server/Enterprise Chef. Details can be found in the install procedures documented here.

Of the supported Chef Premium Features, only Analytics requires a package update:

* Analytics 1.0.4

Marc Paradise

Marc has over 19 years of experience in software design, development and delivery, and has been with Chef since 2011. Other interests include writing, distributed computing, hardware hacking, container technology, and a myriad of other accumulated pastimes. Marc only talks about himself in the third person when writing biographical blurbs.