Today we are announcing security releases of all supported versions of Chef Server, Enterprise Chef, and Chef Analytics.
These releases address two separate issues:
* POODLE SSLv3 attack, which allows a remote attacker to extract plaintext of targeted data within an SSL connection
* CVE-2014-3513 and CVE-2014-3567, which expose a potential DoS attack vector.
Chef Server, Enterprise Chef, and Chef Analytics have been updated to disable SSLv3 by default, and they include the latest OpenSSL library security update. While it remains possible to configure your Chef Server installation to support SSLv3, this is considered deprecated within the Chef family of products. SSLv3 support will be completely removed in future releases.
If you are unable to perform this upgrade immediately, we strongly recommend that you apply the remediation posted in our earlier post.
#### Chef Server / Enterprise Chef
If you have set `nginx['enable_non_ssl'] = true` as outlined in the mitigation steps for Enterprise Chef 11.2, please remove that option from `private-chef.rb` after applying this update. You may also remove the setting for `nginx['ssl_protocols']` if you added it for purposes of remediation.
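As an added example (not part of this announcement and not Chef's own tooling), the following Ruby script scans a `private-chef.rb` for the two temporary mitigation settings named above, so an operator can confirm they were removed after the upgrade. It assumes `nginx['ssl_protocols']` is a space-separated string of protocol names, and the sample configuration text embedded in it is constructed for illustration.

```ruby
# Added example, not Chef's code: audit a private-chef.rb for the temporary
# POODLE mitigation settings that should be removed after this upgrade.

# Constructed sample contents of a private-chef.rb that still carries the
# pre-upgrade mitigation settings.
SAMPLE_CONFIG = <<~CONF
  # private-chef.rb (constructed sample)
  topology "standalone"
  nginx['enable_non_ssl'] = true
  nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
  nginx['ssl_port'] = 443
CONF

# Returns an array of findings; each is a hash with the line number, the
# offending key and the recommended action.
def audit_private_chef_rb(config_text)
  findings = []
  config_text.each_line.with_index(1) do |raw, lineno|
    line = raw.sub(/#.*/, '').strip # ignore comments and surrounding whitespace
    next if line.empty?

    case line
    when /\Anginx\[['"]enable_non_ssl['"]\]\s*=\s*true\b/
      # The non-SSL listener was only a stop-gap for the mitigation period.
      findings << { line: lineno, key: 'enable_non_ssl',
                    action: 'remove: non-SSL listener was a temporary mitigation' }
    when /\Anginx\[['"]ssl_protocols['"]\]\s*=\s*["'](.*)["']/
      # Assumption: value is a space-separated list of protocol names.
      protocols = Regexp.last_match(1).split
      if protocols.any? { |p| p.casecmp('SSLv3').zero? }
        findings << { line: lineno, key: 'ssl_protocols',
                      action: 'SSLv3 is explicitly enabled; remove it (SSLv3 is deprecated)' }
      else
        findings << { line: lineno, key: 'ssl_protocols',
                      action: 'optional: remove, the updated default already disables SSLv3' }
      end
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit_private_chef_rb(SAMPLE_CONFIG).each do |f|
    puts "line #{f[:line]}: nginx['#{f[:key]}'] -> #{f[:action]}"
  end
end
```

Run it against the real file with `ruby audit.rb` after pointing `SAMPLE_CONFIG` at `File.read('/etc/opscode/private-chef.rb')`; an empty result means neither mitigation setting is still present, and any `ssl_protocols` line that names SSLv3 is flagged separately because that setting re-enables the protocol the upgrade disables by default.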
#### Premium Features
If you have Premium Feature packages installed you must perform a “reconfigure“ of each after updating Chef Server/Enterprise Chef. Details can be found in the install procedures documented here.
Of the supported Chef Premium Features, only Analytics requires a package update: