Chef Server 11.0.12 is a security release that includes an updated version of OpenSSL that patches CVE-2014-0160, also known as the Heartbleed bug. All installs of Chef Server should be upgraded immediately. The result of this bug is a trivial exploit that allows an attacker to read secrets from the memory of a compromised server. These secrets can include any of the information stored within your Chef Server – usernames, passwords, node data, databags, etc. The severity of this exploit cannot be understated. Please follow the upgrade instructions below carefully to ensure that your Chef Server install is fully patched.
To download the latest version of Chef Server, visit https://www.getchef.com/chef/install
First, follow the upgrade instructions on the Chef Documentation site here: http://docs.opscode.com/upgrade_server_open_source.html#upgrade-to-newer-versions-of-chef-server-11
NOTE – Besides upgrading OpenSSL, this is the most important step in closing the vulnerability of the Heartbleed bug. The SSL certificates, as well as any of the secrets stored on your Chef Server, should be considered compromised to the network to which the Chef Server was available. Here are the steps needed to regenerate your SSL certificates:
Regenerate your SSL certificates by following the instructions on the Chef Documentation site here: http://docs.opscode.com/open_source/server_security.html#regenerate-ssl-certificates
- Changing Secrets – While your Chef Server install is now patched and safe from the Heartbleed bug, it is still possible that arbitrary data from your Chef install was compromised. Depending on your comfort level with the defense around your Chef Server, you may want to change user passwords and any other sensitive data that wasn’t encrypted via an out-of-band mechanism.
- Chef Client – Chef does authentication and authorization by signing each request, so you don’t have to worry about regenerating your client credentials.
The following items are the set of security fixes that have been applied since Chef Server 11.0.11:
- [libcurl] Patch for wrong re-use of connections (CVE-2014-0138)
- [libcurl] Patch for address wildcard certificate validation (CVE-2014-0139)
- [libcurl] Patch for not verifying certs for TLS to IP address / Darwinssl (CVE-2014-1563)
- [libcurl] Patch for not verifying certs for TLS to IP address / Winssl (CVE-2014-2522)
- [openssl] Patch for heartbeat extension exposing process memory (CVE-2014-0160)
- [libyaml] Patch for arbitrary code execution vulnerability (CVE-2014-2525)