Enterprise Chef 1.4.9 is a security release that includes an updated version of OpenSSL that patches CVE-2014-0160, also known as the Heartbleed bug. All installs of Enterprise Chef should be upgraded immediately. The result of this bug is a trivial exploit that allows an attacker to read secrets from the memory of a compromised server. These secrets can include any of the information stored within your Chef Server – usernames, passwords, node data, databags, etc. The severity of this exploit cannot be overstated. Please follow the upgrade instructions below carefully to ensure that your Enterprise Chef install is fully patched.
To download the latest version of Enterprise Chef, please contact your sales representative.
First, follow the upgrade instructions on the Chef Documentation site (linked below):
- Standalone Installs: http://docs.opscode.com/upgrade_server_standalone.html
- HA Installs: http://docs.opscode.com/upgrade_server_ha.html
NOTE – Besides upgrading OpenSSL, this is the most important step in closing the vulnerability of the Heartbleed bug. The SSL certificates, as well as any of the secrets stored on your Chef Server, should be considered compromised to the network to which the Chef Server was available. Here are the steps needed to regenerate your SSL certificates:
Regenerate your SSL certificates by following the instructions on the Chef Documentation site here: http://docs.opscode.com/server_security.html#regenerate-ssl-certificates
Congratulations! Your Enterprise Chef install is now safe from the Heartbleed bug and any exploited SSL secrets can no longer be used to monitor your Chef traffic.
- Changing Secrets – While your Enterprise Chef install is now patched and safe from the Heartbleed bug, it is still possible that arbitrary data from your Chef install was compromised. Depending on your comfort level with the defense around your Enterprise Chef server, you may want to change user passwords and any other sensitive data that wasn’t encrypted via an out-of-band mechanism.
- Chef Client – Chef does authentication and authorization by signing each request, so you don’t have to worry about regenerating your client credentials.
The following bug fixes have been applied since Enterprise Chef 1.4.8:
- [private-chef-cookbooks] Provide default value for jetty log path to fix dotfile deletion bug.
- [private-chef-ctl] private-chef-ctl password fixed to work correctly after a regression introduced in EC 1.4.6.
- [private-chef-cookbooks] Manage /var/log/opscode permissions even with non 0022 umask.
The following items are the set of security fixes that have been applied since Enterprise Chef 1.4.8:
- [opscode-webui] Incorporate patches to address several identified potential Denial of Service vulnerabilities in the Rails framework.
- [libcurl] Patch for wrong re-use of connections (CVE-2014-0138)
- [libcurl] Patch for address wildcard certificate validation (CVE-2014-0139)
- [libcurl] Patch for not verifying certs for TLS to IP address / Darwinssl (CVE-2014-1563)
- [libcurl] Patch for not verifying certs for TLS to IP address / Winssl (CVE-2014-2522)
- [openssl] Patch for heartbeat extension exposing process memory (CVE-2014-0160)
- [libyaml] Patch for arbitrary code execution vulnerability (CVE-2014-2525)