Security Releases: Chef Server and Premium Features (insecure file ownership)

Today we are announcing security releases of all supported versions of the Chef Server, Enterprise Chef, and Chef Software-built premium features. These releases address package ownership issues on Debian-based platforms that result in Omnibus-built packages installing with contents owned by UID and GID 999 or 1001. This vulnerability allows a non-root attacker to modify or replace the on-disk package contents, which are subsequently executed by the root user. For more information on this vulnerability, please visit our blog post on [Omnibus Security Releases](https://www.getchef.com/blog/?p=12922).

If you have deployed your Chef Server on a Debian-based platform, we recommend that you upgrade the server and associated premium features as soon as possible. If you’re unable to do so right now, see below for instructions on how to remediate the problem on your currently deployed server.

## Releases

#### Chef Server / Enterprise Chef

* [Chef Server 12.0.0-rc.4](http://downloads.getchef.com/chef-server/) – [Upgrade Docs](http://docs.getchef.com/server/upgrade_server.html#from-chef-server-oec)
* [Chef Server 11.1.5](https://www.getchef.com/download-open-source-chef-server-11/) – [Upgrade Docs](http://docs.getchef.com/open_source/upgrade_server_open_source.html#upgrade-to-chef-server-osc-11-1-4-or-higher)
* [Enterprise Chef 11.2.2](http://downloads.getchef.com/enterprise-chef/ubuntu/#/11.2.2) – [Upgrade Docs](http://docs.getchef.com/enterprise/#install-chef-server-oec)
* [Enterprise Chef 1.4.14](http://downloads.getchef.com/enterprise-chef/ubuntu/#/1.4.14) – [Upgrade Docs](http://docs.getchef.com/enterprise/#install-chef-server-oec)

#### Premium Features

After upgrading packages for premium features, make sure to run the necessary reconfigure commands as documented in the install procedures [here](http://docs.getchef.com/server/install_server.html).

* [Management Console 1.6.2](http://downloads.getchef.com/chef-manage/)
* [Analytics 1.0.2](http://downloads.getchef.com/analytics/)
* [Reporting 1.1.6](http://downloads.getchef.com/reporting/)
* [Push Jobs Server 1.1.3](http://downloads.getchef.com/push-jobs-server/) (not affected)
* [Chef High Availability 1.0.0-rc.2](http://downloads.getchef.com/chef-ha/)
* [Chef Replication 1.0.0-rc.3](http://downloads.getchef.com/chef-replication/)

## Remediation

If you are unable to upgrade your Chef Server and/or premium features right away, we recommend that you apply the following remediation steps to mitigate the package content ownership vulnerability. Each block first hands the whole install tree back to root (`chown -Rh 0:0`; the `-h` flag keeps `chown` from following symbolic links out of the tree), then gives the service account back the nginx temporary directories it must be able to write to, and finally runs the product's `reconfigure` command so that the remaining per-service ownership and permissions are reapplied.

#### Chef Server 12

```
sudo chown -Rh 0:0 /opt/opscode
sudo chown opscode:opscode /opt/opscode/embedded/nginx/*_temp
sudo chef-server-ctl reconfigure
```

#### Open Source Chef Server 11

```
sudo chown -Rh 0:0 /opt/chef-server
sudo chown chef_server:chef_server /opt/chef-server/embedded/*_temp
sudo chef-server-ctl reconfigure
```

#### Enterprise Chef 11

```
sudo chown -Rh 0:0 /opt/opscode
sudo chown opscode:opscode /opt/opscode/embedded/nginx/*_temp
sudo private-chef-ctl reconfigure
```

#### Enterprise Chef 1.4

```
sudo chown -Rh 0:0 /opt/opscode
sudo chown opscode:opscode /opt/opscode/embedded/*_temp
sudo private-chef-ctl reconfigure
```

#### Management Console

```
sudo chown -Rh 0:0 /opt/opscode-manage
sudo opscode-manage-ctl reconfigure
```

#### Analytics

```
sudo chown -Rh 0:0 /opt/opscode-analytics
sudo chown opscode:opscode /opt/opscode-analytics/embedded/*_temp
sudo opscode-analytics-ctl reconfigure
```

#### Reporting

```
sudo chown -Rh 0:0 /opt/opscode-reporting
sudo opscode-reporting-ctl reconfigure
```

#### Chef High Availability

```
sudo chown -Rh 0:0 /opt/chef-ha
```

#### Chef Replication

```
sudo chown -Rh 0:0 /opt/chef-sync
sudo chef-sync-ctl reconfigure
```
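As an added check, not part of this advisory or of Chef's own tooling, the following POSIX shell script lists every entry under an Omnibus install root that is owned by UID or GID 999 or 1001, the ids named above. Run it against `/opt/opscode`, `/opt/opscode-manage` and the other roots listed in the remediation steps before applying them to confirm exposure, and again afterwards (or after upgrading) to confirm that nothing a non-root account can write to is left for root to execute. It assumes GNU `find` (for `-printf`), which the Debian-based hosts this advisory concerns have; the script name `check-omnibus-owner.sh` and the sample scan lines embedded in it are constructed for illustration.

```shell
#!/bin/sh
# check-omnibus-owner.sh (hypothetical name): added example, not Chef tooling.
# Finds files under an Omnibus install root owned by the numeric ids the
# advisory names. Anything root later executes that a non-root account can
# write to is a privilege-escalation path, so the expected result after
# remediation is zero hits.

# Numeric UIDs/GIDs from the advisory; override via the environment.
SUSPECT_IDS="${SUSPECT_IDS:-999 1001}"

# Succeed if the numeric id in $1 is one of $SUSPECT_IDS.
is_suspect_id() {
  for id in $SUSPECT_IDS; do
    [ "$1" = "$id" ] && return 0
  done
  return 1
}

# Read "UID GID PATH" lines on stdin and pass through those whose owner
# or group is suspect. PATH is read last so embedded spaces survive.
filter_suspect() {
  while IFS=' ' read -r uid gid path; do
    if is_suspect_id "$uid" || is_suspect_id "$gid"; then
      printf '%s %s %s\n' "$uid" "$gid" "$path"
    fi
  done
}

# Walk an install root (e.g. /opt/opscode) without following symlinks,
# printing numeric owner, numeric group and path for every entry.
scan_root() {
  find "$1" -printf '%U %G %p\n'
}

# Number of entries under $1 owned by a suspect uid or gid.
count_suspect() {
  scan_root "$1" | filter_suspect | wc -l | tr -d ' '
}

# Constructed sample of scan_root output from an affected host, so the
# filter can be exercised without root access to a real install.
SAMPLE_SCAN='0 0 /opt/opscode/bin/chef-server-ctl
999 999 /opt/opscode/embedded/bin/erl
1001 0 /opt/opscode/embedded/lib/libcrypto.so
0 1001 /opt/opscode/embedded/service/opscode-erchef
0 0 /opt/opscode/embedded/nginx/client_body_temp'

# Usage: sh check-omnibus-owner.sh /opt/opscode /opt/opscode-manage ...
# With no arguments, runs the filter over the constructed sample instead.
if [ "$#" -eq 0 ]; then
  printf '%s\n' "$SAMPLE_SCAN" | filter_suspect
else
  for root in "$@"; do
    printf '%s: %s entries owned by uid/gid in {%s}\n' \
      "$root" "$(count_suspect "$root")" "$SUSPECT_IDS"
    scan_root "$root" | filter_suspect
  done
fi
```

A hit is only exploitable if one of those ids maps to a real non-root account on the host; `getent passwd 999 1001` shows which accounts, if any, they are. If the `opscode` (or `chef_server`) service account itself happens to have one of these ids, the nginx `*_temp` directories will legitimately appear in the output after remediation, since the steps above deliberately hand them back to that account; everything else should be root-owned.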

Author Stephen Delano