System Archaeology Through Testing

As you may be aware, I have been working on a Chef audit-mode cookbook that implements the CIS Benchmarks. I recently added coverage for Ubuntu 14.04. In this post, I want to share a discovery about OS-level configuration that is inherently against the recommendation from the benchmark, and the way users can remediate this using […]

Security Release: Chef Server 12.0.8 and Enterprise Chef 11.3.1

Ohai Chefs! Chef Server 12.0.8 and Enterprise Chef 11.3.1 are available for immediate download. This release addresses the following vulnerabilities: CVE-2013-2028 CVE-2013-4547 CVE-2014-0088 CVE-2014-0133 CVE-2014-3556 CVE-2014-3616 This corresponds to chef-server issue 142, “Update Embedded Openresty NGINX”. Additional Changes Chef Server 12.0.8 has been further updated as follows: The Chef Server 12.0.8 release is the first […]

OpenSSL Vulnerability CVE-2015-0291 and Chef

On March 19th, 2015, the OpenSSL team released a new high severity security advisory. In addition, the OpenSSL team also upgraded the severity of an already-published advisory, CVE-2015-0204, to high severity status. Simultaneous to the publication of this new high severity security advisory, the OpenSSL team also made available new versions of the OpenSSL code […]

Joint Webinar: DevSecOps – Taking a DevOps Approach to Security

Can Dev-”Sec”-Ops really exist? On Thursday, March 19 we’re partnering with Alert Logic to present a must-attend webinar for anyone wanting to debate how to adopt a continuous delivery model to security. More organizations are embracing DevOps and automation to realize compelling business benefits, such as more frequent feature releases, increased application stability, and more productive resource […]

Security Release: Chef Server 12.0.1 and Enterprise Chef Server 11.2.6

Available for immediate download are Chef Server 12.0.1 and Enterprise Chef Server 11.2.6. This release addresses CVE-2014-8144, a CSRF vulnerability found in doorkeeper, a gem used by the oc-id service that ships with the Chef Server. This release updates oc-id to the latest version, 0.4.4, which contains the patched doorkeeper gem. Open Source Chef Server 11 […]

Security Release: Chef Server and Analytics (POODLE and OpenSSL Vulnerabilities)

Today we are announcing security releases of all supported versions of Chef Server, Enterprise Chef, and Chef Analytics. These releases address two separate issues:

* POODLE SSLv3 attack, which allows a remote attacker to extract plaintext of targeted data within an SSL connection
* CVE-2014-3513 and CVE-2014-3567, which expose a potential DoS attack vector. […]
