Chef Releases for OpenSSL (CVE-2014-0224) Vulnerability

On Thursday June 5th at approximately 14:00 UTC, the CHEF engineering team was made aware of [OpenSSL CVE-2014-0224](https://www.openssl.org/news/secadv_20140605.txt). A bug in the OpenSSL framework could permit a [MITM attack](http://en.wikipedia.org/wiki/Man-in-the-middle_attack) under certain circumstances using a carefully constructed request. Due to the nature of this vulnerabilty, we recommend that you upgrade your installations immediately. Here are the […]

Read More

Chef Server 11.1.1 Release

Open Source Chef Server 11.1.1 is a security release that includes an updated version of OpenSSL that patches CVE-2014-0224. All installs of Open Source Chef should be upgraded immediately. This bug permits an attacker to execute an undetectable MITM attack on an otherwise secure connection. As a result, the attacker could read or alter any […]

Read More

Enterprise Chef Server 11.1.6 Release

Enterprise Chef Server 11.1.6 is a security release that includes an updated version of OpenSSL that patches [CVE-2014-0224](https://www.openssl.org/news/secadv_20140605.txt). All installs of Enterprise Chef should be upgraded immediately. This bug permits an attacker to execute an undetectable MITM attack on an otherwise secure connection. As a result, the attacker could read or alter any traffic between […]

Read More

Enterprise Chef 1.4.11 Release

Enterprise Chef Server 1.4.11 is a security release that includes an updated version of OpenSSL that patches [CVE-2014-0224](https://www.openssl.org/news/secadv_20140605.txt). All installs of Enterprise Chef should be upgraded immediately. This bug permits an attacker to execute an undetectable MITM attack on an otherwise secure connection. As a result, the attacker could read or alter any traffic between […]

Read More

Security @Adobe Details Chef-Automated Security Testing

Our good friends at Adobe have been awesome about providing technical insight into their use of Chef in the past. Yesterday, their lead security strategist Peleus Uhley, continued this trend with a very informative blog detailing Chef-automated security testing in Adobe’s private cloud infrastructure. Peleus writes: “At Adobe, we’re constantly hiring third party security consultants […]

Read More

Important Hosted Chef Security Notice

Dear Customers, On Wednesday morning we became aware of a misconfiguration of an exception handler for the Hosted Chef Management Console that caused username and password information for a small subset of our users to be leaked via email internally at Chef. We have fixed the issue that was at the source of the exposure, […]

Read More