Chef Client Windows Patches for OpenSSL CVE-2014-0224 Vulnerability

Ohai Chefs, we have just released Chef Client versions 11.12.8-2 and 10.32.2-3, which include the mitigation for the recently reported OpenSSL vulnerability [CVE-2014-0224](https://www.openssl.org/news/secadv_20140605.txt). Note that after installing these builds, if you check the OpenSSL version using `OpenSSL::OPENSSL_VERSION` you will see `OpenSSL 1.0.0k 5 Feb 2013`. This is because we are using pre-compiled binaries for Windows […]

Chef Releases for OpenSSL (CVE-2014-0224) Vulnerability

On Thursday, June 5th, at approximately 14:00 UTC, the CHEF engineering team was made aware of [OpenSSL CVE-2014-0224](https://www.openssl.org/news/secadv_20140605.txt). A bug in the OpenSSL framework could permit a [MITM attack](http://en.wikipedia.org/wiki/Man-in-the-middle_attack) under certain circumstances using a carefully constructed request. Due to the nature of this vulnerability, we recommend that you upgrade your installations immediately. Here are the […]

Chef Server 11.1.1 Release

Open Source Chef Server 11.1.1 is a security release that includes an updated version of OpenSSL that patches CVE-2014-0224. All installs of Open Source Chef should be upgraded immediately. This bug permits an attacker to execute an undetectable MITM attack on an otherwise secure connection. As a result, the attacker could read or alter any […]

Enterprise Chef Server 11.1.6 Release

Enterprise Chef Server 11.1.6 is a security release that includes an updated version of OpenSSL that patches [CVE-2014-0224](https://www.openssl.org/news/secadv_20140605.txt). All installs of Enterprise Chef should be upgraded immediately. This bug permits an attacker to execute an undetectable MITM attack on an otherwise secure connection. As a result, the attacker could read or alter any traffic between […]

Enterprise Chef 1.4.11 Release

Enterprise Chef Server 1.4.11 is a security release that includes an updated version of OpenSSL that patches [CVE-2014-0224](https://www.openssl.org/news/secadv_20140605.txt). All installs of Enterprise Chef should be upgraded immediately. This bug permits an attacker to execute an undetectable MITM attack on an otherwise secure connection. As a result, the attacker could read or alter any traffic between […]

Security @Adobe Details Chef-Automated Security Testing

Our good friends at Adobe have been awesome about providing technical insight into their use of Chef in the past. Yesterday, their lead security strategist, Peleus Uhley, continued this trend with a very informative blog detailing Chef-automated security testing in Adobe’s private cloud infrastructure. Peleus writes: “At Adobe, we’re constantly hiring third party security consultants […]