Blog-L_News_3_1283x494

Chef Server 11.0.6 and 10.24.0 Released

By

This release includes a few important security fixes.

Solr Security Fix

The default solr configuration has some tunables that are enabled for updating data and debugging that provide a remote attack surface. The configuration in this release disables those features.

Chef 11

Omnibus packaging makes this easy:

  • Download the new package and install it
  • Run sudo chef-server-ctl reconfigure

Chef 10

If you have an existing Chef 10 Server installation, you’ll need to use the chef-solr-installer tool after installation to replace the configuration and then rebuild the search indexes.

[ruby]
sudo gem install chef-solr –no-rdoc –no-ri
sudo chef-solr-installer -c /etc/chef/solr.rb -u chef
sudo /etc/init.d/chef-solr restart
knife index rebuild
[/ruby]

If you’re on an older Chef Server 10 release and can’t upgrade, edit /var/lib/chef/solr/home/conf/solrconfig.xml with the changes detailed in CHEF-3984 and restart chef-solr. Do not run chef-solr-installer, as that will overwrite this file.

Release Notes

Chef 11.0.6 Server

Multiple Rails related security fixes are included in the WebUI that were recently released in the Chef 10 WebUI. They are detailed in the release notes below.

Mike Javorski improved search on Chef 11 to be able to search for attributes with forward slashes.

Special thanks to Michael Della Bitta for responsibly disclosing the security issue related to the solr configuration. You’re the Chef Server 11.0.6 MVP for having our back.

Security concerns can always be raised with us directly by mailing [email protected].

  • [CHEF-2760] – Knife is unable to search for attributes with forward slashes
  • [CHEF-3888] – chef-server-webui is susceptible to rack vulnerability
  • [CHEF-3894] – solr config allows remote read access to files on disk

Chef 10.24.0

Because we’re already rebuilding the search indexes, we included an increase to the maxFieldLength setting in the solr configuration, which solves CHEF-2346 for most people.

A tip of the hat to famous Chef MVP Matthew Kent for his patch to the solr configuration to increase maxFieldLength.

We’d also like to give the Chef 10.24.0 MVP to Anthony Goddard. Anthony has been a Chef contributor and advocate for years, leading many others to Chef along the way. He most recent wrote knife-ghost, a tool for populating your /etc/hosts file from a knife search. Thanks Ant!

  • [CHEF-2346] – beware of solr maxFieldLength option ! It will stop indexing nodes with a lot of attributes
  • [CHEF-3888] – chef-server-webui is susceptible to rack vulnerability
  • [CHEF-3894] – solr config allows remote read access to files on disk

Related vulnerabilities

  • [CVE-2013-0276] Circumvention of attr_protected
  • [CVE-2013-0277] Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0
  • [CVE-2013-0269] Denial of Service and Unsafe Object Creation Vulnerability in JSON
  • [CVE-2013-0263] Rack::Session::Cookie vulnerability in Rack
  • [CVE-2013-0262] Rack PATH_INFO environment variable vulnerability
Posted in:

Bryan McLellan

Categories

INTERNET US

Company
Using Chef
Legal
Connect with us
Contact Us

Chef is part of the Progress product portfolio. Progress is the leading provider of application development and digital experience technologies.

Copyright © 2024 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.

Progress, Telerik, Ipswitch, Chef, Kemp, Flowmon, MarkLogic, Semaphore and certain product names used herein are trademarks or registered trademarks of Progress Software Corporation and/or one of its subsidiaries or affiliates in the U.S. and/or other countries. See Trademarks for appropriate markings.

Do Not Sell or Share My Personal Information

Powered by Progress Sitefinity