Friday, September 19, 2014

Security Releases: Chef Client and Related Products (insecure file ownership)



// Chef Blog

Today we are announcing security releases of all supported versions of the Chef Client, ChefDK, Chef Container and the Push Jobs client. These releases address package ownership issues on Debian-based platforms.

Platforms

  • Ubuntu Linux
  • Debian Linux

Description

Chef products installed from Debian-style .deb packages created files under /opt/<install_dir> owned by UID 999 or other non-root UIDs instead of UID 0 (root). An unprivileged local user with the matching UID could change the contents of those files and thereby execute arbitrary commands as the user running the Chef product (normally root for chef-client). Please see the accompanying blog post for more details on the underlying Omnibus installer issue.

We recommend remediation of chef-client before addressing the potential server-side or add-on issues. See also: Chef Server and Premium Feature Security Releases.

Affected Products and Remediation Steps

Chef Client

chef-client 10: AFFECTED: all releases from chef_10.28.0 through chef_10.34.2

chef-client 11: AFFECTED: all releases from chef_11.6.0.rc.0 through chef_11.16.0

Remediate the issue by upgrading to the latest release. For Chef 11, use the omnibus installer, e.g.:

curl -L https://www.opscode.com/chef/install.sh | sudo bash

or use your package management framework to update to the versions below, or any subsequent release:


If you're unable to upgrade the package, fix the permissions in place.

Shell workaround: From a root shell, run:

chown -Rh 0:0 /opt/chef

Chef recipe: Include the following sample recipe in your base system configuration:

execute 'fix_chef_uid' do
  command 'chown -Rh 0:0 /opt/chef'
  # The guard must be a block: Chef expects a command string or a block here,
  # not a boolean, and a block is evaluated at converge time on each run.
  not_if { ::File.stat('/opt/chef/bin').uid == 0 }
end

ChefDK

chefdk: AFFECTED: all releases through 0.2.0

Remediate the issue by upgrading to the latest release. Use your package management framework to update to the version below, or any subsequent release:

chefdk 0.2.2 https://downloads.getchef.com/chef-dk

If you're unable to upgrade the package, fix the permissions in place.

Shell workaround: From a root shell, run:

chown -Rh 0:0 /opt/chefdk

Chef recipe: Include the following sample recipe in your base system configuration:

execute 'fix_chefdk_uid' do
  command 'chown -Rh 0:0 /opt/chefdk'
  # Skip nodes without ChefDK so File.stat does not raise on a missing path.
  only_if { ::File.directory?('/opt/chefdk/bin') }
  # The guard must be a block: Chef expects a command string or a block here,
  # not a boolean, and a block is evaluated at converge time on each run.
  not_if { ::File.stat('/opt/chefdk/bin').uid == 0 }
end

Chef Container

chef-container: AFFECTED: all releases from 11.12.8

Remediate the issue by either a) correcting file ownership in place via a Dockerfile RUN command or a Chef recipe, or b) rebuilding your Docker image to update to the patched Chef Container release:

  1. In your Dockerfile, put the following line directly after your FROM line:

     RUN chown -Rh 0:0 /opt/chef

     or use a simple Chef recipe as part of every system's base configuration, e.g.:

     execute 'fix_chef_uid' do
       command 'chown -Rh 0:0 /opt/chef'
       not_if { ::File.stat('/opt/chef/bin').uid == 0 }
     end

  2. When you initialized your Docker context with knife container docker init, you provided one or two values. The first value was the name of the image; in the commands below it is referred to as YOUR_IMAGE_NAME. In the example knife container docker init myorg/myapp, YOUR_IMAGE_NAME would be myorg/myapp. The second value was the base image specified with the -f flag; if you did not specify it, you used the default value of chef/ubuntu-12.04:latest. In the commands below it is referred to as BASE_IMAGE_NAME. To rebuild your Docker image with the patched version of the Chef Container package, run these three commands for each impacted image:
     1. docker pull BASE_IMAGE_NAME
     2. docker tag BASE_IMAGE_NAME YOUR_IMAGE_NAME
     3. knife container docker build YOUR_IMAGE_NAME

Push Jobs Client (Enterprise Chef or Private Chef only)

push-jobs-client: AFFECTED: all releases from 1.0.1 through 1.1.3


Remediate the issue by upgrading to the latest release. Use your package management framework to update to the version below, or any subsequent release:

opscode-push-jobs-client 1.1.4 http://downloads.getchef.com/push-jobs-client/

If you're unable to upgrade the package, fix the permissions in place.

Shell workaround: From a root shell, run:

chown -Rh 0:0 /opt/opscode-push-jobs-client

Chef recipe: Include the following sample recipe in your base system configuration:

execute 'fix_push_jobs_client_uid' do
  command 'chown -Rh 0:0 /opt/opscode-push-jobs-client'
  # Skip nodes without the Push Jobs client so File.stat does not raise.
  only_if { ::File.directory?('/opt/opscode-push-jobs-client/bin') }
  # The guard must be a block: Chef expects a command string or a block here,
  # not a boolean, and a block is evaluated at converge time on each run.
  not_if { ::File.stat('/opt/opscode-push-jobs-client/bin').uid == 0 }
end
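The recipe guards above only look at the ownership of the bin directory, which is enough to decide whether the chown has already run but does not tell you how much of an install is affected, or let you audit a host before deciding to fix it in place. The following Ruby script is an added example, not code from the Chef advisory or from Chef: it walks each of the three install roots named on this page and lists every entry not owned by UID 0, using lstat so that symlinks are judged by their own ownership, the same entries that chown -Rh 0:0 would repair. The build_sample_tree helper and the tree it creates are constructed stand-ins for a real package, so the check can be exercised without root or an installed Chef product.

```ruby
# Added example (not from the Chef advisory or the Chef project): audit an
# Omnibus install tree for entries whose owner is not the expected UID, i.e.
# the condition the advisory's "chown -Rh 0:0 /opt/<install_dir>" repairs.
require 'find'
require 'tmpdir'
require 'fileutils'

# The default install roots named in the advisory.
CHEF_INSTALL_ROOTS = %w[/opt/chef /opt/chefdk /opt/opscode-push-jobs-client].freeze

# Return [path, uid] pairs for every entry under +root+ (root included) whose
# owner is not +expected_uid+. lstat is used so a symlink is reported by its
# own ownership rather than its target's, matching what chown -h changes.
# A root that is not a directory yields [].
def misowned_paths(root, expected_uid = 0)
  return [] unless File.directory?(root)
  bad = []
  Find.find(root) do |path|
    st = File.lstat(path)
    bad << [path, st.uid] if st.uid != expected_uid
  end
  bad
end

# Map each existing install root to the number of misowned entries under it;
# roots that are not present on this host are left out of the result.
def ownership_report(roots = CHEF_INSTALL_ROOTS, expected_uid = 0)
  roots.each_with_object({}) do |root, h|
    next unless File.directory?(root)
    h[root] = misowned_paths(root, expected_uid).size
  end
end

# Constructed stand-in for an install tree (assumption: a real package has
# many more files, but the same shape of bin/ with binaries and symlinks).
def build_sample_tree(dir)
  FileUtils.mkdir_p(File.join(dir, 'bin'))
  File.write(File.join(dir, 'bin', 'chef-client'), "#!/bin/sh\nexit 0\n")
  File.symlink('chef-client', File.join(dir, 'bin', 'knife'))
  dir
end

if $PROGRAM_NAME == __FILE__
  # 1. Real install roots on this host, judged against UID 0 as in the advisory.
  ownership_report.each do |root, n|
    if n.zero?
      puts "#{root}: ok"
    else
      puts "#{root}: #{n} entries not owned by UID 0; fix with: chown -Rh 0:0 #{root}"
    end
  end
  # 2. Constructed tree: owned by the current user, so judged against UID 0 it
  #    looks like an affected host whenever this is not run as root.
  Dir.mktmpdir('chefown') do |d|
    build_sample_tree(d)
    misowned_paths(d).each { |path, uid| puts "  uid #{uid}: #{path}" }
  end
end
```

Run it as any user to get a per-root count; a non-zero count for a root means the package on that host still needs the chown (or the upgrade), and the listed paths are exactly what an attacker holding the reported UID could rewrite.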

Discussion

The post-build test suite will now include ownership and mode tests to prevent a future regression.

Credit

We'd like to extend our gratitude to Jacob Vosmaer and the team at GitLab for practicing responsible disclosure.