Friday, September 19, 2014

Security Releases: Chef Server and Premium Features (insecure file ownership) [feedly]



----
Security Releases: Chef Server and Premium Features (insecure file ownership)
// Chef Blog

Today we are announcing security releases of all supported versions of the Chef Server, Enterprise Chef, and Chef Software-built premium features. These releases address package ownership issues on Debian-based platforms that result in Omnibus-built packages installing with contents owned by UID and GID 999 or 1001. This vulnerability allows a non-root attacker to modify or replace the on-disk package contents, which are subsequently executed by the root user. For more information on this vulnerability, please visit our blog post on Omnibus Security Releases.

If you have deployed your Chef Server on a Debian-based platform, we recommend that you upgrade the server and associated premium features as soon as possible. If you're unable to do so right now, see below for instructions on how to remediate the problem on your currently deployed server.

Releases

Chef Server / Enterprise Chef

Premium Features

After upgrading packages for premium features, make sure to run the necessary reconfigure commands as documented in the install procedures here.

Remediation

If you are unable to upgrade your Chef Server and/or premium features right away, we recommend that you apply the following remediation steps to mitigate the package content ownership vulnerability.

Chef Server 12

sudo chown -Rh 0:0 /opt/opscode
sudo chown opscode:opscode /opt/opscode/embedded/nginx/*_temp
sudo chef-server-ctl reconfigure

Open Source Chef Server 11

sudo chown -Rh 0:0 /opt/chef-server
sudo chown chef_server:chef_server /opt/chef-server/embedded/*_temp
sudo chef-server-ctl reconfigure

Enterprise Chef 11

sudo chown -Rh 0:0 /opt/opscode
sudo chown opscode:opscode /opt/opscode/embedded/nginx/*_temp
sudo private-chef-ctl reconfigure

Enterprise Chef 1.4

sudo chown -Rh 0:0 /opt/opscode
sudo chown opscode:opscode /opt/opscode/embedded/*_temp
sudo private-chef-ctl reconfigure

Management Console

sudo chown -Rh 0:0 /opt/opscode-manage
sudo opscode-manage-ctl reconfigure

Analytics

sudo chown -Rh 0:0 /opt/opscode-analytics
sudo chown opscode:opscode /opt/opscode-analytics/embedded/*_temp
sudo opscode-analytics-ctl reconfigure

Reporting

sudo chown -Rh 0:0 /opt/opscode-reporting
sudo opscode-reporting-ctl reconfigure

Chef High Availability

sudo chown -Rh 0:0 /opt/chef-ha

Chef Replication

sudo chown -Rh 0:0 /opt/chef-sync
sudo chef-sync-ctl reconfigure
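
To confirm the remediation took effect, the install trees can be audited for anything still not owned by root. The script below is an added example, not part of the Chef advisory: the function names are hypothetical, it flags any non-root owner or group (a generalization of the UID/GID 999 and 1001 case described above), and it assumes directories named *_temp are the ones intentionally handed back to the service user.

```shell
#!/bin/sh
# Added example (not from the Chef advisory): audit Omnibus install trees
# for entries that are still not owned by root after remediation.

# Install roots taken from the remediation steps in the advisory.
OMNIBUS_ROOTS="/opt/opscode /opt/chef-server /opt/opscode-manage
/opt/opscode-analytics /opt/opscode-reporting /opt/chef-ha /opt/chef-sync"

# list_untrusted_owned DIR [UID] [GID]
# Prints every entry under DIR whose owner or group differs from UID:GID
# (default 0:0). Directories named *_temp are skipped with their contents
# (assumption: those are the ones the remediation re-owns to the service
# user). Symlinks are judged by their own ownership, matching `chown -h`.
list_untrusted_owned() {
    dir=$1 uid=${2:-0} gid=${3:-0}
    find "$dir" -type d -name '*_temp' -prune -o \
        \( ! -user "$uid" -o ! -group "$gid" \) -print
}

# audit_roots
# Checks every install root that exists on this host and returns 1 if
# any of them still contains entries that are not root-owned.
audit_roots() {
    status=0
    for root in $OMNIBUS_ROOTS; do
        [ -d "$root" ] || continue
        findings=$(list_untrusted_owned "$root")
        if [ -n "$findings" ]; then
            printf 'Not root-owned under %s:\n%s\n' "$root" "$findings"
            status=1
        fi
    done
    return $status
}

# Run the audit only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    audit_roots
    exit $?
fi
```

Run it as root with --run before and after applying the chown steps; a non-zero exit status means at least one install root still has contents a non-root user could modify.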


----
