We are delighted to announce the availability of version 14.11.21 of Chef Infra Server.
Security
Elasticsearch 6.8.21
Updated Elasticsearch from 6.8.18 to 6.8.21 to resolve concerns regarding CVE-2021-44228 (Log4j remote code execution). Elastic has stated "Elasticsearch [is] not susceptible to remote code execution with this vulnerability". In the 6.8.21 release, Elastic has disabled JNDI lookups by setting log4j2.formatMsgNoLookups to true and by patching log4j to remove the JndiLookup class entirely.
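To confirm both mitigations on an upgraded host, the check below is an added example, not code from Chef or Elastic. It assumes the setting is passed as a -D option in a jvm.options-style file and that you point it at the log4j-core jar on your own system; the sample jars and options text are constructed.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Optional "8:" / "8-:" / "8-9:" version prefix, then the system property.
FLAG_RE = re.compile(r"^(?:\d+(?:-\d*)?:)?-Dlog4j2\.formatMsgNoLookups=(\S+)$")


def jar_has_jndi_lookup(jar):
    """True if the log4j-core jar (path or file object) still ships JndiLookup."""
    with zipfile.ZipFile(jar) as zf:
        return JNDI_CLASS in zf.namelist()


def lookups_disabled(jvm_options_text):
    """True if the last uncommented formatMsgNoLookups setting is 'true'."""
    value = None
    for raw in jvm_options_text.splitlines():
        m = FLAG_RE.match(raw.strip())  # commented lines start with '#', no match
        if m:
            value = m.group(1).lower()
    return value == "true"


def make_jar(names):
    """Build a constructed in-memory jar containing empty entries (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    other = "org/apache/logging/log4j/core/lookup/DateLookup.class"
    unpatched = make_jar([other, JNDI_CLASS])
    patched = make_jar([other])
    options = "# constructed sample\n-Xms1g\n-Dlog4j2.formatMsgNoLookups=true\n"
    print("unpatched jar has JndiLookup:", jar_has_jndi_lookup(unpatched))
    print("patched jar has JndiLookup:  ", jar_has_jndi_lookup(patched))
    print("lookups disabled:", lookups_disabled(options))
```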
Redis 5.0.14
Updated Redis from 5.0.7 to 5.0.14 to resolve the following CVEs:
- CVE-2021-41099
- CVE-2021-32762
- CVE-2021-32687
- CVE-2021-32675
- CVE-2021-32672
- CVE-2021-32628
- CVE-2021-32627
- CVE-2021-32626
- CVE-2021-32761
- CVE-2021-21309
OpenJDK 11.0.13+8
Updated OpenJDK from 11.0.11+7 to 11.0.13+8 to resolve the following CVEs:
- CVE-2021-35550
- CVE-2021-35565
- CVE-2021-35556
- CVE-2021-35559
- CVE-2021-35561
- CVE-2021-35564
- CVE-2021-35567
- CVE-2021-35578
- CVE-2021-35586
- CVE-2021-35603
Packaging
RHEL 8 Build ID
Chef Infra Server packages no longer install a build ID file that would prevent installing other Chef packages such as Infra Client.
Get the Build
You can download binaries directly from downloads.chef.io.