Chef Manage 2.4.5 Security Release

Chef Manage 2.4.5 is now available for download[1].

This release patches a remote execution vulnerability accessible through the user account creation process. This vulnerability has been present in Chef Manage since release 2.1.0 on 2015/11/19.

If you are unable to update at this time, we recommend disabling new user sign up on your Chef Manage instances until the update can be applied. You can do this by editing the file /etc/chef-manage/manage.rb and adding the following line:

disable_sign_up true

Save the change, then run:

sudo chef-manage-ctl reconfigure
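Added example, not part of the original announcement or Chef's own tooling: a shell sketch that checks whether a Chef Manage version falls in the affected range stated above (2.1.0 up to, but not including, 2.4.5) and idempotently applies the `disable_sign_up true` workaround. The function names are hypothetical, and it assumes GNU `sort -V`, a version string supplied by the caller, and one setting per line in manage.rb.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical, not Chef tooling.

# Return 0 if version $1 is in the affected range from the post:
# 2.1.0 (inclusive) up to, but not including, the fixed 2.4.5.
# Assumes the caller supplies the installed version string.
manage_version_affected() {
    local v=$1 lowest
    # sort -V (GNU coreutils) orders version strings; head picks the lowest.
    lowest=$(printf '%s\n%s\n' "2.1.0" "$v" | sort -V | head -n1)
    [ "$lowest" = "2.1.0" ] || return 1     # older than 2.1.0
    [ "$v" != "2.4.5" ] || return 1         # the fixed release itself
    lowest=$(printf '%s\n%s\n' "2.4.5" "$v" | sort -V | head -n1)
    [ "$lowest" = "$v" ]                     # strictly below 2.4.5
}

# Idempotently set "disable_sign_up true" in the manage.rb given as $1.
# Prints "changed" or "unchanged". The caller still has to run
# "chef-manage-ctl reconfigure" after a change, as the post describes.
ensure_signup_disabled() {
    local file=$1 tmp
    local key='^[[:space:]]*disable_sign_up'
    # Already true, and no later "false" line that would override it.
    if grep -Eq "${key}[[:space:]]+true[[:space:]]*(#.*)?\$" "$file" 2>/dev/null &&
       ! grep -Eq "${key}[[:space:]]+false" "$file"; then
        echo unchanged
        return 0
    fi
    tmp=$(mktemp) || return 1
    # Keep every other line, drop existing uncommented disable_sign_up lines.
    { [ -f "$file" ] && grep -Ev "${key}([[:space:]]|\$)" "$file"; true; } > "$tmp"
    echo 'disable_sign_up true' >> "$tmp"
    # cat into place so the file keeps its existing owner and mode.
    cat "$tmp" > "$file" && rm -f "$tmp"
    echo changed
}
```

On a real host this would be called as `ensure_signup_disabled /etc/chef-manage/manage.rb` with root privileges, followed by the reconfigure command above when it reports `changed`.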

UPDATE: This vulnerability has been registered with the National Vulnerability Database (NVD) as CVE-2017-7174

If you are using Chef Manage from the AWS Marketplace or Azure Marketplace

We HIGHLY recommend you run:

yum update chef-marketplace -y

And then run

chef-marketplace-ctl upgrade -s

Soo Choi
Senior Product Manager, Cloud Strategy
San Francisco, CA
(m) 703.981.0673