Chef Server 11.1.3 Security Release


#1

Chef Server 11.1.3 Security Release

Enterprise Chef Server 11.1.3 is a security release to address a PostgreSQL
configuration error. The defect allows any local user on the system hosting
the Chef Server’s PostgreSQL components full access to databases. We advise
all Chef Server users to update to this latest release which corrects the
error.

This error was discovered and reported by our friends at Gitlab.

Affected Versions
All versions of Open Source Chef Server 11 are affected.

Impact
An attacker with existing access to execute code on the Chef Server can
gain superuser access to PostgreSQL hosted on the system and eventually
gain root user privileges to the operating system.

You can check if your Chef Server is vulnerable to the defect by executing
the following command on the Chef server (if the Chef Server is configured
with separate front end and back end servers, this command should be
executed on a back end server):

/opt/chef-server/embedded/bin/psql -U opscode-pgsql –d template1 –c ‘\echo
security configuration defect present’

If you see the output security configuration defect present the defect
affects your server. Otherwise, you will see an error like psql: FATAL authentication failed for user, and this means the defect is not present
on that system.

Upgrade Instructions
Download
Download the latest version of the Open Source Chef Server from the Chef
downloads page.
https://www.getchef.com/chef/install

Upgrade
Follow the upgrade instructions on the Chef Documentation site for
upgrading a Chef 11 server.
http://docs.opscode.com/upgrade_server_open_source.html#upgrade-to-newer-versions-of-chef-server-11

Let me know if you have any questions,
Joseph