OpenSSL Vulnerability CVE-2015-0291 and Chef

tl;dr: Don’t worry about it.

OpenSSL Vulnerability CVE–2015–0291 and Chef

On March 19th, 2015, the OpenSSL team released a new high severity security advisory. In addition, the OpenSSL team also upgraded the severity of an already-published advisory, CVE–2015–0204, to high severity status. Simultaneous to the publication of this new high severity security advisory, the OpenSSL team also made available new versions of the OpenSSL code containing fixes for these vulnerabilities.

After reviewing the vulnerabilities described in these security advisories, the team at CHEF has determined that Chef products are not at immediate risk as a result of the OpenSSL vulnerabilities disclosed today.

Recommendation to users

Because OpenSSL 1.0.2. is the only version of OpenSSL vulnerable to the exploit described in CVE–2015–0291, Chef users do not need to take immediate action in response to this discolsure, because Chef products do not include OpenSSL 1.0.2.

Further analysis

OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE–2015–0291)

There are no Chef products that include OpenSSL 1.0.2. As a result, Chef products are not affected by the vulnerability disclosed in high severity bulletin CVE–2015–0291 (OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE–2015–0291).

“Freak,” RSA silently downgrades to EXPORT_RSA [Client] (CVE–2015–0204)

No Chef products are configured to support export ciphers. As a result, Chef products are not affected by the vulnerability disclosed in high severity bulletin CVE–2015–0204 (RSA silently downgrades to EXPORT_RSA[Client]).

CHEF Response Plan

Though there is no immediate danger, Chef will still release new versions of several products starting today that will include updated versions of OpenSSL. Users can update to these on their own schedule, but are not required to upgrade to protect against CVE–2015–0291.

Summary

Chef users do not need to take any immediate action in response to the newly published OpenSSL high severity security advisory. Chef products are not vulnerable to CVE–2015–0291, or CVE–2015–0204. Chef will include the newly-released patches to OpenSSL in future releases on the previously planned product release schedule.

Please let us know if you have any questions or concerns.

Thanks,
--Charles

Charles Johnson — Product Engineer