Rack vulnerabilities in chef-server-webui in Chef Server 11

Chef Infra (archive)
1

We believe that the chef-server-webui in Chef Server 11 is vulnerable to recently announced security vulnerabilities in Rack [1]. The Chef 10 webui does not run on rails. We recommend that Chef 11 Server users shut down the webui to prevent any expoitation.

To do so, create ‘/etc/chef-server/chef-server.rb’ and add this line to it:

webui_enable false

Then run ‘sudo chef-server-ctl reconfigure’

On Monday we will release a new Chef Server 11 package that upgrades Rack to 1.4.5 to resolve this issue. The webui will be configured to not start by default in Monday’s release and subsequent releases and we are deprecating it. The chef-server-webui will not be included in the Chef 12 Server open-source release.

Bryan McLellan | opscode | technical program manager, open source
© 206.607.7108 | (t) @btmspox | (b) http://blog.loftninjas.org

[1] http://rack.github.com/

2

Is the intention that starting with chef 12 server, the webui will be a
value add of the hosted/private offerings?

On Sat, Feb 9, 2013 at 11:40 AM, Bryan McLellan btm@opscode.com wrote:

We believe that the chef-server-webui in Chef Server 11 is vulnerable to
recently announced security vulnerabilities in Rack [1]. The Chef 10 webui
does not run on rails. We recommend that Chef 11 Server users shut down the
webui to prevent any expoitation.

To do so, create '/etc/chef-server/chef-server.rb' and add this line to it:

webui_enable false

Then run 'sudo chef-server-ctl reconfigure'

On Monday we will release a new Chef Server 11 package that upgrades Rack
to 1.4.5 to resolve this issue. The webui will be configured to not start
by default in Monday's release and subsequent releases and we are
deprecating it. The chef-server-webui will not be included in the Chef 12
Server open-source release.

Bryan McLellan | opscode | technical program manager, open source
(c) 206.607.7108 | (t) @btmspox | (b) http://blog.loftninjas.org

[1] http://rack.github.com/

3

This seems like a odd idea to me given the only time I used the webui was when I was first playing with chef. It allows a new user who is unsure to verify his actions in a friendly ui.

Someone who has explored the benefits of chef are more likely to become a paying member. This is even more true given the recent announcement of commercial support for the open source platform.

Joshua

On Feb 9, 2013, at 9:53 AM, Jesse Campbell hikeit@gmail.com wrote:

Is the intention that starting with chef 12 server, the webui will be a value add of the hosted/private offerings?

On Sat, Feb 9, 2013 at 11:40 AM, Bryan McLellan btm@opscode.com wrote:

We believe that the chef-server-webui in Chef Server 11 is vulnerable to recently announced security vulnerabilities in Rack [1]. The Chef 10 webui does not run on rails. We recommend that Chef 11 Server users shut down the webui to prevent any expoitation.

To do so, create '/etc/chef-server/chef-server.rb' and add this line to it:

webui_enable false

Then run 'sudo chef-server-ctl reconfigure'

On Monday we will release a new Chef Server 11 package that upgrades Rack to 1.4.5 to resolve this issue. The webui will be configured to not start by default in Monday's release and subsequent releases and we are deprecating it. The chef-server-webui will not be included in the Chef 12 Server open-source release.

Bryan McLellan | opscode | technical program manager, open source
(c) 206.607.7108 | (t) @btmspox | (b) http://blog.loftninjas.org

[1] http://rack.github.com/

4

I agree with Joshua. If there was no UI, we wouldn't have gone with chef.
Granted, we use UI less
and less everyday, but without it, we wouldn't have started with chef.

On Sat, Feb 9, 2013 at 10:12 AM, Joshua Miller jassinpain@gmail.com wrote:

This seems like a odd idea to me given the only time I used the webui was
when I was first playing with chef. It allows a new user who is unsure to
verify his actions in a friendly ui.

Someone who has explored the benefits of chef are more likely to become a
paying member. This is even more true given the recent announcement of
commercial support for the open source platform.

Joshua

On Feb 9, 2013, at 9:53 AM, Jesse Campbell hikeit@gmail.com wrote:

Is the intention that starting with chef 12 server, the webui will be a
value add of the hosted/private offerings?

On Sat, Feb 9, 2013 at 11:40 AM, Bryan McLellan btm@opscode.com wrote:

We believe that the chef-server-webui in Chef Server 11 is vulnerable to
recently announced security vulnerabilities in Rack [1]. The Chef 10 webui
does not run on rails. We recommend that Chef 11 Server users shut down the
webui to prevent any expoitation.

To do so, create '/etc/chef-server/chef-server.rb' and add this line to
it:

webui_enable false

Then run 'sudo chef-server-ctl reconfigure'

On Monday we will release a new Chef Server 11 package that upgrades Rack
to 1.4.5 to resolve this issue. The webui will be configured to not start
by default in Monday's release and subsequent releases and we are
deprecating it. The chef-server-webui will not be included in the Chef 12
Server open-source release.

Bryan McLellan | opscode | technical program manager, open source
(c) 206.607.7108 | (t) @btmspox | (b) http://blog.loftninjas.org

[1] http://rack.github.com/

--
..Senthil

"If there's anything more important than my ego around, I want it
caught and shot now."
- Douglas Adams.

5

I'm not sure how I successfully disabled the webui this morning, but
other Opscode folks tell me the correct
/etc/chef-server/chef-server.rb entry to disable the webui is this:

chef_server_webui['enable'] = false

Then run 'sudo chef-server-ctl reconfigure'

On Sat, Feb 9, 2013 at 12:53 PM, Jesse Campbell hikeit@gmail.com wrote:

Is the intention that starting with chef 12 server, the webui will be a
value add of the hosted/private offerings?

Not exactly. Opscode Hosted and Private Chef (OHC + OPC) have had a
separate webui from Open Source for a long time. As we recently
announced [1], we've rewritten the OHC/OPC webui and added support for
new OPC features (and OHC where applicable) like activity reporting
and push client runs. So yes, there is a big value-add there, but
that's not why we're deprecating it.

In the history of the Open Source chef-server-webui project there have
only been 20 contributions with 37 commits (since August 2009). That's
less than one a month if you spread it out. We breathed a little life
into it by porting it from merb to rails3 but it is a completely
different project from our webui, so there's nothing to trickle down
to it. In the face of multiple security patches in under a week, most
people not using it, and very few developing it, it is more of a
liability than a feature.

Now, if anyone was about to say, "I love the webui, wanted to work on
it and just found a ton of spare time," we should talk about long-term
possibilities.

Bryan

[1] http://www.opscode.com/press-releases/opscode-announces-next-generation-of-private-chef-for-the-enterprise/

6

...

Well ... no web-ui is a showstopper for us.

We have a lot of
people working with it, mainly doing attribute edition and role/node
association.

Peolple involved for this are quite unable to work with
command line tools :confused:

I "wish" to find time to add ldap/AD support for
web-ui authentication but I can't for now.

Learning web-ui will be
discontinued is really sad for me as I spent time to spread chef usage
within my company and this only point will be a wall on the road.

Moreover and talking only for myself (but that may apply elsewhere):
this is the typical choice to give a cold shower toward any company
'trying' an open source project to see if it will fit or not.

In
brief: I've the feeling I did loose 3 or 4 months working and talking
about chef here as I know it won't be deployed more widely without a
web-ui.

Regards.

Le 2013-02-10 03:26, Bryan McLellan a écrit :

I'm not sure how I successfully disabled the webui this morning, but

other Opscode folks tell me the correct

/etc/chef-server/chef-server.rb entry to disable the webui is this:

chef_server_webui['enable'] = false

Then run 'sudo chef-server-ctl
reconfigure'

On Sat, Feb 9, 2013 at 12:53 PM, Jesse Campbell
hikeit@gmail.com wrote:

Is the intention that starting with chef
12 server, the webui will be a value add of the hosted/private
offerings?

Not exactly. Opscode Hosted and Private Chef (OHC + OPC)
have had a
separate webui from Open Source for a long time. As we
recently
announced [1], we've rewritten the OHC/OPC webui and added
support for
new OPC features (and OHC where applicable) like activity
reporting
and push client runs. So yes, there is a big value-add
there, but
that's not why we're deprecating it.

In the history of
the Open Source chef-server-webui project there have
only been 20
contributions with 37 commits (since August 2009). That's
less than
one a month if you spread it out. We breathed a little life
into it by
porting it from merb to rails3 but it is a completely
different
project from our webui, so there's nothing to trickle down
to it. In
the face of multiple security patches in under a week, most
people not
using it, and very few developing it, it is more of a
liability than a
feature.

Now, if anyone was about to say, "I love the webui, wanted
to work on
it and just found a ton of spare time," we should talk
about long-term
possibilities.

Bryan

[1]
http://www.opscode.com/press-releases/opscode-announces-next-generation-of-private-chef-for-the-enterprise/
[1]

Links:

[1]
http://www.opscode.com/press-releases/opscode-announces-next-generation-of-private-chef-for-the-enterprise/

7

I have to say I agree with others like Tensibai, Senthilvel and Joshua that
chef without webui is a major negative to me.

a basic webui that allows for easy checking of basic status and node
editing is needed for a lot of us to show this isn't some black art to
other sysadmins and managers and that it is something they can get behind.

On 10 February 2013 02:26, Bryan McLellan btm@loftninjas.org wrote:

I'm not sure how I successfully disabled the webui this morning, but
other Opscode folks tell me the correct
/etc/chef-server/chef-server.rb entry to disable the webui is this:

chef_server_webui['enable'] = false

Then run 'sudo chef-server-ctl reconfigure'

On Sat, Feb 9, 2013 at 12:53 PM, Jesse Campbell hikeit@gmail.com wrote:

Is the intention that starting with chef 12 server, the webui will be a
value add of the hosted/private offerings?

Not exactly. Opscode Hosted and Private Chef (OHC + OPC) have had a
separate webui from Open Source for a long time. As we recently
announced [1], we've rewritten the OHC/OPC webui and added support for
new OPC features (and OHC where applicable) like activity reporting
and push client runs. So yes, there is a big value-add there, but
that's not why we're deprecating it.

In the history of the Open Source chef-server-webui project there have
only been 20 contributions with 37 commits (since August 2009). That's
less than one a month if you spread it out. We breathed a little life
into it by porting it from merb to rails3 but it is a completely
different project from our webui, so there's nothing to trickle down
to it. In the face of multiple security patches in under a week, most
people not using it, and very few developing it, it is more of a
liability than a feature.

Now, if anyone was about to say, "I love the webui, wanted to work on
it and just found a ton of spare time," we should talk about long-term
possibilities.

Bryan

[1]
http://www.opscode.com/press-releases/opscode-announces-next-generation-of-private-chef-for-the-enterprise/

8

Another +1 for the WebUI. We use it all the time. I'd argue it's my
predominant way of interacting with chef for that matter. About the
only thing I do from the command line is cookbook stuff. I know I'm not
the only one that I absolutely hates editing json. knife node edit
pisses me off almost every time I use it, through syntax mistakes etc. etc.

Paul

On 2/11/2013 4:13 AM, Mat Davies wrote:

I have to say I agree with others like Tensibai, Senthilvel and Joshua
that chef without webui is a major negative to me.

a basic webui that allows for easy checking of basic status and node
editing is needed for a lot of us to show this isn't some black art to
other sysadmins and managers and that it is something they can get behind.

On 10 February 2013 02:26, Bryan McLellan <btm@loftninjas.org
mailto:btm@loftninjas.org> wrote:

I'm not sure how I successfully disabled the webui this morning, but
other Opscode folks tell me the correct
/etc/chef-server/chef-server.rb entry to disable the webui is this:

chef_server_webui['enable'] = false

Then run 'sudo chef-server-ctl reconfigure'

On Sat, Feb 9, 2013 at 12:53 PM, Jesse Campbell <hikeit@gmail.com
<mailto:hikeit@gmail.com>> wrote:
> Is the intention that starting with chef 12 server, the webui
will be a
> value add of the hosted/private offerings?

Not exactly. Opscode Hosted and Private Chef (OHC + OPC) have had a
separate webui from Open Source for a long time. As we recently
announced [1], we've rewritten the OHC/OPC webui and added support for
new OPC features (and OHC where applicable) like activity reporting
and push client runs. So yes, there is a big value-add there, but
that's not why we're deprecating it.

In the history of the Open Source chef-server-webui project there have
only been 20 contributions with 37 commits (since August 2009). That's
less than one a month if you spread it out. We breathed a little life
into it by porting it from merb to rails3 but it is a completely
different project from our webui, so there's nothing to trickle down
to it. In the face of multiple security patches in under a week, most
people not using it, and very few developing it, it is more of a
liability than a feature.

Now, if anyone was about to say, "I love the webui, wanted to work on
it and just found a ton of spare time," we should talk about long-term
possibilities.

Bryan

[1]
http://www.opscode.com/press-releases/opscode-announces-next-generation-of-private-chef-for-the-enterprise/
9

If you get a json editor that runs either in the shell or in a window, you
can run knife node edit with -e followed by the editor of your choice...

-jesse

On Mon, Feb 11, 2013 at 11:44 AM, Paul Graydon paul@paulgraydon.co.ukwrote:

Another +1 for the WebUI. We use it all the time. I'd argue it's my
predominant way of interacting with chef for that matter. About the only
thing I do from the command line is cookbook stuff. I know I'm not the
only one that I absolutely hates editing json. knife node edit pisses me
off almost every time I use it, through syntax mistakes etc. etc.

Paul

On 2/11/2013 4:13 AM, Mat Davies wrote:

I have to say I agree with others like Tensibai, Senthilvel and Joshua
that chef without webui is a major negative to me.

a basic webui that allows for easy checking of basic status and node
editing is needed for a lot of us to show this isn't some black art to
other sysadmins and managers and that it is something they can get behind.

On 10 February 2013 02:26, Bryan McLellan btm@loftninjas.org wrote:

I'm not sure how I successfully disabled the webui this morning, but
other Opscode folks tell me the correct
/etc/chef-server/chef-server.rb entry to disable the webui is this:

chef_server_webui['enable'] = false

Then run 'sudo chef-server-ctl reconfigure'

On Sat, Feb 9, 2013 at 12:53 PM, Jesse Campbell hikeit@gmail.com
wrote:

Is the intention that starting with chef 12 server, the webui will be a
value add of the hosted/private offerings?

Not exactly. Opscode Hosted and Private Chef (OHC + OPC) have had a
separate webui from Open Source for a long time. As we recently
announced [1], we've rewritten the OHC/OPC webui and added support for
new OPC features (and OHC where applicable) like activity reporting
and push client runs. So yes, there is a big value-add there, but
that's not why we're deprecating it.

In the history of the Open Source chef-server-webui project there have
only been 20 contributions with 37 commits (since August 2009). That's
less than one a month if you spread it out. We breathed a little life
into it by porting it from merb to rails3 but it is a completely
different project from our webui, so there's nothing to trickle down
to it. In the face of multiple security patches in under a week, most
people not using it, and very few developing it, it is more of a
liability than a feature.

Now, if anyone was about to say, "I love the webui, wanted to work on
it and just found a ton of spare time," we should talk about long-term
possibilities.

Bryan

[1]
http://www.opscode.com/press-releases/opscode-announces-next-generation-of-private-chef-for-the-enterprise/

10

I agree with the others of the importance of the web ui. For me though,
it's a selling point to my management right now for getting Private Chef if
open source Chef doesn't have a web ui at all. If we were deciding what
free open source automation solution to use, I don't think not having a web
ui would impact our decision because even Puppet doesn't have a web ui for
the free open source version.
Of course, the web ui is all open source, so AFAIK, nothing is stopping
anyone from grabbing the code and continuing development and maintenance on
it. I suspect, that's what will end up happening anyway.

John

On Mon, Feb 11, 2013 at 1:30 PM, Jesse Campbell hikeit@gmail.com wrote:

If you get a json editor that runs either in the shell or in a window, you
can run knife node edit with -e followed by the editor of your choice...

-jesse

On Mon, Feb 11, 2013 at 11:44 AM, Paul Graydon paul@paulgraydon.co.ukwrote:

Another +1 for the WebUI. We use it all the time. I'd argue it's my
predominant way of interacting with chef for that matter. About the only
thing I do from the command line is cookbook stuff. I know I'm not the
only one that I absolutely hates editing json. knife node edit pisses me
off almost every time I use it, through syntax mistakes etc. etc.

Paul

On 2/11/2013 4:13 AM, Mat Davies wrote:

I have to say I agree with others like Tensibai, Senthilvel and Joshua
that chef without webui is a major negative to me.

a basic webui that allows for easy checking of basic status and node
editing is needed for a lot of us to show this isn't some black art to
other sysadmins and managers and that it is something they can get behind.

On 10 February 2013 02:26, Bryan McLellan btm@loftninjas.org wrote:

I'm not sure how I successfully disabled the webui this morning, but
other Opscode folks tell me the correct
/etc/chef-server/chef-server.rb entry to disable the webui is this:

chef_server_webui['enable'] = false

Then run 'sudo chef-server-ctl reconfigure'

On Sat, Feb 9, 2013 at 12:53 PM, Jesse Campbell hikeit@gmail.com
wrote:

Is the intention that starting with chef 12 server, the webui will be a
value add of the hosted/private offerings?

Not exactly. Opscode Hosted and Private Chef (OHC + OPC) have had a
separate webui from Open Source for a long time. As we recently
announced [1], we've rewritten the OHC/OPC webui and added support for
new OPC features (and OHC where applicable) like activity reporting
and push client runs. So yes, there is a big value-add there, but
that's not why we're deprecating it.

In the history of the Open Source chef-server-webui project there have
only been 20 contributions with 37 commits (since August 2009). That's
less than one a month if you spread it out. We breathed a little life
into it by porting it from merb to rails3 but it is a completely
different project from our webui, so there's nothing to trickle down
to it. In the face of multiple security patches in under a week, most
people not using it, and very few developing it, it is more of a
liability than a feature.

Now, if anyone was about to say, "I love the webui, wanted to work on
it and just found a ton of spare time," we should talk about long-term
possibilities.

Bryan

[1]
http://www.opscode.com/press-releases/opscode-announces-next-generation-of-private-chef-for-the-enterprise/

--
John Alberts

11

Hi,

On Sun, Feb 10, 2013 at 1:26 PM, Bryan McLellan btm@loftninjas.org wrote:

Is the intention that starting with chef 12 server, the webui will be a
value add of the hosted/private offerings?

Not exactly. Opscode Hosted and Private Chef (OHC + OPC) have had a
separate webui from Open Source for a long time. As we recently
announced [1], we've rewritten the OHC/OPC webui and added support for
new OPC features (and OHC where applicable) like activity reporting
and push client runs. So yes, there is a big value-add there, but
that's not why we're deprecating it.

In the history of the Open Source chef-server-webui project there have
only been 20 contributions with 37 commits (since August 2009). That's
less than one a month if you spread it out. We breathed a little life
into it by porting it from merb to rails3 but it is a completely
different project from our webui, so there's nothing to trickle down
to it. In the face of multiple security patches in under a week, most
people not using it, and very few developing it, it is more of a
liability than a feature.

While I can imagine that a certain point of view from within opscode
the business would see it as a liability, that is not my view. At
least where I am, we would have been unlikely to have adopted it if it
had not had the web-ui. While our workflow is largely divorced from
the web ui we still use it to some limited degree to inspect the node
configuration data.

I am also actively training and advocating to others and it becomes a
lot harder sell if chef were to drop the web ui. I know that some
groups have adopted chef over other options because the perception was
that the other products were crippleware. I would hate to see chef
fall into this same category.

While many of us don't directly contribute to your bottom line, we do
help out with the marketing and sometimes the ecosystem. I know that i
may come at a cost to maintain something you don't use but I suspect
it is cheaper than paying a marketing group to make up the differece.

--
Cheers,

Peter Donald