Chef 10.16.6 Security Release
We've released version 10.16.6 of Chef. The only change in this release is that chef-server-api and chef-server-webui have changed their dependency on the extlib gem to require at least version 0.9.16. This change patches a potential vulnerability similar to the vulnerability recently disclosed and fixed in rails.
chef (client/solo), chef-solr, and chef-expander are unchanged from 10.16.4.
The CVE-2013-0156 vulnerability discovered in rails allows arbitrary code execution on an affected server. The vulnerable code is in rails's ActiveSupport library. Though the current versions of Chef server use Merb instead of rails, Merb uses an ActiveSupport fork called extlib that includes the same vulnerability to provide many of the same features as ActiveSupport. According to the currently available information about the vulnerability, there are several additional conditions that must be satisfied for the vulnerability to be exploitable. Without further research, we cannot determine if merb or chef-server meet those conditions. We are therefore assuming that chef-server is vulnerable and urging everyone to upgrade or patch as soon as possible. Though it is unlikely that a "vanilla" exploit designed to exploit rails applications would work against chef-server, it may be possible to create a custom exploit for merb applications or chef-server in particular.
There are several options for upgrading, depending on your version and chosen method of installation.
If you've installed chef-server via gems (this includes the chef-solo based bootstrap) you can run:
gem install chef-server chef-expander chef-solr
And then restart chef-server-api and chef-server-webui.
If you are running an older version of chef-server (0.9.x), you can update extlib by running:
gem install extlib
And then restarting chef-server-api and chef-server-webui.
We've published version 0.9.16 of extlib to apt.opscode.com. You can update via the normal apt upgrade process. In addition, we've notified Debian and Ubuntu of the issue, so there should be updated packages available from them soon.
The Debian bug report is available here.
The ubuntu bug report is available here.
We'd like to thank Dan Kubb for patching extlib and bringing this issue to our attention, he is this release's MVP.
Now that this is public, we’ve added an entry in our bug database: CHEF-3754