Chef 10.16.6 Security Release

We've released version 10.16.6 of Chef. The only change in this release is that chef-server-api and chef-server-webui have changed their dependency on the extlib gem to require at least version 0.9.16. This change patches a potential vulnerability similar to CVE-2013-0156, the vulnerability recently disclosed and fixed in rails.

chef (client/solo), chef-solr, and chef-expander are unchanged from 10.16.4.

Background

The CVE-2013-0156 vulnerability discovered in rails allows arbitrary code execution on an affected server. The vulnerable code is the XML parameter parsing in rails's ActiveSupport library, which lets a request body choose YAML and Symbol typecasts for the values it carries. Though the current versions of Chef server use Merb instead of rails, Merb depends on extlib, an ActiveSupport fork that provides many of the same features and includes the same vulnerable code. According to the currently available information about the vulnerability, several additional conditions must be satisfied for it to be exploitable. Without further research, we cannot determine whether merb or chef-server meet those conditions. We are therefore assuming that chef-server is vulnerable and urging everyone to upgrade or patch as soon as possible. Though it is unlikely that a "vanilla" exploit written for rails applications would work against chef-server, it may be possible to craft an exploit specific to merb applications or to chef-server in particular.
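To make the class of bug concrete, the following is an added example (not extlib's, rails's or Chef's own code) modelling the XML-to-Hash conversion at the heart of CVE-2013-0156. A legacy typecast table honours `type="yaml"` and `type="symbol"` attributes supplied in the request body, so the client decides which parser runs on its own input; the hardened table rejects those two types outright, which is the shape of the rails 3.2.11 and extlib 0.9.16 fixes. The element names, the request bodies and the `DisallowedType` error class are constructed for illustration, and the YAML payload is deliberately harmless.

```ruby
require 'rexml/document'
require 'yaml'

# Typecasts applied by a pre-fix XML-to-Hash converter, selected by the
# `type` attribute on each element. The `symbol` and `yaml` entries are the
# problem: the request body decides whether its text is handed to the YAML
# parser, and in the vulnerable code that was a full YAML.load, which can
# instantiate arbitrary Ruby objects. (Constructed model, not extlib's code.)
LEGACY_TYPECASTS = {
  'string'  => ->(s) { s },
  'integer' => ->(s) { s.to_i },
  'boolean' => ->(s) { %w[true 1].include?(s.strip) },
  'symbol'  => ->(s) { s.to_sym },
  'yaml'    => ->(s) { YAML.load(s) },
}.freeze

# The fix disallows the two dangerous types rather than silently downgrading
# them, so a hostile body fails loudly instead of being partially accepted.
DISALLOWED_TYPES   = %w[symbol yaml].freeze
HARDENED_TYPECASTS = LEGACY_TYPECASTS.reject { |t, _| DISALLOWED_TYPES.include?(t) }.freeze

class DisallowedType < StandardError; end   # hypothetical error class

# Convert the children of the root element into a Hash, applying the typecast
# named by each child's `type` attribute. Untyped or unknown types stay strings.
def params_from_xml(xml, typecasts:, disallowed: [])
  doc = REXML::Document.new(xml)
  params = {}
  doc.root.elements.each do |el|
    type = el.attributes['type']
    text = el.text.to_s
    if disallowed.include?(type)
      raise DisallowedType, "type=#{type.inspect} is not permitted in request parameters"
    end
    caster = typecasts.fetch(type.to_s) { ->(s) { s } }
    params[el.name] = caster.call(text)
  end
  params
end

def legacy_params(xml)
  params_from_xml(xml, typecasts: LEGACY_TYPECASTS)
end

def hardened_params(xml)
  params_from_xml(xml, typecasts: HARDENED_TYPECASTS, disallowed: DISALLOWED_TYPES)
end

# Constructed request bodies. The `type` attributes are attacker-controlled;
# the YAML here is harmless on purpose, the point is who picks the parser.
HOSTILE_BODY = <<~XML
  <node>
    <name>web-01</name>
    <run_list type="yaml">--- {recipe: evil}</run_list>
    <role type="symbol">admin</role>
  </node>
XML

BENIGN_BODY = <<~XML
  <node>
    <name>web-01</name>
    <cpu_count type="integer">4</cpu_count>
    <automatic type="boolean">true</automatic>
  </node>
XML

if __FILE__ == $PROGRAM_NAME
  p legacy_params(HOSTILE_BODY)        # YAML parsed, Symbol minted, from client input
  begin
    hardened_params(HOSTILE_BODY)
  rescue DisallowedType => e
    puts "rejected: #{e.message}"
  end
  p hardened_params(BENIGN_BODY)       # ordinary typed values still work
end
```

The legacy converter returns a Hash for `run_list` and a Symbol for `role`, both chosen by the client; the hardened converter raises on the first disallowed type and still typecasts integers and booleans normally. Whether a given deployment is exploitable depends on what the application does with the parsed values, which is the "additional conditions" caveat in the paragraph above.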

Upgrading

There are several options for upgrading, depending on your version and chosen method of installation.

RubyGems Upgrade

If you've installed chef-server via gems (this includes the chef-solo based bootstrap), you can run:

gem install chef-server chef-expander chef-solr

And then restart chef-server-api and chef-server-webui.

If you are running an older version of chef-server (0.9.x), you can update extlib by running:

gem install extlib

And then restarting chef-server-api and chef-server-webui.
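Because the chef-server-api and chef-server-webui version numbers do not tell you whether the fix is in place, the check that matters is the installed extlib version. The following is an added example (not part of the original post) that parses the output of `gem list extlib` and compares it against the 0.9.16 minimum with `Gem::Version`, which orders versions numerically (a plain string comparison would rank 0.9.9 above 0.9.16). The sample outputs are constructed.

```ruby
require 'rubygems'

MINIMUM_EXTLIB = Gem::Version.new('0.9.16')

# Parse `gem list` output into {gem_name => [Gem::Version, ...]}.
# Gem lines look like "extlib (0.9.16, 0.9.15)"; headers and blanks are skipped.
def parse_gem_list(output)
  output.each_line.each_with_object({}) do |line, gems|
    m = line.match(/\A(\S+) \(([^)]*)\)/) or next
    gems[m[1]] = m[2].split(',').map { |v| Gem::Version.new(v.strip) }
  end
end

# True when the newest installed extlib satisfies the 10.16.6 dependency.
# RubyGems activates the highest installed version unless something pins an
# older one, so the maximum is the version chef-server-api will load.
def extlib_patched?(gem_list_output)
  versions = parse_gem_list(gem_list_output)['extlib'] or return false
  versions.max >= MINIMUM_EXTLIB
end

# Constructed samples of `gem list extlib` output.
SAMPLE_PATCHED = <<~OUT
  *** LOCAL GEMS ***

  extlib (0.9.16, 0.9.15)
OUT

SAMPLE_UNPATCHED = <<~OUT
  *** LOCAL GEMS ***

  extlib (0.9.15, 0.9.9)
OUT

if __FILE__ == $PROGRAM_NAME
  puts "patched sample:   #{extlib_patched?(SAMPLE_PATCHED)}"
  puts "unpatched sample: #{extlib_patched?(SAMPLE_UNPATCHED)}"
end
```

On a real server call `extlib_patched?(`gem list extlib`)` with the same Ruby that runs chef-server-api; for Debian and Ubuntu packages the equivalent check is the `dpkg -l libextlib-ruby` output discussed in the comments below, which this parser does not cover.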

Apt Upgrade

We've published version 0.9.16 of extlib to apt.opscode.com. You can update via the normal apt upgrade process. In addition, we've notified Debian and Ubuntu of the issue, so there should be updated packages available from them soon.

The Debian bug report is available here.

The Ubuntu bug report is available here.

MVP

We'd like to thank Dan Kubb for patching extlib and bringing this issue to our attention; he is this release's MVP.

Update

Now that this is public, we’ve added an entry in our bug database: CHEF-3754

  • Mephux

    After upgrading via apt-get my chef-server-webui still shows version 10.16.4.

    • http://twitter.com/rts Ryan Schwartz

      “The only change in this release is that chef-server-api and chef-server-webui have changed their dependency on the extlib gem to require at least version 0.9.16.”

      Via apt-get (debian/ubuntu packaging), the chef-server-webui version won’t change. You should, however, see version 0.9.16-1 reported in the output of dpkg -l libextlib-ruby libextlib-ruby1.8

      • mephux

        ok, all looks well. Was confused by the versioning logic. Seems odd not to push a version change for each with such a major vulnerability. Anyway, thanks for the clarification.

        • http://jtimberman.housepub.org/ Joshua Timberman

          To clarify:

          Only the extlib library needs to be updated for the vulnerability. In order to ensure new RubyGems installations had the right version (0.9.16), new versions of the gems had to be published with the gemspec updated.

          For the apt repository, we only needed to update the libextlib-ruby package, and apt will take care of the rest, so that was done first. We’ve since updated the apt repository with Chef 10.16.6 packages though, so you can get those updated too, but there shouldn’t be any actual code changes.

          • mephux

            Excellent – great work responding to this.

  • Vali

    On the Windows instances, the fog library is not installed anymore in 10.16.6; any reasons for that?

    Where can we find a list of all changes that occurred from one version to another?

