[chef] Re: Re: Chef server & heartbleed

[Daniel DeLeo < >]

We’ve been discussing this and reading up about more results from researchers 
investigating heartbleed, and we now think your client keys could be exposed 
via the following scenario:  

* client registers with the validation key, server generates private key and 
returns it.
* attacker leaks memory from last request and pieces together the key

We will update our blog posts with this information and instructions on ways 
to rekey your clients tomorrow.

By the way, chef-client 11.12 includes the ability for clients to generate 
private keys on their own, by setting `local_key_generation` to true in 
client.rb. This will eventually be the default setting, but for now you have 
to opt-in. This would have prevented the need to rekey all your clients.  

--  
Daniel DeLeo


On Wednesday, April 9, 2014 at 5:01 PM, Michael Hart wrote:

> Thanks Stephen and team! I’ve upgraded and filippo.io/Heartbleed 
> (http://filippo.io/Heartbleed) claims I’m good.  
>  
> One question, your blog post states that "Chef does authentication and 
> authorization by signing each request, so you don’t have to worry about 
> regenerating your client credentials”. Does that mean the client.pem files 
> that are generated for each client are safe and do not need to be 
> regenerated?  
>  
> thanks  
> mike
>  
> --  
> Michael Hart
> Arctic Wolf Networks
> M: 226-388-4773
>  
>  
>  
>  
>  
> On Apr 9, 2014, at 6:41 PM, Stephen Delano 
> <
 
>  
> (mailto:
 )>
>  wrote:  
> > The upgrade instructions now linked in the blog post at 
> > http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/ ;
> > mention that a restart is required after the upgrade. Thanks for pointing 
> > this out.  
> >  
> > Here are the instructions if you don't want to be clicking around: 
> > http://docs.opscode.com/upgrade_server_open_source.html#upgrade-to-newer-versions-of-chef-server-11
> >   
> >  
> > Cheers,  
> > Stephen
> >  
> >  
> >  
> > On Wed, Apr 9, 2014 at 3:17 PM, Tucker 
> > <
 
> >  
> > (mailto:
 )>
> >  wrote:
> > > Two more comments and then I'm done, I swear:  
> > >  
> > > * "chef-server-ctl reconfigure" doesn't reload the openssl libs. You 
> > > have to do a restart. The blog post should mention that.  
> > > * Confirmed fixed after a restart.
> > >  
> > > Thanks!  
> > >  
> > >  
> > > On Wed, Apr 9, 2014 at 3:13 PM, Tucker 
> > > <
 
> > >  
> > > (mailto:
 )>
> > >  wrote:
> > > > Installing using rpm works but that makes yum sad.  
> > > >  
> > > >  
> > > > On Wed, Apr 9, 2014 at 3:08 PM, Tucker 
> > > > <
 
> > > >  
> > > > (mailto:
 )>
> > > >  wrote:
> > > > > Perhaps I'm crazy but I've tested this on two servers and the 
> > > > > package looks bad:  
> > > > >  
> > > > > # yum install 
> > > > > https://opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/chef-server-11.0.12-1.el6.x86_64.rpm
> > > > >   
> > > > > Loaded plugins: fastestmirror
> > > > > Loading mirror speeds from cached hostfile
> > > > > Setting up Install Process
> > > > > chef-server-11.0.12-1.el6.x86_64.rpm | 197 MB 00:16  
> > > > > Examining 
> > > > > /var/tmp/yum-root-abmR0f/chef-server-11.0.12-1.el6.x86_64.rpm: 
> > > > > chef-server-11.0.12-1.el6.x86_64
> > > > > Cannot install package chef-server-11.0.12-1.el6.x86_64. It is 
> > > > > obsoleted by installed package chef-server-11.0.10-1.el6.x86_64
> > > > > Error: Nothing to do
> > > > >  
> > > > >  
> > > > >  
> > > > >  
> > > > > On Wed, Apr 9, 2014 at 1:56 PM, Stephen Delano 
> > > > > <
 
> > > > >  
> > > > > (mailto:
 )>
> > > > >  wrote:
> > > > > > Builds of the Open Source Chef Server are ready to download now. 
> > > > > > They should be available via http://getchef.com/chef/install. ;
> > > > > > I'll be posting a blog post for all the server releases in a just 
> > > > > > a few minutes. Cheers!  
> > > > > >  
> > > > > >  
> > > > > > On Wed, Apr 9, 2014 at 1:21 PM, Michael Glenney 
> > > > > > <
 
> > > > > >  
> > > > > > (mailto:
 )>
> > > > > >  wrote:
> > > > > > > Let me clarify. RHEL 6 only. 6.4 or .5 and above. RHEL5 is fine
> > > > > > >  
> > > > > > > Sent from my iPhone  
> > > > > > >  
> > > > > > > On Apr 9, 2014, at 1:19 PM, Michael Glenney 
> > > > > > > <
 
> > > > > > >  
> > > > > > > (mailto:
 )>
> > > > > > >  wrote:
> > > > > > >  
> > > > > > > > That's not the case. RHEL OpenSSL was certainly affected. We 
> > > > > > > > received errata and had to patch.
> > > > > > > >  
> > > > > > > > Sent from my iPhone  
> > > > > > > >  
> > > > > > > > On Apr 9, 2014, at 10:44 AM, JOHN HASTY 
> > > > > > > > <
 
> > > > > > > >  
> > > > > > > > (mailto:
 )>
> > > > > > > >  wrote:
> > > > > > > >  
> > > > > > > > > At our scrum this morning, our security person said that no 
> > > > > > > > > RHEL official version of OpenSSL contains the 
> > > > > > > > > vulnerability. So unless someone compiled it from source 
> > > > > > > > > code, it should be good.
> > > > > > > > >  
> > > > > > > > > The bad news is that the latest Fedora installations do 
> > > > > > > > > have it.
> > > > > > > > >  
> > > > > > > > >  
> > > > > > > > >  
> > > > > > > > > JOHN HASTY
> > > > > > > > > Software as a Service - DevOps
> > > > > > > > > Software Group  
> > > > > > > > >  
> > > > > > > > >  
> > > > > > > > > Phone: 1-512-804-9968 (tel:1-512-804-9968)
> > > > > > > > > E-mail: 
> > > > > > > > > 
 
> > > > > > > > >  
> > > > > > > > > (mailto:
 )
> > > > > > > > >   
> > > > > > > > > <32787972.gif>
> > > > > > > > >  
> > > > > > > > > 2407 S Congress Ave Ste E-350
> > > > > > > > > Austin, TX 78704
> > > > > > > > > United States  
> > > > > > > > >  
> > > > > > > > > <graycol.gif>Tucker ---04/09/2014 11:29:30 AM---Any update 
> > > > > > > > > on this? The blog has chef client updates but I've yet to 
> > > > > > > > > see anything on server.
> > > > > > > > >  
> > > > > > > > > From: Tucker 
> > > > > > > > > <
 
> > > > > > > > >  
> > > > > > > > > (mailto:
 )>
> > > > > > > > > To: 
> > > > > > > > > "
 
> > > > > > > > >  
> > > > > > > > > (mailto:
 )"
> > > > > > > > >  
> > > > > > > > > <
 
> > > > > > > > >  
> > > > > > > > > (mailto:
 )>,
> > > > > > > > >   
> > > > > > > > > Date: 04/09/2014 11:29 AM
> > > > > > > > > Subject: [chef] Re: Re: Chef server & heartbleed
> > > > > > > > >  
> > > > > > > > >  
> > > > > > > > >  
> > > > > > > > > Any update on this? The blog has chef client updates but 
> > > > > > > > > I've yet to see anything on server.
> > > > > > > > >  
> > > > > > > > >  
> > > > > > > > > On Tue, Apr 8, 2014 at 8:15 AM, Adam Jacob 
> > > > > > > > > <
 
> > > > > > > > >  
> > > > > > > > > (mailto:
 )>
> > > > > > > > >  wrote:  
> > > > > > > > > Cutting releases today. Full announcement soon.  
> > > > > > > > > On Apr 8, 2014 8:14 AM, "Daniel Givens" 
> > > > > > > > > <
 
> > > > > > > > >  
> > > > > > > > > (mailto:
 )>
> > > > > > > > >  wrote:  
> > > > > > > > > It looks like openssl in the latest Chef server package for 
> > > > > > > > > Ubuntu (haven’t checked EL) is vulnerable to the 
> > > > > > > > > Heartbleed[1] exploit. Any word on when an update will be 
> > > > > > > > > made available?
> > > > > > > > >  
> > > > > > > > > Thanks!
> > > > > > > > >  
> > > > > > > > > Daniel
> > > > > > > > >  
> > > > > > > > > [1] http://heartbleed.com/  ;
> > > > > > > > >  
> > > > > > > > >  
> > > > > > > > > --  
> > > > > > > > >  
> > > > > > > > > --tucker  
> > > > > >  
> > > > > >  
> > > > > >  
> > > > > > --  
> > > > > > Stephen Delano
> > > > > > Software Development Engineer
> > > > > > Opscode, Inc.
> > > > > > 1008 Western Avenue
> > > > > > Suite 601
> > > > > > Seattle, WA 98104  
> > > > >  
> > > > >  
> > > > >  
> > > > > --  
> > > > >  
> > > > > --tucker  
> > > >  
> > > >  
> > > > --  
> > > >  
> > > > --tucker  
> > >  
> > >  
> > > --  
> > >  
> > > --tucker  
> >  
> >  
> > --  
> > Stephen Delano
> > Software Development Engineer
> > Opscode, Inc.
> > 1008 Western Avenue
> > Suite 601
> > Seattle, WA 98104  
>