On March 1, 2016, the OpenSSL team released a new high severity security advisory and, at the same time, new OpenSSL releases containing fixes for the vulnerabilities it describes. After reviewing those vulnerabilities, the team at Chef has determined that Chef products are not at immediate risk as a result of the OpenSSL vulnerabilities disclosed today.
Chef’s products do not ship with SSLv2 enabled by default. Therefore, Chef’s products are not vulnerable to either of the high severity SSLv2 vulnerabilities described in the advisory (CVE-2016-0800 and CVE-2016-0703).
Customers who have manually enabled SSLv2 should mitigate these vulnerabilities by disabling that protocol version. Please contact support if you require assistance doing this.
Future versions of Chef’s products will include the new OpenSSL releases, which disable SSLv2 by default at build time.
For CVE-2016-0800, Chef’s products do not ship with SSLv2 enabled and so are not vulnerable out of the box.
Chef’s products are vulnerable to CVE-2016-0705; however, the advisory rates this issue low severity and expects exploitation to be rare. Chef will update its products according to their regular release schedules to include OpenSSL 1.0.1s, which corrects this vulnerability.
Chef’s products are vulnerable to CVE-2016-0798; however, the issue is rated low severity, and Chef’s products neither configure nor use an SRP database, so the affected code path is not exercised.
Chef’s products are vulnerable to CVE-2016-0799; however, the issue is rated low severity, and Chef’s products do not print or otherwise process ASN.1 formatted data through the affected functions. Chef will update its products according to their regular release schedules to include OpenSSL 1.0.1s, which corrects this vulnerability.
Chef’s products are vulnerable to CVE-2016-0702; however, the issue is rated low severity, applies only to systems running on Intel Sandy Bridge processors, and, as the advisory notes, “the ability to exploit this issue is limited as it relies on an attacker who has control of code in a thread running on the same hyper-threaded core as the victim thread which is performing decryptions.” Chef will update its products according to their regular release schedules to include OpenSSL 1.0.1s, which corrects this vulnerability.
Chef’s products currently ship with OpenSSL 1.0.1r. CVE-2016-0703 was corrected in OpenSSL 1.0.1m, released March 19, 2015, so the bundled version already contains that fix. Additionally, Chef’s products do not ship with SSLv2 enabled.
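The reasoning above (1.0.1r already contains the 1.0.1m fix for CVE-2016-0703 but predates the 1.0.1s fixes for the remaining issues) is a version comparison that is easy to get wrong because OpenSSL 1.0.x patch releases are lettered and fixes land per branch: 1.0.2a is numerically newer than 1.0.1s yet does not contain the March 2016 fixes, which reached the 1.0.2 branch in 1.0.2g. The following Ruby script is an added example, not Chef’s code or part of the original advisory; it parses an OpenSSL version string, compares it with the fix release for its branch, and reports whether a given CVE is fixed. The fix releases in the table are taken from the OpenSSL advisory (1.0.1s/1.0.2g for the March 1, 2016 issues; 1.0.1m/1.0.2a for CVE-2016-0703). It assumes that branches newer than every listed fix branch (1.1.x, 3.x) contain the fixes, which holds for these 2016 issues, and treats older branches (1.0.0, 0.9.8) as unsupported rather than fixed.

```ruby
# Added example (not Chef's code): check an OpenSSL version string against the
# release that carries a given fix, honouring OpenSSL's pre-1.1.0 lettered
# patch-release scheme and the fact that fixes are applied per branch.

# Matches "1.0.1r", "OpenSSL 1.0.1r 28 Jan 2016" or "OpenSSL 3.0.2 15 Mar 2022".
VERSION_RE = /\b(\d+)\.(\d+)\.(\d+)([a-z]*)\b/

# Parse a version string into [major, minor, patch, letters]; nil if absent.
# Arrays compare element-wise, so [1,0,1,"m"] < [1,0,1,"r"] < [1,0,1,"s"] and a
# missing letter suffix ("") sorts before "a", as OpenSSL intends.
def parse_openssl_version(str)
  m = VERSION_RE.match(str)
  return nil unless m
  [m[1].to_i, m[2].to_i, m[3].to_i, m[4]]
end

# Fix releases per branch, from the OpenSSL advisory text. The March 1, 2016
# fixes (CVE-2016-0702, -0705, -0798, -0799) shipped in 1.0.1s and 1.0.2g;
# CVE-2016-0703 had already been fixed in 1.0.1m / 1.0.2a (March 19, 2015).
FIXED_IN = {
  "CVE-2016-0702" => %w[1.0.1s 1.0.2g],
  "CVE-2016-0705" => %w[1.0.1s 1.0.2g],
  "CVE-2016-0798" => %w[1.0.1s 1.0.2g],
  "CVE-2016-0799" => %w[1.0.1s 1.0.2g],
  "CVE-2016-0703" => %w[1.0.1m 1.0.2a],
}.freeze

# Returns :fixed, :vulnerable or :unsupported.
# - Same branch (major.minor.patch) as a fix release: compare letter suffixes.
# - Newer branch than any listed fix: assumed fixed (assumption: true for these
#   2016 issues, since 1.1.0 and later were cut after the fixes).
# - Older branch than any listed fix: end-of-life, never patched -> :unsupported.
def fix_status(cve, installed)
  v = parse_openssl_version(installed)
  raise ArgumentError, "unparseable OpenSSL version: #{installed.inspect}" unless v
  fixes = FIXED_IN.fetch(cve).map { |s| parse_openssl_version(s) }
  branch = fixes.find { |f| f[0, 3] == v[0, 3] }
  if branch
    (v <=> branch) >= 0 ? :fixed : :vulnerable
  elsif (v[0, 3] <=> fixes.map { |f| f[0, 3] }.max) > 0
    :fixed
  else
    :unsupported
  end
end

# Status of every CVE in the table for one installed version.
def report(installed)
  FIXED_IN.keys.map { |cve| [cve, fix_status(cve, installed)] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  # The version the advisory above says Chef's products bundle.
  puts "Bundled 1.0.1r: #{report('1.0.1r')}"
  # The OpenSSL library this Ruby runtime is linked against, if available.
  begin
    require "openssl"
    v = OpenSSL::OPENSSL_LIBRARY_VERSION
    puts "Runtime #{v}: #{report(v)}"
  rescue LoadError
    puts "openssl extension not available"
  end
end
```

For 1.0.1r the report returns :fixed for CVE-2016-0703 and :vulnerable for the four March 2016 issues, which is exactly the position the advisory takes; the same table can be fed the version string of any bundled or system OpenSSL to reproduce the check.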