
Chef & Rails CVE-2014-3482

Seth Vargo | Posted on | Releases

At 17:11 UTC, the Rails security team publicized CVE-2014-3482 and CVE-2014-3483. In short, these vulnerabilities concern the PostgreSQL adapter in ActiveRecord. A bug in the SQL quoting code could allow an attacker to carefully craft a request and execute a SQL injection. Only applications that query against bitstring or range type columns were vulnerable.
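Because the issue is limited to bitstring and range type columns, the first question for anyone running a Rails application on PostgreSQL is whether their schema uses those types at all. The following scanner is an added example, not code from the Chef post or from the Rails project: it reads a `db/schema.rb` dump and lists every column declared with one of those types. The column type names (`bit`, `bit_varying`, `int4range`, `int8range`, `numrange`, `tsrange`, `tstzrange`, `daterange`) are our assumption based on how Rails 4 schema dumps name PostgreSQL types; the sample schema is constructed for the demonstration.

```ruby
# Added example (not from the Chef post): scan a Rails schema.rb for the
# PostgreSQL column types that CVE-2014-3482/3 concern, so a defender can
# tell whether an application is in scope at all. The type names are taken
# from Rails 4 schema dumps (assumption, not stated in the post).
BITSTRING_TYPES = %w[bit bit_varying].freeze
RANGE_TYPES     = %w[int4range int8range numrange tsrange tstzrange daterange].freeze

# Returns an array of { table:, column:, type: } hashes for every column
# whose type is in scope. Takes the schema.rb text so it can run offline.
def affected_columns(schema_text)
  hits = []
  table = nil
  schema_text.each_line do |line|
    if (m = line.match(/create_table\s+"([^"]+)"/))
      # Entering a create_table block: remember which table we are in.
      table = m[1]
    elsif table && (m = line.match(/^\s*t\.(\w+)\s+"([^"]+)"/))
      # A column declaration such as: t.bit "flags", limit: 8
      type, column = m[1], m[2]
      if BITSTRING_TYPES.include?(type) || RANGE_TYPES.include?(type)
        hits << { table: table, column: column, type: type }
      end
    elsif line =~ /^\s*end\b/
      # Leaving the create_table block.
      table = nil
    end
  end
  hits
end

# Constructed sample schema for demonstration (not a real Chef schema).
SAMPLE_SCHEMA = <<~SCHEMA
  create_table "nodes", force: true do |t|
    t.string   "name"
    t.bit      "flags", limit: 8
    t.datetime "created_at"
  end

  create_table "bookings", force: true do |t|
    t.tsrange  "slot"
    t.integer  "room_id"
  end

  create_table "users", force: true do |t|
    t.string   "email"
  end
SCHEMA

if __FILE__ == $PROGRAM_NAME
  affected_columns(SAMPLE_SCHEMA).each do |h|
    puts "#{h[:table]}.#{h[:column]} (#{h[:type]})"
  end
end
```

Run it against a real dump with `affected_columns(File.read("db/schema.rb"))`; an empty result means the application does not query columns of the affected types and is outside the scope the advisory describes, while any hit means the application should be on a patched Rails release regardless of how those columns are queried.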

After a careful investigation of our various services, both internal and external, we concluded that no Chef Software products are vulnerable to CVE-2014-3482/3.

We take security very seriously at Chef Software. In accordance with our responsible disclosure policy, please email security (at) getchef.com to bring vulnerabilities to our attention.