Chef Server 11.0.12 is a security release that includes an updated version of OpenSSL that patches CVE-2014-0160, also known as the Heartbleed bug. All installs of Chef Server should be upgraded immediately. This bug is trivially exploitable: a remote, unauthenticated attacker can read secrets out of the memory of a vulnerable server. These secrets can include any of the information stored within your Chef Server (usernames, passwords, node data, data bags, etc.) as well as the private key of its SSL certificate. The severity of this exploit cannot be overstated. Please follow the upgrade instructions below carefully to ensure that your Chef Server install is fully patched.
To download the latest version of Chef Server, visit https://www.getchef.com/chef/install
First, follow the upgrade instructions on the Chef Documentation site here: http://docs.opscode.com/upgrade_server_open_source.html#upgrade-to-newer-versions-of-chef-server-11
NOTE – After upgrading OpenSSL, regenerating your SSL certificates is the most important step in closing the Heartbleed vulnerability. The SSL certificate and its private key, as well as any of the secrets stored on your Chef Server, should be considered compromised by anyone who could reach the Chef Server over the network while it was vulnerable; regenerating the certificate does not rotate those other secrets, so plan to rotate them as well. Here are the steps needed to regenerate your SSL certificates:
Regenerate your SSL certificates by following the instructions on the Chef Documentation site here: http://docs.opscode.com/open_source/server_security.html#regenerate-ssl-certificates
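After completing the two steps above, confirm that the server is actually patched and that the certificate was reissued rather than carried over. The script below is an added verification example, not part of the Chef Server release or its documentation. It assumes that Chef Server 11 ships its own OpenSSL at /opt/chef-server/embedded/bin/openssl and keeps its nginx certificates under /var/opt/chef-server/nginx/ca/ (adjust both paths to your install); the version classification relies on the published OpenSSL fact that 1.0.1 through 1.0.1f and 1.0.2-beta1 are vulnerable and 1.0.1g is the first fixed 1.0.1 release.

```shell
#!/bin/sh
# Added Heartbleed verification helper for a Chef Server 11 host.
# Not part of the Chef Server release; paths below are assumptions for this
# example. Heartbleed (CVE-2014-0160) affects upstream OpenSSL 1.0.1 through
# 1.0.1f and 1.0.2-beta1; 1.0.1g is the first fixed 1.0.1 release.

EMBEDDED_OPENSSL=/opt/chef-server/embedded/bin/openssl   # assumed location
CERT_DIR=/var/opt/chef-server/nginx/ca                   # assumed location

# Extract the version token from an `openssl version` banner,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e".
openssl_version_from_banner() {
  set -- $1          # intentional word splitting on the banner
  printf '%s\n' "$2"
}

# Return 0 (true) if the version token names a Heartbleed-vulnerable
# upstream build, 1 otherwise. Suffixes such as "-fips" are tolerated.
heartbleed_vulnerable() {
  case "$1" in
    1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1|1.0.2-beta1-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run the embedded OpenSSL binary and classify it.
# Returns 0 if patched, 1 if vulnerable, 2 if the binary is not found.
check_embedded_openssl() {
  bin="${1:-$EMBEDDED_OPENSSL}"
  if [ ! -x "$bin" ]; then
    echo "no openssl binary at $bin" >&2
    return 2
  fi
  ver=$(openssl_version_from_banner "$("$bin" version)")
  if heartbleed_vulnerable "$ver"; then
    echo "VULNERABLE: $bin is OpenSSL $ver; upgrade Chef Server now"
    return 1
  fi
  echo "ok: $bin is OpenSSL $ver"
  return 0
}

# Print subject, issue date and SHA-256 fingerprint of a certificate so you
# can confirm the notBefore date is after the upgrade and the fingerprint
# differs from the one clients pinned before the incident.
show_cert_issue_date() {
  cert="$1"
  bin="${2:-$EMBEDDED_OPENSSL}"
  "$bin" x509 -in "$cert" -noout -subject -startdate -fingerprint -sha256
}

# usage on the Chef Server host:  sh heartbleed_check.sh --check
if [ "${1:-}" = "--check" ]; then
  check_embedded_openssl
  for c in "$CERT_DIR"/*.crt; do
    [ -f "$c" ] && show_cert_issue_date "$c"
  done
fi
```

The version check is only meaningful for vendor-built binaries such as the one embedded in Chef Server; distribution packages (Debian, Ubuntu, RHEL) often backport the fix without changing the version letter, so for the system OpenSSL consult the package changelog instead. A certificate whose notBefore date predates the upgrade was not regenerated and its key must still be treated as compromised.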
The following items are the set of security fixes that have been applied since Chef Server 11.0.11: