Today we are announcing security releases of all supported versions of the Chef Client, ChefDK, Chef Container and the Push Jobs client. These releases address package ownership issues on Debian-based platforms.
Chef products installed from Debian-style .deb packages created files under /opt/<install_dir> with ownership by UID 999 or other UIDs instead of UID 0 (root). An unprivileged user with the matching UID would be able to change file contents to execute arbitrary commands as the user running the Chef product. Please see the accompanying blog post for more details on the underlying Omnibus installer issue.
We recommend remediation of chef-client before addressing the potential server-side or add-on issues. See also: Chef Server and Premium Feature Security Releases.
chef-client 10: AFFECTED: all releases from chef_10.28.0 through chef_10.34.2
chef-client 11: AFFECTED: all releases from chef_11.6.0.rc.0 through chef_11.16.0
Remediate the issue by upgrading to the latest release. For Chef 11, use the omnibus installer, e.g., `curl -L https://www.opscode.com/chef/install.sh | sudo bash`, or use your package management framework to update to the versions below, or any subsequent release:
If you’re unable to upgrade the package, fix the permissions in place.
Shell workaround: From a root shell, run:
`chown -Rh 0:0 /opt/chef`
Chef recipe: Include the following sample recipe in your base system configuration:
```ruby
execute 'fix_chef_uid' do
  command 'chown -Rh 0:0 /opt/chef'
  # Guard must be a block (evaluated at converge time); a bare boolean is not a valid not_if argument.
  not_if { File.stat('/opt/chef/bin').uid == 0 }
end
```
chefdk: AFFECTED: all releases through 0.2.0
Remediate the issue by upgrading to the latest release. Use your package management framework to update to the version below, or any subsequent release:
chefdk 0.2.2 https://www.chef.io/downloads
If you’re unable to upgrade the package, fix the permissions in place.
Shell workaround: From a root shell, run:
`chown -Rh 0:0 /opt/chefdk`
Chef recipe: Include the following sample recipe in your base system configuration:
```ruby
execute 'fix_chefdk_uid' do
  command 'chown -Rh 0:0 /opt/chefdk'
  # Guard must be a block (evaluated at converge time); a bare boolean is not a valid not_if argument.
  not_if { File.stat('/opt/chefdk/bin').uid == 0 }
end
```
chef-container: AFFECTED: all releases from 11.12.8
Remediate the issue by either a) correcting file ownerships in-place via Dockerfile RUN command or Chef recipe, or b) by rebuilding your Docker image to update to the patched Chef Container release:
```ruby
execute 'fix_chef_uid' do
  command 'chown -Rh 0:0 /opt/chef'
  # Guard must be a block (evaluated at converge time); a bare boolean is not a valid not_if argument.
  not_if { File.stat('/opt/chef/bin').uid == 0 }
end
```
push-jobs-client: AFFECTED: all releases from 1.0.1 through 1.1.3
Remediate the issue by upgrading to the latest release. Use your package management framework to update to the version below, or any subsequent release:
opscode-push-jobs-client 1.1.4 https://www.chef.io/downloads
If you’re unable to upgrade the package, fix the permissions in place.
Shell workaround: From a root shell, run:
`chown -Rh 0:0 /opt/opscode-push-jobs-client`
Chef recipe: Include the following sample recipe in your base system configuration:
```ruby
execute 'fix_push_jobs_client_uid' do
  command 'chown -Rh 0:0 /opt/opscode-push-jobs-client'
  # Guard must be a block (evaluated at converge time); a bare boolean is not a valid not_if argument.
  not_if { File.stat('/opt/opscode-push-jobs-client/bin').uid == 0 }
end
```
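Before applying the blanket `chown -Rh 0:0` workaround above, an administrator will usually want to know which entries in each install root are actually mis-owned. The following audit script is an added example, not part of the Chef advisory; it assumes a `find` that understands `-uid` (GNU or BSD), checks all three install roots named on this page, and guards the fix the same way the recipes' `not_if` does.

```shell
#!/bin/sh
# Added example (not from the Chef advisory): audit the Omnibus install roots
# for entries whose owner is not root, and apply the advisory's chown only
# where a mismatch exists. find runs without -L, so a symlink is judged by
# its own owner, which matches the -h flag in the advisory's chown command.

# Install roots named in the advisory; audit_all accepts others as arguments.
CHEF_INSTALL_DIRS="/opt/chef /opt/chefdk /opt/opscode-push-jobs-client"

# list_foreign_owned DIR [EXPECTED_UID]
# Prints every entry under DIR not owned by EXPECTED_UID (default 0).
# A DIR that is not present prints nothing (product not installed here).
list_foreign_owned() {
    dir=$1
    expect=${2:-0}
    [ -d "$dir" ] || return 0
    find "$dir" ! -uid "$expect" -print
}

# count_foreign_owned DIR [EXPECTED_UID]
# Prints the number of mismatched entries under DIR (0 for a clean tree).
count_foreign_owned() {
    list_foreign_owned "$1" "${2:-0}" | wc -l | tr -d ' '
}

# fix_dir DIR: run the advisory's workaround only when the tree needs it.
# DRY_RUN=1 prints the command instead of running it (review as non-root).
fix_dir() {
    dir=$1
    n=$(count_foreign_owned "$dir" 0)
    if [ "$n" -eq 0 ]; then
        echo "$dir: already root-owned, nothing to do"
        return 0
    fi
    echo "$dir: $n entries not owned by root"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: chown -Rh 0:0 $dir"
    else
        chown -Rh 0:0 "$dir"
    fi
}

# audit_all [DIR...]: report each install root; status 1 if any is mis-owned.
audit_all() {
    [ $# -gt 0 ] || set -- $CHEF_INSTALL_DIRS
    rc=0
    for d in "$@"; do
        n=$(count_foreign_owned "$d" 0)
        if [ "$n" -gt 0 ]; then
            echo "$d: $n entries not owned by root"
            list_foreign_owned "$d" 0
            rc=1
        fi
    done
    return $rc
}
```

Run `audit_all` first to see the affected paths, then `DRY_RUN=1 fix_dir /opt/chef` to confirm what would be changed before running it for real as root.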
The post-build test suite will now include ownership and mode tests to prevent a future regression.
Credit
We’d like to extend our gratitude to Jacob Vosmaer and the team at GitLab for practicing responsible disclosure.