Today we are announcing security releases of all supported versions of the Chef Client, ChefDK, Chef Container and the Push Jobs client. These releases address package ownership issues on Debian-based platforms.
Platforms
- Ubuntu Linux
- Debian Linux
Description
Chef products installed from Debian-style .deb packages created files under /opt/<install_dir> with ownership by UID 999 or other UIDs instead of UID 0 (root). An unprivileged user with the matching UID would be able to change file contents to execute arbitrary commands as the user running the Chef product. Please see the accompanying blog post for more details on the underlying Omnibus installer issue.
We recommend remediation of chef-client before addressing the potential server-side or add-on issues. See also: Chef Server and Premium Feature Security Releases.
Affected Products and Remediation Steps
Chef Client
chef-client 10: AFFECTED: all releases from chef_10.28.0 through chef_10.34.2
chef-client 11: AFFECTED: all releases from chef_11.6.0.rc.0 through chef_11.16.0
Remediate the issue by upgrading to the latest release. For Chef 11, use the omnibus installer, e.g., `curl -L https://www.opscode.com/chef/install.sh | sudo bash`,
or use your package management framework to update to the versions below, or any subsequent release:
- chef_10.34.4 for chef-client 10: https://downloads.chef.io/
- chef_11.16.2 for chef-client 11: https://downloads.chef.io/
If you’re unable to upgrade the package, fix the permissions in place.
Shell workaround: From a root shell, run:
`chown -Rh 0:0 /opt/chef`
Chef recipe: Include the following sample recipe in your base system configuration:
```ruby
execute 'fix_chef_uid' do
  command 'chown -Rh 0:0 /opt/chef'
  # Guard is a block (evaluated at converge time); the resource runs only
  # while the install tree is still owned by a non-root UID.
  not_if { File.stat('/opt/chef/bin').uid == 0 }
end
```
ChefDK
chefdk: AFFECTED: all releases through 0.2.0
Remediate the issue by upgrading to the latest release. Use your package management framework to update to the version below, or any subsequent release:
chefdk 0.2.2 https://downloads.chef.io/tools/infra
If you’re unable to upgrade the package, fix the permissions in place.
Shell workaround: From a root shell, run:
`chown -Rh 0:0 /opt/chefdk`
Chef recipe: Include the following sample recipe in your base system configuration:
```ruby
execute 'fix_chefdk_uid' do
  command 'chown -Rh 0:0 /opt/chefdk'
  # Guard is a block (evaluated at converge time); the resource runs only
  # while the install tree is still owned by a non-root UID.
  not_if { File.stat('/opt/chefdk/bin').uid == 0 }
end
```
Chef Container
chef-container: AFFECTED: all releases from 11.12.8
Remediate the issue by either a) correcting file ownership in place via a Dockerfile RUN command or a Chef recipe, or b) rebuilding your Docker image to pick up the patched Chef Container release:
- a) In your Dockerfile, put the following line directly after your FROM line:
  `RUN chown -Rh 0:0 /opt/chef`
  or use a simple Chef recipe as part of every system’s base configuration, e.g.:
```ruby
execute 'fix_chef_uid' do
  command 'chown -Rh 0:0 /opt/chef'
  # Guard is a block (evaluated at converge time); the resource runs only
  # while the install tree is still owned by a non-root UID.
  not_if { File.stat('/opt/chef/bin').uid == 0 }
end
```
- b) When you initialized your Docker context with `knife container docker init`, you provided one or two values. The first value was the name of the image; in the commands below, this value is referred to as `YOUR_IMAGE_NAME`. In the example `knife container docker init myorg/myapp`, `YOUR_IMAGE_NAME` would be `myorg/myapp`. The second value was the base image specified with the `-f` flag; if you did not specify this value, then you used the default of `chef/ubuntu-12.04:latest`. In the commands below, this value is referred to as `BASE_IMAGE_NAME`. To rebuild your Docker image with the patched version of the Chef Container package, run these three commands for each impacted image:
  - `docker pull BASE_IMAGE_NAME`
  - `docker tag BASE_IMAGE_NAME YOUR_IMAGE_NAME`
  - `knife container docker build YOUR_IMAGE_NAME`
Push Jobs Client (Enterprise Chef or Private Chef only)
push-jobs-client: AFFECTED: all releases from 1.0.1 through 1.1.3
Remediate the issue by upgrading to the latest release. Use your package management framework to update to the version below, or any subsequent release:
opscode-push-jobs-client 1.1.4 https://downloads.chef.io/tools/push-jobs-client
If you’re unable to upgrade the package, fix the permissions in place.
Shell workaround: From a root shell, run:
`chown -Rh 0:0 /opt/opscode-push-jobs-client`
Chef recipe: Include the following sample recipe in your base system configuration:
```ruby
execute 'fix_push_jobs_client_uid' do
  command 'chown -Rh 0:0 /opt/opscode-push-jobs-client'
  # Guard is a block (evaluated at converge time); the resource runs only
  # while the install tree is still owned by a non-root UID.
  not_if { File.stat('/opt/opscode-push-jobs-client/bin').uid == 0 }
end
```
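The recipe guards above only inspect the `bin` directory's owner, so a tree with stray non-root files elsewhere would pass them. The following audit script, an added example that is not Chef's own tooling, walks every entry under the three install prefixes named in this advisory (Chef Client, ChefDK and the Push Jobs client), reports anything not owned by UID 0, and applies the advisory's `chown -Rh 0:0` remediation when run as root with `--fix`; the function and variable names are this example's own.

```sh
#!/bin/sh
# Audit Chef omnibus install trees for entries not owned by UID 0 (root),
# the condition these releases fix, and optionally repair them.
# Added example for this advisory; not part of any Chef package.

# Install prefixes named in the advisory (word-split on purpose below).
CHEF_INSTALL_DIRS="/opt/chef /opt/chefdk /opt/opscode-push-jobs-client"

# count_not_owned_by DIR UID: number of entries under DIR (DIR itself
# included; symlinks counted as themselves, since find uses lstat) whose
# owner is not UID. Missing DIR counts as 0.
count_not_owned_by() {
  [ -e "$1" ] || { echo 0; return 0; }
  find "$1" ! -uid "$2" -print | wc -l | tr -d ' '
}

# audit_dirs UID DIR...: list offending entries; returns 0 only if none.
audit_dirs() {
  want_uid=$1; shift
  bad=0
  for dir in "$@"; do
    [ -e "$dir" ] || continue
    n=$(count_not_owned_by "$dir" "$want_uid")
    if [ "$n" -gt 0 ]; then
      echo "$dir: $n entries not owned by uid $want_uid:"
      # -ls shows owner and mode per entry, so the leaked UID is visible
      find "$dir" ! -uid "$want_uid" -ls
      bad=1
    fi
  done
  return "$bad"
}

# fix_dirs DIR...: the advisory's remediation; -h changes symlinks
# themselves instead of following them. Requires root.
fix_dirs() {
  [ "$(id -u)" -eq 0 ] || { echo "fix_dirs: must run as root" >&2; return 2; }
  for dir in "$@"; do
    if [ -e "$dir" ]; then chown -Rh 0:0 "$dir"; fi
  done
}

# Usage: ./chef_owner_audit.sh          (report only)
#        sudo ./chef_owner_audit.sh --fix
if [ "${1:-}" = "--fix" ]; then
  fix_dirs $CHEF_INSTALL_DIRS
else
  audit_dirs 0 $CHEF_INSTALL_DIRS && echo "all Chef install trees are root-owned"
fi
```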
Discussion
The post-build test suite will now include ownership and mode tests to prevent a future regression.
Credit
We’d like to extend our gratitude to Jacob Vosmaer and the team at GitLab for practicing responsible disclosure.