Enterprise Chef Server 11.1.6 is a security release that includes an updated version of OpenSSL that patches CVE-2014-0224. All installs of Enterprise Chef should be upgraded immediately. This bug permits an attacker positioned between a client and the server to execute an undetectable man-in-the-middle (MITM) attack on an otherwise secure connection. As a result, the attacker could read or alter any traffic between the client and the server, including secret data such as usernames, passwords, node data, data bags, etc. The severity of this vulnerability cannot be overstated. Please follow the upgrade instructions below carefully to ensure that your Enterprise Chef install is fully patched.
## Upgrade Instructions
### Download
Contact your sales representative for a link to download the patched Enterprise Chef.
### Upgrade
Follow the upgrade instructions on the Chef Documentation site:
* Standalone Installs
* HA Installs

**WARNING** – take special care to note the known issues with HA upgrades!
### Remediate
* **Change Secrets** – as an extra precaution, you may want to change any secrets (such as usernames, passwords, and encrypted data bags) that may have been sent between the client and the server while the vulnerable version was in use. An attacker executing this attack would have been able to see this data in plaintext. If you need help with any of these steps, please contact support.

---
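To confirm that an install actually carries the fixed OpenSSL after the upgrade, the following added example (not part of the original announcement or of Chef's own tooling) checks an `openssl version` banner against the fixed releases named in the OpenSSL advisory (0.9.8za, 1.0.0m, 1.0.1h). The embedded binary path `/opt/opscode/embedded/bin/openssl` is assumed for omnibus installs and can be overridden.

```shell
#!/bin/sh
# Added example: is this OpenSSL build at or past the June 2014 fixes
# (CVE-2014-0224 and the other issues in secadv_20140605)?
# Fixed releases per the advisory: 0.9.8za, 1.0.0m, 1.0.1h.

# openssl_is_patched "OpenSSL 1.0.1g 7 Apr 2014"
#   exit 0 = patched, 1 = vulnerable, 2 = not an OpenSSL banner
openssl_is_patched() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9.]*[a-z]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    base=$(printf '%s' "$ver" | sed 's/[a-z]*$//')     # e.g. 1.0.1
    letters=$(printf '%s' "$ver" | sed 's/^[0-9.]*//') # e.g. h, za
    case "$base" in
        0.9.8) min=za ;;
        1.0.0) min=m ;;
        1.0.1) min=h ;;
        0.*)   return 1 ;;  # older, unsupported branches: treat as unpatched
        *)     return 0 ;;  # assumption: branches after 1.0.1 postdate the fix
    esac
    # Lexicographic order is enough here: g < h < i, and for the 0.9.8
    # series y < z < za < zb. An empty suffix (e.g. plain 1.0.1) sorts first.
    lowest=$(printf '%s\n%s\n' "$min" "$letters" | LC_ALL=C sort | head -n1)
    [ "$lowest" = "$min" ] && [ -n "$letters" ]
}

# Check the OpenSSL bundled with Enterprise Chef. The default path is an
# assumption for omnibus installs under /opt/opscode; pass another binary
# (e.g. the client's embedded openssl) as the first argument.
check_chef_openssl() {
    bin=${1:-/opt/opscode/embedded/bin/openssl}
    [ -x "$bin" ] || { echo "openssl not found at $bin" >&2; return 2; }
    banner=$("$bin" version)
    if openssl_is_patched "$banner"; then
        echo "PATCHED: $banner"
    else
        echo "VULNERABLE: $banner (upgrade to Enterprise Chef 11.1.6)"
        return 1
    fi
}
```

This is a version-string check only: vendor builds that backport the fix without bumping the letter (some distribution packages do this) will be reported as vulnerable, so trust it for the omnibus-embedded OpenSSL rather than for system packages.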
## Release Notes
### Security Fixes:
The following items are the set of security fixes that have been applied since Enterprise Chef 11.1.4:
* Address vulnerabilities CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-3470 https://www.openssl.org/news/secadv_20140605.txt
### What’s New:
The following items are new for Enterprise Chef 11.1.4 and/or are changes from previous versions:
* [oc_erchef] First release with full compatibility for Chef Actions service