Chef Analytics 1.1.1 security release
// Chef Blog
We shipped Analytics 1.1.0 with a development configuration setting enabled that disabled authentication on the endpoints used to create and modify rules and notification aliases. This meant that rules and aliases could be created or modified without being logged in as a valid Chef user.
We have released version 1.1.1 of Chef Analytics, available now on the Chef Analytics download page, to resolve this issue.
Does this vulnerability affect my installation?
This vulnerability only affects Chef Analytics 1.1.0. Chef Analytics 1.0.x versions are not affected.
If the file /opt/opscode-analytics/embedded/service/notifier_config/sys.config contains the following offending entry, then your Analytics installation is vulnerable.
To manually examine all your rules and aliases in the Analytics database (Postgres):

$ su - chef-pgsql
$ psql notifier_config
psql (9.2.9)
Type "help" for help.
notifier_config=# \x
notifier_config=# select * from rules;
-- Check the content of each rule. A malicious entry may appear with an empty modified_by column.
notifier_config=# select * from aliases;
-- A malicious entry could route notifications to a different host.
-- A malicious entry may appear with an empty modified_by column.
-- Ensure that all values for each row are correct.
If you find an entry that you believe is malicious, you can delete it directly from the database. Note the table (either rules or aliases) and the ID field for the row in the database. Here is an example of deleting a rule:
notifier_config=# select * from rules;
-[ RECORD 1 ]-------------------------------------
id          | 3393ee14-8c66-4ed9-ac19-d1cbedf89fcb
name        | New Rule Group 1
org_name    | ponyville
modified_by | applejack
modified_at | 2015-01-26 23:23:17+00
rule        | rules 'New Rule Group 1'
            |   rule on action
            |     when
            |       true
            |     then
            |       noop()
            |     end
            |   end
priority    | 0
active      | t
notifier_config=# delete from rules where id = '3393ee14-8c66-4ed9-ac19-d1cbedf89fcb';
DELETE 1
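The manual psql review above scales poorly once an organisation has more than a handful of rules and aliases. The script below is an added example, not code from Chef or the Chef Analytics project: it replays the same review against an in-memory SQLite stand-in for the rules and aliases tables so the checks can be tried offline, flags rows with an empty modified_by (the advisory's indicator), adds two checks of its own (aliases whose target host is not on an allowlist, and rules modified since 1.1.0 went into service), and renders the DELETE statements for an operator to review before pasting them into psql. Assumptions not taken from the advisory: the aliases table is modelled with an assumed `target` column holding the notification destination host, column types are simplified to TEXT/INTEGER, EXPECTED_HOSTS is an operator-supplied allowlist, and every row is constructed sample data (the first rule mirrors the RECORD 1 output shown above).

```python
"""Triage the Chef Analytics notifier_config tables after the 1.1.0 exposure.

Added example, not code from Chef or the Chef Analytics project. The aliases
schema, the `target` column, EXPECTED_HOSTS and all rows below are assumed or
constructed for illustration; the real tables are queried through psql.
"""
import sqlite3
import uuid

# Assumed allowlist: hosts that notification aliases are allowed to point at.
EXPECTED_HOSTS = {"alerts.example.com", "hipchat.example.com"}

RULE_BODY = ("rules 'New Rule Group 1'\n  rule on action\n    when\n      true\n"
             "    then\n      noop()\n    end\n  end")

# Constructed rows: (id, name, org_name, modified_by, modified_at, rule, priority, active).
SAMPLE_RULES = [
    ("3393ee14-8c66-4ed9-ac19-d1cbedf89fcb", "New Rule Group 1", "ponyville",
     "applejack", "2015-01-26 23:23:17+00", RULE_BODY, 0, 1),
    # Written through the unauthenticated endpoint: no modified_by recorded.
    ("8f0e2c1a-5d4b-4a39-9c28-1b0a9f8e7d6c", "New Rule Group 2", "ponyville",
     "", "2015-01-27 02:11:05+00", RULE_BODY.replace("Group 1", "Group 2"), 0, 1),
]
# Constructed rows: (id, name, org_name, modified_by, modified_at, target).
SAMPLE_ALIASES = [
    ("7c6e3b2f-1a2b-4c3d-8e4f-5a6b7c8d9e0f", "ops", "ponyville",
     "applejack", "2015-01-20 10:00:00+00", "alerts.example.com"),
    # Re-pointed at an outside host, again with an empty modified_by.
    ("9d8f1a0b-2c3d-4e5f-8a6b-7c8d9e0f1a2b", "pager", "ponyville",
     None, "2015-01-27 02:10:59+00", "attacker.example.net"),
]


def load_sample_db():
    """Build the in-memory stand-in for the notifier_config database."""
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.executescript("""
        create table rules (id text primary key, name text, org_name text,
            modified_by text, modified_at text, rule text,
            priority integer, active integer);
        create table aliases (id text primary key, name text, org_name text,
            modified_by text, modified_at text, target text);
    """)
    con.executemany("insert into rules values (?,?,?,?,?,?,?,?)", SAMPLE_RULES)
    con.executemany("insert into aliases values (?,?,?,?,?,?)", SAMPLE_ALIASES)
    return con


def suspect_rules(con, since=None):
    """Rules to review: empty modified_by (the advisory's indicator) or, as an
    extra check added here, anything modified at or after `since`, the time
    1.1.0 went into service. Timestamps are compared as strings, which is only
    safe while they all share the "YYYY-MM-DD HH:MM:SS+00" form seen above."""
    rows = [dict(r) for r in con.execute("select * from rules")]
    return [r for r in rows
            if not r["modified_by"] or (since is not None and r["modified_at"] >= since)]


def suspect_aliases(con, expected_hosts=EXPECTED_HOSTS):
    """Aliases to review: empty modified_by, or a target outside the allowlist."""
    rows = [dict(r) for r in con.execute("select * from aliases")]
    return [r for r in rows
            if not r["modified_by"] or r["target"] not in expected_hosts]


def delete_statements(rule_rows, alias_rows):
    """Render the psql DELETE statements for an operator to review and paste.
    Each id is re-validated as a canonical UUID before it is interpolated, so a
    row whose id is not a UUID cannot smuggle SQL into the generated text."""
    stmts = []
    for table, rows in (("rules", rule_rows), ("aliases", alias_rows)):
        for r in rows:
            if str(uuid.UUID(r["id"])) != r["id"]:
                raise ValueError(f"non-canonical id in {table}: {r['id']!r}")
            stmts.append(f"delete from {table} where id = '{r['id']}';")
    return stmts


if __name__ == "__main__":
    db = load_sample_db()
    bad_rules = suspect_rules(db, since="2015-01-27 00:00:00+00")
    bad_aliases = suspect_aliases(db)
    for row in bad_rules + bad_aliases:
        print("review:", row["id"], row["name"], "modified_by=", row["modified_by"])
    print("\n".join(delete_statements(bad_rules, bad_aliases)))
```

Against the real database, the two SELECTs translate directly to psql (`select * from rules where modified_by is null or modified_by = '';` and the same over aliases); the allowlist and the `since` window are the checks worth adding, because the advisory only says a malicious entry "may" lack modified_by, so an attacker who supplied that field would otherwise pass the review.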
The simplest resolution is to upgrade to 1.1.1. The only change in that release is the fix for this issue.
If you cannot upgrade, the issue can be resolved by modifying the file /etc/opscode-analytics/opscode-analytics.rb and setting:

notifier_config['accept_insecure'] = false
Once this change has been made, Chef Analytics needs to be reconfigured via:
If you have any questions or need help during the process, please contact the Chef support team.
The Chef Analytics team