Monday, January 26, 2015

Chef Analytics 1.1.1 security release
// Chef Blog


We shipped Analytics 1.1.0 with a development configuration setting enabled that disabled authentication on the endpoints used to create and modify rules and notification aliases. This meant that rules could be created or modified without having to be logged in as a valid chef user.

We have released version 1.1.1 of Chef Analytics, which resolves this issue; it is available now on the Chef Analytics download page.

Does this vulnerability affect my installation?

This vulnerability only affects Chef Analytics 1.1.0. Chef Analytics 1.0.x versions are not affected.

If the file /opt/opscode-analytics/embedded/service/notifier_config/sys.config contains the following offending entry, then your Analytics installation is vulnerable.

  {accept_insecure, true}

Verifying integrity

To manually examine all your rules and aliases in the Analytics database (Postgres):

  $ su - chef-pgsql
  $ psql notifier_config
  psql (9.2.9)
  Type "help" for help.

  notifier_config=# \x
  notifier_config=# select * from rules;
  -- Ensure the content of each rule. A malicious entry may appear with an empty
  -- modified_by column.

  notifier_config=# select * from aliases;
  -- A malicious entry could route notifications to a different host.
  -- A malicious entry may appear with an empty modified_by column.
  -- Ensure that all values for each row are correct.

If you find an entry that you believe is malicious, you can delete it directly from the database. Note the table (either rules or aliases) and the ID field for the row in the database. Here is an example of deleting a rule:

  notifier_config=# select * from rules;
  -[ RECORD 1 ]-------------------------------------
  id          | 3393ee14-8c66-4ed9-ac19-d1cbedf89fcb
  name        | New Rule Group 1
  org_name    | ponyville
  modified_by | applejack
  modified_at | 2015-01-26 23:23:17+00
  rule        | rules 'New Rule Group 1'
              |   rule on action
              |   when
              |     true
              |   then
              |     noop()
              |   end
              | end
  priority    | 0
  active      | t
  notifier_config=# delete from rules where id = '3393ee14-8c66-4ed9-ac19-d1cbedf89fcb';
  DELETE 1
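As an added example (not part of the advisory and not Chef's own tooling), the two checks above combined into one POSIX shell script: it tests the sys.config for the offending tuple and lists the ids of rules and aliases whose modified_by column is empty, so each can be inspected before any deletion. The file paths are the ones the advisory names; the function names and the ANALYTICS_CHECK_RUN variable are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Chef advisory. The paths below are the ones the
# advisory names; the function names and ANALYTICS_CHECK_RUN are constructed.

SYS_CONFIG="${SYS_CONFIG:-/opt/opscode-analytics/embedded/service/notifier_config/sys.config}"

# Return 0 if the notifier sys.config enables accept_insecure (the 1.1.0 defect),
# 1 if it does not, 2 if the file cannot be read. Whitespace inside the Erlang
# tuple is tolerated, so "{ accept_insecure , true }" is detected as well.
accept_insecure_enabled() {
    file="$1"
    [ -r "$file" ] || return 2
    grep -Eq '[{][[:space:]]*accept_insecure[[:space:]]*,[[:space:]]*true[[:space:]]*[}]' "$file"
}

# Print the ids of rows in "rules" or "aliases" whose modified_by is NULL or
# empty, the marker the advisory gives for entries created through the
# unauthenticated endpoints. Runs psql as chef-pgsql, as the manual procedure does.
suspicious_row_ids() {
    table="$1"
    case "$table" in
        rules|aliases) ;;
        *) echo "unknown table: $table" >&2; return 2 ;;
    esac
    su - chef-pgsql -c "psql -At notifier_config -c \"select id from $table where modified_by is null or modified_by = '';\""
}

# Run the full check when ANALYTICS_CHECK_RUN=1 (as root on the Analytics host).
if [ "${ANALYTICS_CHECK_RUN:-0}" = "1" ]; then
    if accept_insecure_enabled "$SYS_CONFIG"; then
        echo "VULNERABLE: accept_insecure is true in $SYS_CONFIG"
    else
        echo "OK: accept_insecure is not enabled in $SYS_CONFIG"
    fi
    for t in rules aliases; do
        echo "== $t rows with empty modified_by (inspect each before deleting) =="
        suspicious_row_ids "$t"
    done
fi
```

Rows the script lists are candidates for review, not proof of tampering: compare each against the rules and aliases your team actually created, then delete only confirmed entries by id as shown above.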


The simplest resolution is to upgrade to 1.1.1. The only change in that release is the fix for this issue.

If you cannot upgrade, the issue can be resolved by modifying the file /etc/opscode-analytics/opscode-analytics.rb, and setting the value of accept_insecure from true to false:

  notifier_config['accept_insecure'] = false

Once this change has been made, Chef Analytics needs to be reconfigured via:

  opscode-analytics-ctl reconfigure

If you have any questions or need help during the process, please contact the Chef support team.

The Chef Analytics team


