After reviewing the vulnerabilities described in these security advisories, the team at Chef has determined that Chef products are not at immediate risk from the OpenSSL vulnerabilities disclosed today.
Recommendation to users
Because OpenSSL 1.0.2 is the only version of OpenSSL vulnerable to the issue described in CVE-2015-0291, and Chef products do not include OpenSSL 1.0.2, Chef users do not need to take immediate action in response to this disclosure.
Further analysis
OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
There are no Chef products that include OpenSSL 1.0.2. As a result, Chef products are not affected by the vulnerability disclosed in the high severity bulletin CVE-2015-0291 (OpenSSL 1.0.2 ClientHello sigalgs DoS).
“FREAK,” RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
No Chef products are configured to support export ciphers. As a result, Chef products are not affected by the vulnerability disclosed in the high severity bulletin CVE-2015-0204 (RSA silently downgrades to EXPORT_RSA [Client]).
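The two findings above rest on checks a user can repeat on their own hosts: which OpenSSL line a Chef package embeds (CVE-2015-0291 affects only the 1.0.2 release; 1.0.2a carries the fix), and whether the cipher string a TLS front-end is configured with expands to any export-grade suites (the precondition for the EXPORT_RSA downgrade in CVE-2015-0204). The following POSIX shell script is an added example, not Chef's own tooling. It assumes the omnibus layout /opt/chef/embedded/bin/openssl (override with OPENSSL_BIN) and uses a placeholder cipher string HIGH:!aNULL:!MD5 standing in for whatever your front-end actually configures (override with CIPHER_STRING).

```shell
#!/bin/sh
# Added verification script (not part of Chef's products). Assumed paths and
# values are marked; adjust them for your installation.

# Assumption: Chef packages ship OpenSSL under the omnibus tree.
OPENSSL_BIN="${OPENSSL_BIN:-/opt/chef/embedded/bin/openssl}"
# Placeholder: the cipher string your TLS front-end is configured with.
CIPHER_STRING="${CIPHER_STRING:-HIGH:!aNULL:!MD5}"

# Classify an "openssl version" banner such as "OpenSSL 1.0.2 22 Jan 2015".
# Only the plain 1.0.2 release is hit by CVE-2015-0291; 1.0.2a and later
# carry the fix; 1.0.1 and older lines are out of scope for that CVE.
classify_version() {
  ver=$(printf '%s\n' "$1" | awk '{print $2}')
  case "$ver" in
    1.0.2)       echo affected ;;
    1.0.2[a-z]*) echo fixed ;;
    *)           echo not-affected ;;
  esac
}

# Classify the OpenSSL binary at OPENSSL_BIN on this host.
installed_status() {
  [ -x "$OPENSSL_BIN" ] || { echo "no openssl at $OPENSSL_BIN" >&2; return 2; }
  classify_version "$("$OPENSSL_BIN" version)"
}

# Expand a cipher string with openssl's own cipher list and count the
# export-grade suites in it (names start with EXP-, "-v" output ends in
# "export"). A count of 0 means a server using this string cannot be
# negotiated down to EXPORT_RSA, so CVE-2015-0204 does not apply to it.
count_export_suites() {
  list=$("$OPENSSL_BIN" ciphers -v "$1" 2>/dev/null) \
    || { echo "invalid cipher string: $1" >&2; return 2; }
  printf '%s\n' "$list" | grep -c -E '^EXP-| export$' || true
}

# Report for this host; skipped quietly when the assumed path is absent.
if [ -x "$OPENSSL_BIN" ]; then
  printf 'CVE-2015-0291: embedded OpenSSL is %s\n' "$(installed_status)"
  printf 'CVE-2015-0204: %s export suite(s) in "%s"\n' \
    "$(count_export_suites "$CIPHER_STRING")" "$CIPHER_STRING"
fi
```

Run it on each node with `OPENSSL_BIN` pointing at the binary the product actually links, not the system one, since an omnibus package carries its own copy. Note that on OpenSSL builds where export suites are compiled out, the count is 0 for every string, which is the desired state.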
Chef Response Plan
Although there is no immediate danger, Chef will still release new versions of several products, starting today, that include updated versions of OpenSSL. Users can update to these on their own schedule and are not required to upgrade to protect against CVE-2015-0291.
Chef users do not need to take any immediate action in response to the newly published OpenSSL high severity security advisory. Chef products are not vulnerable to CVE-2015-0291 or CVE-2015-0204. Chef will include the newly released OpenSSL patches in future releases on the previously planned product release schedule.