We are pleased to announce two new patch releases for CFEngine, version 3.12.6 and 3.15.3! These releases mainly contain bug fixes and dependency updates, but in 3.15.3 there are also some new enhancements in Mission Portal. The new cf-secret binary is also included in 3.15.3 packages.
New in Mission Portal 3.15.3 Synchronizing roles between Mission Portal and Active Directory When using LDAP for authentication, Mission Portal can now automatically grant roles based on the tags received from your LDAP server (for example Active Directory). This means that new users can start using Mission Portal immediately, without having to wait for an administrator to grant the appropriate roles manually. Enable this in Mission Portal Authentication Settings:
It’s no secret that COVID-19 is negatively impacting businesses of all sizes in a number of ways. Some more obvious than others. Unless you are in IT, you’re probably not thinking of how COVID-19 can affect the infrastructure security of your organization, but the truth is that as businesses make the tough decision to layoff employees in order to stay in business, basic security hygiene can easily be overlooked. Even organizations that are fortunate enough to not have to make cuts are still impacted in the form of needing access to specialized tools that allow IT & Security teams to enforce infrastructure changes remotely, efficiently, and at scale. If you’re looking to implement a configuration management tool to improve infrastructure security, such as CFEngine, it can be a little overwhelming to understand what types of questions to ask and criteria to consider. To help you brainstorm and prioritize, I’d like to cover what I believe are the top 3 most important criteria to consider during your evaluation.
Today we announce the newest additions to CFEngine. CFEngine 3.16 brings several improvements, bug fixes, and new features. The theme for this release has been compliance, and it notably includes a new category of reports for proving compliance to regulation and other compliance frameworks in high level, easy to read reports. If you are interested to learn more about CFEngine, schedule training, or hear about pricing options, feel free to reach out to us!
Blazing the trail CFEngine was the first Configuration Management solution on the market, and while we have made many and significant changes and improvements to CFEngine in that time, we stay true to the principles that make it such a great product and technology. There are many things that have changed in the market, not at least the competitive situation, we believe that fundamentally many of the challenges stay the same. It then follows that good architecture should not be sacrificed for short term hype. In this short blog post, I will go over a few of the items that lead to CFEngine’s excellence, longevity in the market, and current strong position.
Contributor and CFEngine Champion, Jon Henrik Bjørnstad, developed a tool for encrypting files using CFEngine host keys, called cf-keycrypt. Thank you to Jon Henrik and all of our contributors for helping improve the CFEngine project. Our developer, Vratislav Podzimek, recently took some time to review the cf-keycrypt code, and made many improvements and fixes. The most notable changes were:
Switched to hybrid encryption (payload is encrypted with randomly generated AES key, AES key is encrypted with RSA key). Added file format, with HTTP-like headers for metadata Files can be encrypted for multiple hosts (host keys) Name changed to cf-secret cf-secret is now merged and will be a part of the upcoming 3.16 release.
A vulnerability was recently discovered in CFEngine Mission Portal and has now been fixed. Under certain circumstances, it was possible to inject JavaScript code into data presented in Mission Portal, that would be run in the user’s browser. This security issue was fixed in CFEngine 3.10.7, 3.12.3, and 3.15.0, and will be mitigated by upgrading your hub to one of these versions (or later). No other action is required than upgrading the Hub. This issue is present in CFEngine Enterprise 3.7 versions, 3.10.0 through 3.10.6, as well as 3.12.0, 3.12.1, and 3.12.2. All customers have been notified prior to this announcement and had time to address the issue. Any community users who use CFEngine Enterprise Free 25 should upgrade immediately. Open source versions of CFEngine (CFEngine Community) are not affected, as they do not include the Mission Portal Web UI. The security of the CFEngine product and our users is something we take very seriously, and we will continue to look for, fix and responsibly disclose serious weaknesses in our product(s). This issue has been registered as CVE-2019-19394 in the official public CVE registry. If you have any questions or concerns please contact CFEngine support if you have a support contract or email security@cfengine.com
CFEngine 2 network communication is insecure by today’s standards.
CFEngine 2 CVE-2016-6329: CFEngine 2 uses Blowfish cipher (1993) which today is considered: Weak Deprecated Subject to key recovery attack No security fixes since 2008. Protocol communications not encrypted; only data transfer (which facilitates attack). Encryption is off by default. CFEngine 3 All communication is encrypted Uses TLS 1.3 (current state of the art) Up to date, maintained, secure from the software vendor Full Enterprise support, with SLA. Solution CFEngine 3 was intentionally designed so that you can install it side by side with 2, so you have time to migrate your policies from 2 to 3.
Recently a security flaw, CVE-2019-1552, has been discovered in OpenSSL. This vulnerability affects the Windows Enterprise agent packages. To mitigate this security vulnerability we have rebuilt CFEngine with the fix to this issue. These packages have been re-released with the version number CFEngine 3.12.2-4. As always, you can download CFEngine Enterprise packages from the download page, Note that only the affected packages have been re-released. CFEngine Community wasn’t affected at all, due to lack of affected feature, Upgrade today, and make your automation even more secure!
On [2019-07-29 Mon] we released new builds of our Enterprise Hub packages for 3.12.2 and 3.14.0. This release addresses CVE-2019-10164.
PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user’s own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL operating system account.
CFEngine Enterprise LTS versions 3.12.0, 3.12.1, 3.12.2-1, 3.12.2-2, and non-LTS version 3.14.0 vendor PostgreSQL versions affected by this vulnerability. In the default configuration as access to root or cfpostgres local users must be achieved first.
Description The CFEngine engineering team has recently discovered a severe security issue in the CFEngine Enterprise product. CFEngine is using some internal secrets for authentication to the Mission Portal API and the PostgreSQL database when running background maintenance tasks. These internal secrets are randomly generated during the installation process and stored in files which only the root user has access to. Unfortunately, the commands that generate and store the secrets were being logged to the /var/log/CFEngineHub-Install.log installation log which was world-readable and thus accessible for any user logged in to the system (on the hub machine). Please note that this only affects the hub hosts, agent hosts don’t generate and use such internal secrets.
