Today we announce the newest additions to CFEngine. CFEngine 3.16 brings several improvements, bug fixes, and new features. The theme for this release has been compliance, and it notably includes a new category of reports for proving compliance to regulation and other compliance frameworks in high level, easy to read reports. If you are interested to learn more about CFEngine, schedule training, or hear about pricing options, feel free to reach out to us!
Blazing the trail CFEngine was the first Configuration Management solution on the market, and while we have made many and significant changes and improvements to CFEngine in that time, we stay true to the principles that make it such a great product and technology. There are many things that have changed in the market, not at least the competitive situation, we believe that fundamentally many of the challenges stay the same. It then follows that good architecture should not be sacrificed for short term hype. In this short blog post, I will go over a few of the items that lead to CFEngine’s excellence, longevity in the market, and current strong position.
Contributor and CFEngine Champion, Jon Henrik Bjørnstad, developed a tool for encrypting files using CFEngine host keys, called cf-keycrypt. Thank you to Jon Henrik and all of our contributors for helping improve the CFEngine project. Our developer, Vratislav Podzimek, recently took some time to review the cf-keycrypt code, and made many improvements and fixes. The most notable changes were:
Switched to hybrid encryption (payload is encrypted with randomly generated AES key, AES key is encrypted with RSA key). Added file format, with HTTP-like headers for metadata Files can be encrypted for multiple hosts (host keys) Name changed to cf-secret cf-secret is now merged and will be a part of the upcoming 3.16 release.
A vulnerability was recently discovered in CFEngine Mission Portal and has now been fixed. Under certain circumstances, it was possible to inject JavaScript code into data presented in Mission Portal, that would be run in the user’s browser. This security issue was fixed in CFEngine 3.10.7, 3.12.3, and 3.15.0, and will be mitigated by upgrading your hub to one of these versions (or later). No other action is required than upgrading the Hub. This issue is present in CFEngine Enterprise 3.7 versions, 3.10.0 through 3.10.6, as well as 3.12.0, 3.12.1, and 3.12.2. All customers have been notified prior to this announcement and had time to address the issue. Any community users who use CFEngine Enterprise Free 25 should upgrade immediately. Open source versions of CFEngine (CFEngine Community) are not affected, as they do not include the Mission Portal Web UI. The security of the CFEngine product and our users is something we take very seriously, and we will continue to look for, fix and responsibly disclose serious weaknesses in our product(s). This issue has been registered as CVE-2019-19394 in the official public CVE registry. If you have any questions or concerns please contact CFEngine support if you have a support contract or email security@cfengine.com
CFEngine 2 network communication is insecure by today’s standards.
CFEngine 2 CVE-2016-6329: CFEngine 2 uses Blowfish cipher (1993) which today is considered: Weak Deprecated Subject to key recovery attack No security fixes since 2008. Protocol communications not encrypted; only data transfer (which facilitates attack). Encryption is off by default. CFEngine 3 All communication is encrypted Uses TLS 1.3 (current state of the art) Up to date, maintained, secure from the software vendor Full Enterprise support, with SLA. Solution CFEngine 3 was intentionally designed so that you can install it side by side with 2, so you have time to migrate your policies from 2 to 3.
Recently a security flaw, CVE-2019-1552, has been discovered in OpenSSL. This vulnerability affects the Windows Enterprise agent packages. To mitigate this security vulnerability we have rebuilt CFEngine with the fix to this issue. These packages have been re-released with the version number CFEngine 3.12.2-4. As always, you can download CFEngine Enterprise packages from the download page, Note that only the affected packages have been re-released. CFEngine Community wasn’t affected at all, due to lack of affected feature, Upgrade today, and make your automation even more secure!
On [2019-07-29 Mon] we released new builds of our Enterprise Hub packages for 3.12.2 and 3.14.0. This release addresses CVE-2019-10164.
PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user’s own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL operating system account.
CFEngine Enterprise LTS versions 3.12.0, 3.12.1, 3.12.2-1, 3.12.2-2, and non-LTS version 3.14.0 vendor PostgreSQL versions affected by this vulnerability. In the default configuration as access to root or cfpostgres local users must be achieved first.
Description The CFEngine engineering team has recently discovered a severe security issue in the CFEngine Enterprise product. CFEngine is using some internal secrets for authentication to the Mission Portal API and the PostgreSQL database when running background maintenance tasks. These internal secrets are randomly generated during the installation process and stored in files which only the root user has access to. Unfortunately, the commands that generate and store the secrets were being logged to the /var/log/CFEngineHub-Install.log installation log which was world-readable and thus accessible for any user logged in to the system (on the hub machine). Please note that this only affects the hub hosts, agent hosts don’t generate and use such internal secrets.
The CFEngine policy analyzer is an awesome new service introduced in CFEngine 3.13. The policy analyzer allows you to quickly debug policies and inspect what is going on under hood of CFEngine. A known challenge with CFEngine, and most DSL based automation tools, relates to understanding what is actually going on during live operations. Many users view it as “black-box magic”. Unfortunately, the amount of magic and the size of the black box increases with the level of automation. This is undesirable. Enter the policy analyzer.
Today’s approach to securing IT infrastructure is passé. In a dynamic world of unpredictable and often frequent infrastructure changes, the traditional approach to security falls short. It is no longer sufficient to just scan frequently for vulnerabilities and then try to interpret this data in real time without (human) error. Additionally, despite smart analytics, this approach to illuminating security issues and remediating them is extremely time consuming. How many organizations can really claim to have identified and fixed all vulnerabilities? None! Automation has brought agility and consistency to infrastructure and other workflow services now. Security can and should expect to see similar gains. In this blog we explore some of the reasons that make organizations vulnerable and provide guidance on how they can better counter and secure their infrastructure and applications.
