Wednesday, February 8, 2017

Security Release: Parse Server 2.3.1-1

Bitnami has released Parse Server version 2.3.1-1 for containers, installers and virtual machines to implement authentication when connecting to the Parse dashboard. If you deploy a new Bitnami Parse Server via a Bitnami Launchpad, your application will be up-to-date and secure. When deploying via a partner cloud marketplace, please ensure version 2.3.1-1 is selected.

If you are still using Bitnami Parse Server version 2.3.1-0 or earlier, you must take steps to secure your installation. This is important because unauthenticated users could connect to the server and extract data from it. Possible ways to secure your installation include:

    1. Preventing connections from the public Internet to port 80 on the Parse Server.
    2. Configuring authentication as described in our documentation.

Do you have questions about Bitnami or this security release? Please post to our community forum and we will be happy to help you.

Thursday, February 2, 2017

Security Release: Jenkins 2.44/2.32.2

[UPDATE 2017-02-03]

For new application deployments, Bitnami has released Jenkins 2.44 containers, and Jenkins 2.32.2 installers, virtual machines and cloud images that address these vulnerabilities. If you deploy Bitnami Jenkins via a Bitnami Launchpad, your application will be up-to-date and secure. If you deploy Bitnami Jenkins via one of our cloud partner marketplaces and it is not yet updated to version 2.32.2, you will need to upgrade your application using the documentation linked below.

----

The Jenkins project has just released a new version that fixes multiple security issues, including a fix for an XStream remote code execution vulnerability.

It is strongly suggested that you update your Jenkins application to the latest version. You can follow our documentation to learn how to upgrade your application. If you are using the Bitnami Jenkins container, please follow the documentation in our GitHub repository.


You can find more information about the Jenkins security issues in the Jenkins Security Advisory.



We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami. Our team is working to update all of the affected Jenkins packages available through Bitnami as quickly as possible.

If you have further questions about Bitnami Jenkins or this security issue, please post to our community forum, and we will be happy to help you.

Friday, January 27, 2017

Security Release: WordPress 4.7.2

WordPress has released a new version that fixes three security vulnerabilities.

It is strongly recommended that you update your WordPress application to the latest version, WordPress 4.7.2. You can follow our documentation to learn how to upgrade your application and ensure its security.

For new application deployments, Bitnami has released WordPress 4.7.2 containers, installers and virtual machines that address these vulnerabilities. If you deploy Bitnami WordPress via a Bitnami Launchpad, your application will be up-to-date and secure. If you deploy Bitnami WordPress via one of our cloud partner marketplaces and it is not yet updated to version 4.7.2, you will need to upgrade your application using the documentation linked above.

If you have further questions about Bitnami WordPress or this security issue, please post to our community forum, and we will be happy to help you.

Friday, January 13, 2017

Elasticsearch Installation Security Incident

Attackers have reportedly been scanning for and vandalizing unsecured Elasticsearch installations exposed to the Internet. (See: http://www.pcworld.com/article/3157417/security/after-mongodb-ransomware-groups-hit-exposed-elasticsearch-clusters.html)

Bitnami's security team has reviewed our image library. As a result, we have confirmed that Bitnami virtual machines and single-VM cloud images are not vulnerable to this attack because they do not expose Elasticsearch publicly by default; Elasticsearch is proxied through Apache with authentication.

One Bitnami listing, "Elasticsearch Cluster" on Microsoft Azure, was found to be vulnerable. This listing was removed earlier this week and we are notifying the small number of users who may have installations based on the affected template.

Since the scale of the attack appears to be growing, we recommend that all users of Bitnami Elasticsearch on all cloud platforms check that their installations are secure. Deployments that were secure at launch may have been accidentally opened to the Internet by changing the default configuration. 

We recommend that you immediately make sure your Elasticsearch is not exposed to the public Internet, by doing one of the following:

a) Confirm that your inbound firewall rules block traffic to ports 9200-9300 from the Internet, or

b) Move any Elasticsearch deployments to private networks.

How to restrict access to port 9200 on Microsoft Azure:
1. Login to Microsoft Azure Portal.
2. Using the left hand navigation bar, go to “Resource groups”.
3. Select the resource group your Elasticsearch Cluster application is located in.
4. Select the "Network Security Group" to edit the properties.


5. Under "Inbound security rules", open the rule that allows port 9200 and change its Action from "Allow" to "Deny". Keep the rule's priority: NSG rules are evaluated in priority order and the first match wins, so a Deny that sorts after an Allow for the same port has no effect.
6. Click the blue “Save” button at the top of the window.


Additional practices for securing Elasticsearch can be found here: http://code972.com/blog/2017/01/107-dont-be-ransacked-securing-your-elasticsearch-cluster-properly

If you have been affected by this attack or need additional help securing your Bitnami Elasticsearch, please contact us directly through our Helpdesk (https://bitnami.zendesk.com/hc/en-us) and we will do our best to assist you.

CodeIgniter Security Issue CVE-2016-10131

[ UPDATE 2017-01-17 ]

The Bitnami Team is happy to announce that the Bitnami Cloud Hosting images have been updated and now ship the latest version of CodeIgniter.

----

The CodeIgniter project released a new update that contains an important security fix for a remote code execution vulnerability (sendmail argument injection through the email From field, described below). We strongly recommend that all CodeIgniter developers using Bitnami LAMP installations or the CodeIgniter Development container upgrade to the latest version immediately.

We released new versions of Bitnami LAMP, MAMP, WAMP, LAPP, MAPP and WAPP (PHP5 and PHP7) installers, virtual machines and cloud images that fix this security issue. We also released a new version of our Bitnami CodeIgniter development container. Further details regarding the security issue are explained below:

"System/libraries/Email.php in CodeIgniter before 3.1.3 allows remote attackers to execute arbitrary code by leveraging control over the email->from field to insert sendmail command-line arguments."

More info: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10131

Workaround

If you cannot redeploy on a fixed Bitnami stack right away, you can still close this hole by manually upgrading the CodeIgniter framework bundled with your application to 3.1.3 or later, following the project's upgrade instructions:

https://codeigniter.com/userguide3/installation/upgrading.html

Do you have questions about Bitnami or the security issue? Please post to our community forum and we will be happy to help you.

Tuesday, January 10, 2017

PWNScriptum Security Issue

[ UPDATE 2017-01-16 ]

The Magento team has published a new blog post about this security issue. They recommend turning off the "Set Return-Path" setting (switch it to "No") under "Stores -> Configuration -> Advanced -> System -> Mail Sending Settings -> Set Return-Path". With Return-Path disabled, Magento no longer passes the sender address to sendmail on the command line, which is the path this class of bug abuses.

Standard Bitnami Magento deployments are not affected, because that setting is "No" by default.

https://magento.com/security/news/new-zend-framework-1-security-vulnerability

----

During the past couple of weeks, vulnerabilities were discovered in the most widely used PHP mailing libraries: PHPMailer (CVE-2016-10033 and CVE-2016-10045), Swiftmailer (CVE-2016-10074) and ZendMail (CVE-2016-10034). In each case a sender address that the application lets a user influence can smuggle extra command-line arguments to sendmail. Several stacks in the Bitnami library could potentially be affected. Whether an application is exploitable depends on how it uses the library, so the fix has to come from each application's own developers.

From the moment this issue was reported, our security team began a thorough review of all our PHP applications (including contacting developers directly in several cases). We will release fixed versions of all affected apps as soon as they are available.

Note that in several cases, the application uses the library in a way that never reaches the vulnerable code path. Examples include:

  • WordPress: “Presently, WordPress Core (and as a result, anything utilising wp_mail()) are unaffected by the recent disclosures, the vulnerabilities require the usage of a PHPMailer feature which WordPress & wp_mail() does not use. This applies to WordPress 4.7, 4.6.x, and all previous secure versions.” [more info]
  • Drupal: “The SMTP module has a modified third party PHPMailer library in its codebase. The modified version of the library is not affected.” [more info]
  • Joomla: “After analysis [..] there are additional validations in place which make executing this vulnerability impractical within the Joomla environment.” [more info]
  • Moodle: “So my current conclusion is that Moodle sites are not affected by the Sender vulnerability discovered in phpmailer < 5.2.18.” [more info]
  • Phabricator: “No immediate action is necessary because we don't expose any way to get at these vulnerabilities.” [more info] 

Affected Bitnami PHP applications with recently released fixes: Akeneo, Dreamfactory, Mahara, Mantis, Mautic, ModX, Owncloud, OroCRM, TinyTinyRSS, PHPList. Please make sure you update your stacks by following the documentation in docs.bitnami.com.

Unaffected Bitnami PHP applications: SEO Panel, CMS Made Simple, Piwik, Magento, Prestashop, EspoCRM, Pimcore, Shopware and Oxid.

Please stay tuned if you are using a Bitnami PHP application, as we will continue releasing apps as soon as a fix is available.
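The mechanism behind both the CodeIgniter advisory (CVE-2016-10131) above and the PHPMailer/Swiftmailer/ZendMail issues in this post is the same: the sender address ends up as a -f argument on a sendmail command line that passes through a shell. The following is an added illustration in Python, not code from any of those libraries or from Bitnami. It mimics the vulnerable pattern, then shows the two fixes the libraries converged on: shell-quoting the value (PHP's escapeshellarg) and, more robustly, strict validation plus building argv without a shell. The sender string, the sendmail path and the helper names are all constructed for the demo; real payloads used an RFC 5322 quoted local part to pass the libraries' address validation, which is also why CVE-2016-10045 could bypass the first quoting-only fix. The set_return_path switch reproduces what Magento's "Set Return-Path: No" achieves.

```python
"""Sendmail argument injection through a sender address, and two fixes (added demo)."""
from __future__ import annotations
import re
import shlex

SENDMAIL = "/usr/sbin/sendmail"          # assumed path of the sendmail binary

# Constructed demo sender: plain whitespace is enough to show the mechanism.
DEMO_SENDER = "attacker@example.com -X/tmp/injected.log"


def sendmail_command_vulnerable(from_addr: str) -> list[str]:
    """Vulnerable pattern: the sender is interpolated into a shell command string.

    shlex.split() does the same word splitting /bin/sh would, so the returned
    list is the argv sendmail actually receives.
    """
    command = f"{SENDMAIL} -t -i -f{from_addr}"
    return shlex.split(command)


def sendmail_command_quoted(from_addr: str) -> list[str]:
    """Fix 1: shell-quote the sender (the escapeshellarg approach).

    The whole value stays inside one -f argument; sendmail then fails to parse
    it as an address instead of honouring injected options.
    """
    command = f"{SENDMAIL} -t -i -f{shlex.quote(from_addr)}"
    return shlex.split(command)


# Deliberately narrower than RFC 5322: no quotes, backslashes or whitespace
# (the characters the injection needs) and no leading '-', so the address can
# never be mistaken for an option if it is ever passed as its own argument.
STRICT_ADDRESS = re.compile(r"^(?!-)[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def is_safe_sender(from_addr: str) -> bool:
    return bool(STRICT_ADDRESS.match(from_addr))


def sendmail_argv_safe(from_addr: str, set_return_path: bool = True) -> list[str]:
    """Fix 2: validate strictly and build argv directly, never via a shell.

    set_return_path=False mirrors Magento's "Set Return-Path: No": no -f option
    is emitted at all, so the sender never reaches the command line and
    sendmail derives the envelope sender itself.
    """
    argv = [SENDMAIL, "-t", "-i"]
    if not set_return_path:
        return argv
    if not is_safe_sender(from_addr):
        raise ValueError(f"refusing unsafe sender address: {from_addr!r}")
    argv.append("-f" + from_addr)
    return argv


def injected_options(argv: list[str]) -> list[str]:
    """Options that appear after the -f argument came from the sender string,
    not from the application."""
    for i, arg in enumerate(argv):
        if arg.startswith("-f"):
            return [a for a in argv[i + 1:] if a.startswith("-")]
    return []


if __name__ == "__main__":
    vulnerable = sendmail_command_vulnerable(DEMO_SENDER)
    print("vulnerable argv:", vulnerable)
    print("injected       :", injected_options(vulnerable))
    print("quoted argv    :", sendmail_command_quoted(DEMO_SENDER))
    try:
        sendmail_argv_safe(DEMO_SENDER)
    except ValueError as exc:
        print("strict         :", exc)
    print("no return-path :", sendmail_argv_safe(DEMO_SENDER, set_return_path=False))
```

Quoting alone (fix 1) keeps the injected text inside the -f value, but it still relies on every caller remembering to quote and on the shell and the quoting function agreeing about every edge case; validating the address against a grammar you control and handing sendmail an argv list with no shell in between removes the whole class of problem.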

Bitnami Applications for Oracle Bare Metal Cloud Services


At Oracle World in 2015, Bitnami and Oracle jointly announced the availability of the Bitnami catalog of more than 150 applications for Oracle Cloud Platform.

Fast forward a little more than a year later, and Bitnami is proud to be collaborating with the Oracle Bare Metal Cloud Services (BMCS) team to extend selected Bitnami offerings to BMCS, as well.

We've worked with the Oracle BMCS team to select the first 21 applications, including Java-related infrastructure such as JBoss, Liferay, Node.JS, and Tomcat; databases such as MongoDB and MySQL, as well as popular line of business applications like WordPress, Magento, and Moodle.

Bitnami-packaged applications are tested and approved to run on Oracle Cloud, secure, and kept up to date.

To see the complete list:

1. Go to the Oracle Cloud Marketplace

2. Type "bitnami bare metal" into the search box

You're now ready to download the installer for the application of your choice and use it on your Oracle BMCS account.


Monday, January 9, 2017

'MongoDB with Replication' Security Issue


[UPDATE 2017-01-11]

The steps to restrict access to port 27017 on Google Cloud Platform have been updated

[UPDATE 2017-01-10]

The Bitnami Team has been working on new guides for securing the database and recovering data using the MongoDB oplog. Please see the "How to enable authentication for securing your installation" and "Restoring your database" sections below.

----

In the past few days, it has been reported that attackers have been scanning for and vandalizing unsecured MongoDB databases accessible over the internet. (See https://www.scmagazine.com/mongodb-databases-under-attack-worldwide/article/629601/)

Our security team follows these reports closely and began a review of our existing images. As a result, we confirmed that Bitnami virtual machines and single-VM cloud images are not vulnerable to this attack because they require the administrator to authenticate. However, one Bitnami listing is vulnerable when left in its default configuration: Bitnami's MongoDB with Replication. This template is offered in Google Cloud Launcher and Microsoft Azure.

We are working with Google to remove and replace the template on the Google Cloud Launcher.  If you launch or have launched a “MongoDB with Replication” application prior to version 3.4.1, please take immediate steps to secure your application, instructions below.

For Microsoft Azure users, a replacement template, which implements MongoDB authentication to prevent users from remotely performing CRUD operations on the database, is available now in the Azure Marketplace here. The fixed template version is MongoDB 3.4.1-0 (Debian 8).

While the scale of the attack across the internet was large, only a small number of Bitnami users were affected and not already secured. We are working with the cloud vendors to contact these users and replace the default settings. In the meantime, if you think your installation could be affected, please see below for steps that you can take to safeguard your data.

If you are currently using an installation based on the Bitnami MongoDB with Replication template that has not already been secured, take the following steps immediately:

1. Restrict external access to the default port 27017
2. Enable authentication to secure your installation
3. Restore your database

How to restrict access to port 27017 on Google Cloud Platform

1. Login to Google Cloud Platform.
2. Using the left hand menu, navigate to the “Networking” section.
3. Under the networking section choose “Firewall Rules”.


In this section find the firewall rules that correspond with your MongoDB instance. If you launched through the Google Cloud Launcher the name is likely to be “mongodb-multivm-1-node-0-firewall”.

4. Click on the 'Firewall Rule Details' for each MongoDB instance to show firewall rules details:


5. Remove port 27017 from the list of allowed protocols and ports. Remove the bitnami-mongodb tag if it is set.


6. Click “Save”.

7. Using the left hand menu, navigate to the “Compute Engine” section. In this section find the instances that correspond with your MongoDB deployment. Look for the different nodes of the deployment, if you launched through the Google Cloud Launcher the name is likely to be “mongodb-multivm”.

8. Remove the bitnami-mongodb tag in all the instances if it is set.


9. Click “Save”.
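Both the Elasticsearch post above (ports 9200-9300, Azure NSG) and the MongoDB steps just given (port 27017, GCP firewall rules) come down to the same check: is there a rule that lets any Internet source reach the database port? Clicking through the console works for one deployment; for many, audit an export. The script below is an added example, not a Bitnami tool. It reads the JSON that `gcloud compute firewall-rules list --format=json` and `az network nsg rule list -o json` produce; the GCP field names are as documented for that command, while the Azure field names (access, direction, priority, protocol, sourceAddressPrefix, destinationPortRange) are an assumption from memory of that CLI's output and should be checked against your own export. The sample rules are constructed to resemble the Launcher's default MongoDB rule and the Azure case from the Elasticsearch post, including why flipping the existing Allow rule to Deny works while adding a lower-precedence Deny does not.

```python
"""Audit exported cloud firewall rules for database ports open to the Internet (added example)."""
from __future__ import annotations
import ipaddress

# Ports from the Elasticsearch and MongoDB posts above.
WATCHED = {"elasticsearch": (9200, 9300), "mongodb": (27017, 27017)}


def port_range(spec) -> tuple[int, int]:
    """'9200-9300' -> (9200, 9300); '27017' -> (27017, 27017); '*' -> every port."""
    spec = str(spec).strip()
    if spec in ("*", ""):
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


def covers_internet(prefix) -> bool:
    """True if a source prefix means 'anywhere': 0.0.0.0/0, ::/0, Azure '*' or 'Internet'."""
    prefix = str(prefix).strip()
    if prefix in ("*", "Internet"):
        return True
    try:
        return ipaddress.ip_network(prefix, strict=False).prefixlen == 0
    except ValueError:          # service tags, names, garbage
        return False


def gcp_exposures(rules: list[dict]) -> list[tuple[str, str, str]]:
    """GCP VPC rules as exported by `gcloud compute firewall-rules list --format=json`.
    Reports every enabled INGRESS rule that allows a watched TCP port from 0.0.0.0/0.
    Deny rules (which can win on priority) are not modelled, so a hit means
    'inspect this rule', not proof of exposure."""
    hits = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if not any(covers_internet(s) for s in rule.get("sourceRanges", [])):
            continue
        for allowed in rule.get("allowed", []):
            if allowed.get("IPProtocol", "").lower() not in ("tcp", "all"):
                continue
            for spec in allowed.get("ports", ["*"]):   # no 'ports' key means all ports
                lo, hi = port_range(spec)
                for service, (wlo, whi) in WATCHED.items():
                    if lo <= whi and wlo <= hi:
                        hits.append((rule["name"], service, spec))
    return hits


def azure_exposures(rules: list[dict]) -> list[tuple[str, str, int]]:
    """Azure NSG rules as exported by `az network nsg rule list -o json` (field names
    assumed from that output). Inbound rules are evaluated lowest priority number
    first and the first match wins, so a Deny only helps if it sorts before the
    Allow; with no match at all the built-in DenyAllInBound applies."""
    inbound = sorted((r for r in rules if r.get("direction") == "Inbound"),
                     key=lambda r: int(r["priority"]))
    hits = []
    for service, (wlo, whi) in WATCHED.items():
        for port in range(wlo, whi + 1):
            for rule in inbound:
                sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "")]
                specs = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
                if (not any(covers_internet(s) for s in sources)
                        or rule.get("protocol", "*").lower() not in ("tcp", "*")
                        or not any(port_range(s)[0] <= port <= port_range(s)[1] for s in specs)):
                    continue
                if rule.get("access") == "Allow":
                    hits.append((rule["name"], service, port))
                break   # first matching rule decides this port
    return hits


# Constructed samples shaped like the rules the posts describe.
SAMPLE_GCP = [
    {"name": "mongodb-multivm-1-node-0-firewall", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["bitnami-mongodb"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22", "27017"]}]},
    {"name": "mongodb-internal", "direction": "INGRESS",
     "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["27017"]}]},
]
SAMPLE_AZURE_BEFORE = [   # a Deny was added, but it sorts after the Allow
    {"name": "allow-es", "direction": "Inbound", "priority": 100, "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "9200"},
    {"name": "deny-es", "direction": "Inbound", "priority": 200, "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "9200-9300"},
]
# The fix from the Elasticsearch post: flip the existing Allow rule itself to Deny.
SAMPLE_AZURE_AFTER = [dict(SAMPLE_AZURE_BEFORE[0], access="Deny"), SAMPLE_AZURE_BEFORE[1]]

if __name__ == "__main__":
    print("GCP         :", gcp_exposures(SAMPLE_GCP))
    print("Azure before:", azure_exposures(SAMPLE_AZURE_BEFORE))
    print("Azure after :", azure_exposures(SAMPLE_AZURE_AFTER))
```

Removing the port from the GCP rule (step 5 above) makes gcp_exposures stop reporting it; removing the bitnami-mongodb tag from the instances (step 8) detaches them from the rule entirely, which is the belt-and-braces part of the procedure, since a rule with no matching targets allows nothing even if someone re-adds the port later.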

Tuesday, December 20, 2016

Joomla! 3.6.5 Security Release (CVE-2016-9838)

The Joomla! project has just released a new version that fixes three security vulnerabilities.

This is a security release for the 3.x series and it only contains the security fixes, no other changes have been made. It is strongly suggested that you update your Joomla! website to the latest version.

You can find more information about these issues on the Joomla! release news page.

We have released Bitnami Joomla! 3.6.5 Docker image, cloud images, installers and virtual machines that fix these issues.

Do you already have a Joomla! installation? You can follow our guide about how to upgrade your application and you won't have to worry about these vulnerabilities.

If you have further questions about Bitnami Joomla! or this security issue, please post to our community forum, and we would be happy to help you.

Friday, December 9, 2016

WordPress 4.7 “Vaughan” ‒ Now Available from Bitnami

Version 4.7 of WordPress, named “Vaughan” in honor of legendary jazz vocalist Sarah “Sassy” Vaughan, is now available from Bitnami. If you are already using a Bitnami WordPress image, you can simply upgrade your version from your WordPress admin panel.

Not familiar with Bitnami WordPress? In short, it is the easiest way to install your own WordPress instance. We've packaged WordPress as a self-contained and incredibly fast distribution that is simple to deploy. To get started with Bitnami WordPress, you can download our ready-to-run installers for Linux, Windows and Mac OS X, or our virtual machine images (VMs) and container for the application. If you want a hosted WordPress application, you can deploy Bitnami WordPress into the cloud with one of our several cloud partners.

What's new in WordPress 4.7?

There are a significant number of new features in this WordPress version, including:

  • Twenty Seventeen theme: This yearly update of WordPress's native theme focuses on business sites and features a customizable front page with multiple sections.
  • New additions to the appearance customizer that take you through the initial setup of a theme, with non-destructive live previews of all your changes in one uninterrupted workflow.
  • New tools to manage your document collection; uploading PDFs will generate thumbnail images so you can more easily distinguish between all your documents.
  • REST API endpoints for posts, comments, terms, users, meta, and settings.




Get started with a new WordPress application easily by deploying a Bitnami WordPress stack. If you have questions about Bitnami WordPress, please post to our community forum, and we will be happy to help you.

Tuesday, December 6, 2016

Security Release: GitLab 8.14.3 (CVE-2016-9469)

The GitLab project released a new update that contains an important security fix for a critical denial-of-service and data corruption vulnerability, and we strongly recommend that all affected GitLab installations be upgraded to the latest version immediately.

We released new versions of the Bitnami GitLab 8.14.3 installers, virtual machines and cloud images that fix this security issue. Further details regarding the security issue are explained below:

Denial-of-Service and Data Corruption Vulnerability in Issue and Merge Request Trackers

This issue is the result of unsanitized user input being passed to an internal function that expects only trusted data: as the patch below shows, the value of the state query parameter was handed straight to public_send on the issue or merge request relation, so a crafted value could call any public method of that relation, including destructive ones, instead of only the intended state filters. This code was introduced in GitLab 8.13.0.

More information about the issue can be found in the official blog post.
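The following is an added illustration of that bug class, not GitLab's code: GitLab is Ruby and the original finder called items.public_send(params[:state]); getattr(items, state)() is the Python equivalent of dispatching on a caller-supplied method name. IssueRelation is a constructed stand-in for an ActiveRecord relation with the two filters the finder intends to call plus the destructive method every real relation also carries. The hardened version goes one step further than the patch below: instead of treating unknown values as "no filter" it rejects them, so bad input fails closed.

```python
"""Untrusted input used as a method name, and an allowlisted replacement (added example)."""
from __future__ import annotations


class IssueRelation:
    """Tiny in-memory stand-in for an issues relation (constructed for the demo)."""

    def __init__(self, rows):
        self.rows = list(rows)

    # The filters the finder is meant to call.
    def opened(self) -> "IssueRelation":
        return IssueRelation(r for r in self.rows if r["state"] == "opened")

    def closed(self) -> "IssueRelation":
        return IssueRelation(r for r in self.rows if r["state"] == "closed")

    # Present on every real relation, never meant to be reachable from a query string.
    def delete_all(self) -> int:
        deleted = len(self.rows)
        self.rows.clear()
        return deleted

    def __len__(self) -> int:
        return len(self.rows)


def by_state_vulnerable(items, params: dict):
    """Mirrors the pre-8.14.3 finder: the state parameter selects a method by name,
    so ?state=delete_all deletes instead of filtering."""
    state = params.get("state") or "all"
    if hasattr(items, state):           # Ruby: items.respond_to?(params[:state])
        return getattr(items, state)()  # Ruby: items.public_send(params[:state])
    return items


# Hardened: an explicit allowlist mapping parameter values to the calls we mean.
STATE_FILTERS = {
    "opened": lambda items: items.opened(),
    "closed": lambda items: items.closed(),
    # merge requests have a merged scope; issues do not, so fall back to closed
    "merged": lambda items: items.merged() if hasattr(items, "merged") else items.closed(),
    "all": lambda items: items,
}


def is_valid_state(state: str) -> bool:
    return state in STATE_FILTERS


def by_state_safe(items, params: dict):
    """Stricter than the GitLab patch: unknown values raise instead of silently
    returning every item."""
    state = str(params.get("state") or "all")
    if not is_valid_state(state):
        raise ValueError(f"invalid state filter: {state!r}")
    return STATE_FILTERS[state](items)


def sample_issues() -> IssueRelation:
    """Constructed sample data: two open issues and one closed."""
    return IssueRelation([
        {"id": 1, "state": "opened"},
        {"id": 2, "state": "closed"},
        {"id": 3, "state": "opened"},
    ])


if __name__ == "__main__":
    issues = sample_issues()
    by_state_vulnerable(issues, {"state": "delete_all"})
    print("vulnerable finder left", len(issues), "issues")
    issues = sample_issues()
    try:
        by_state_safe(issues, {"state": "delete_all"})
    except ValueError as exc:
        print("safe finder refused:", exc, "- still", len(issues), "issues")
```

The respond_to? guard in the original looks like validation but is not: it only confirms that the attacker picked a method that exists. The real fix is to never let input choose the method at all, which is what the allowlist does, and to decide explicitly what an unexpected value means rather than letting it fall through.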

Workarounds


If you're unable to upgrade right away, you can protect your GitLab installation using one of the workarounds below until you can upgrade. Note that the web server rule is a blocklist: it only rejects query strings containing state=destroy or state=delete, so the patch, which replaces the dynamic method call with an explicit list of allowed states, is the more complete of the two.


Securing via web server configuration

  • Add the following text at the end of the httpd-app.conf file of Gitlab
     RewriteEngine On
     RewriteCond %{QUERY_STRING} ^.*(state=destroy).* [NC,OR]
     RewriteCond %{QUERY_STRING} ^.*(state=delete).* [NC]
     RewriteRule ^(.*)$ - [F,L]

  • Restart Apache
           sudo /opt/bitnami/ctlscript.sh restart apache


Securing via patch

  • Save the diff below as a file in /opt/bitnami/apps/gitlab/htdocs
  • Apply it from that directory with patch -p1 (the diff uses the a/ and b/ path prefixes), then restart GitLab so the changed Ruby file is loaded:
           sudo /opt/bitnami/ctlscript.sh restart
     diff --git a/app/finders/issuable_finder.rb                          b/app/finders/issuable_finder.rb
     index e42d5af..2c9412b 100644
     --- a/app/finders/issuable_finder.rb
     +++ b/app/finders/issuable_finder.rb
     @@ -7,7 +7,7 @@
      #   current_user - which user use
      #   params:
      #     scope: 'created-by-me' or 'assigned-to-me' or 'all'
     -#     state: 'open' or 'closed' or 'all'
     +#     state: 'opened' or 'closed' or 'all'
      #     group_id: integer 
      #     project_id: integer
      #     milestone_title: string
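Review bot: the corrected comment still under-documents by_state: the code in the next hunk also accepts 'merged' (falling back to closed for issues) and treats any other value, not only 'all', as no filter, so state the real contract here, for example "state: 'opened', 'closed', 'merged' (merge requests) or 'all'; anything else is ignored", so the next reader does not have to infer it from the case statement.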
     @@ -183,10 +183,13 @@ class IssuableFinder
          end
          def by_state(items)
     -      params[:state] ||= 'all'
     -
     -      if items.respond_to?(params[:state])
     -        items.public_send(params[:state])
     +      case params[:state].to_s
     +      when 'closed'
     +        items.closed
     +      when 'merged'
     +        items.respond_to?(:merged) ? items.merged : items.closed
     +      when 'opened'
     +        items.opened
            else
              items
            end
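Review bot: the else branch makes every unrecognised state, not just 'all', return the unfiltered relation, so the fix fails open (a typo now lists everything instead of erroring); add an explicit when 'all' and either raise or return items.none in the else. Dropping params[:state] ||= 'all' also changes what any later reader of params[:state] sees (nil instead of 'all'); check those callers or keep the default assignment alongside the case.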


Verifying the workaround

  • Open your GitLab project
  • Open the project's issue tracker
  • Choose the "closed" tab
  • Adjust the "state" field in your browser's address bar to "deleteme"
  • Verify you receive a 403 Forbidden error


Note: If you applied only the patch, you will not get a 403 here; the patched code treats an unknown state value as "no filter" and returns the normal issue list instead of an error.

Do you have questions about Bitnami GitLab or the security issue? Please post to our community forum and we will be happy to help you.


Thursday, December 1, 2016

Code Dx Now Available in Microsoft’s Azure Government Cloud Marketplace

Bitnami has included Code Dx in the first wave of applications published to Microsoft’s Azure Government Cloud Marketplace. Code Dx provides comprehensive tools for software development professionals and quality assurance experts to test applications for vulnerabilities, pinpointing issues in the actual code.

With the recent attention and focus on application security—along with the tools Code Dx provides to ensure software development compliance with standards found in regulations like the DISA-STIG—government and eligible private entities alike will benefit from the greater availability and utility offered by the Azure Government Cloud platform.

With lightweight, secure access to cloud-based, physically isolated instances of Code Dx, users can quickly aggregate the results of multiple analysis tools, compare them to a wide range of industry security standards (such as OWASP Top 10), and triage identified vulnerabilities based on severity. With deployment on the Azure Government Cloud Marketplace, both new and existing users can access Code Dx on this new platform in addition to the various other deployment options already available.

For government and government-affiliated agencies, this represents a secure solution to a complex problem, but private entities also have to contend with vulnerability identification, management, and remediation, as well as ensuring compliance with regulations like HIPAA. Deployment on the Azure Government Cloud Marketplace platform gives these users the same benefits of security and cloud-based access.

To spread awareness about application security—what developers, government organizations, and security professionals need to know about it, how it’s different from network security, and what needs to be the focus in the future—and to explain some of the highlights of Code Dx’s utility, Bitnami and Code Dx are hosting a webinar on December 6, 2016, at 10 AM PST. To register, visit https://bitnami.com/webinar/codedx.

Guest blog post by: Ken Prole, CTO of Code Dx

Tuesday, November 29, 2016

Bitnami Releases Two Amazon RDS Offerings!

Bitnami, one of the leading providers of open source software in the AWS Marketplace, is excited to announce two new offerings using Amazon Relational Database Service (RDS): Wordpress Multi-Tier with Amazon RDS for MariaDB and Redmine Multi-Tier with Amazon RDS for MariaDB. WordPress, a popular Content Management System (CMS), and Redmine, a flexible and richly configurable project management platform, are excellent additions to any business' needs in the cloud.

Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while managing time-consuming database administration tasks, freeing you up to focus on your applications and business.  With Amazon RDS, you can deploy a scalable MariaDB database, a popular open source relational database created by the original developers of MySQL.



Tighter integration with Amazon’s managed database offering in the cloud allows customers to take advantage of that same value with the expertise of Amazon Web Services managing the infrastructure for critical data in the cloud. These two new offerings use Amazon CloudFormation Templates created by Bitnami to orchestrate the application’s resources for the deployment. Users will be able to configure architecture suited to their needs and launch an environment into their AWS Account. All of the data required to get up and running will be pre-populated and ready for use upon deployment. 

Bitnami's applications are trusted for providing the most up-to-date and patched versions of popular open source applications, consistently and expediently after release. Using Bitnami's CloudFormation templates lets customers receive all of these Bitnami benefits in an environment that also has the scalability and ease of use of CloudFormation.

Bitnami is excited to deepen our partnership with Amazon Web Services and our customers through the AWS Marketplace. We look forward to continuing to provide more value for our users and receiving your feedback on these applications. Please reach out to us directly if you have any requests or would like to see your applications available with Amazon RDS. You can reach out to us at enterprise@bitnami.com.

Monday, November 21, 2016

MySQL / MariaDB: Privilege Escalation / Race Condition / Root Privilege Escalation (CVE-2016-6663 and CVE-2016-6664)

Several new security vulnerabilities that affect some versions of MySQL and MariaDB were announced recently.

All published Bitnami stacks that include MySQL or MariaDB as the database server are not affected, because they ship versions outside the affected ranges listed below.

CVE-2016-6663

The vulnerability allows a local system user with access to the affected database through a low-privileged account (CREATE/INSERT/SELECT grants) to escalate their privileges and execute arbitrary code as the database system user (mysql).

Successful exploitation would allow an attacker to gain access to all of the databases stored on the affected database server.

Affected versions:

MariaDB: < 5.5.52, < 10.0.28, < 10.1.18

MySQL: <= 5.5.51, <= 5.6.32, <= 5.7.14

More information about this issue can be found at the following link: https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html

CVE-2016-6664

MySQL-based databases, including MySQL, MariaDB and Percona Server, are affected by a privilege escalation vulnerability that lets an attacker who has already gained access as the mysql system user (for example through CVE-2016-6663 above) escalate further to root and fully compromise the host. The vulnerability stems from unsafe file handling of error logs and other files.

Affected versions:

MySQL: <= 5.5.51, <= 5.6.32, <= 5.7.14

MariaDB: all versions current at the time of this post

More information about this issue can be found at the following link: https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html
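To check a fleet against the two tables above, run SELECT VERSION(); on each server and classify the string. The helper below is an added example, not from Bitnami, Oracle or MariaDB: it encodes exactly the ranges listed in this post, derives the product from the presence of "MariaDB" in the version string, and reports a branch that does not appear in the tables (for example MySQL 8.x) as not covered, which is all this post supports. For CVE-2016-6664 on MariaDB it returns affected for every version, matching the "all current" entry at the time of writing; update FIXED_IN when you confirm a fixed MariaDB release for your branch.

```python
"""Classify a MySQL/MariaDB VERSION() string against the ranges in this post (added helper)."""
from __future__ import annotations
import re

# First fixed release per branch, per CVE, from the tables above.
# None means every version of that product is listed as affected.
FIXED_IN = {
    "CVE-2016-6663": {
        "mysql":   {"5.5": "5.5.52", "5.6": "5.6.33", "5.7": "5.7.15"},
        "mariadb": {"5.5": "5.5.52", "10.0": "10.0.28", "10.1": "10.1.18"},
    },
    "CVE-2016-6664": {
        "mysql":   {"5.5": "5.5.52", "5.6": "5.6.33", "5.7": "5.7.15"},
        "mariadb": None,   # "all current" MariaDB releases at the time of this post
    },
}


def parse_version(version: str) -> tuple[str, tuple[int, int, int]]:
    """'10.1.17-MariaDB' -> ('mariadb', (10, 1, 17)); '5.7.14-log' -> ('mysql', (5, 7, 14)).

    Distribution suffixes such as '-0ubuntu0.16.04.1' are ignored; only the
    leading major.minor.patch triple is compared.
    """
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    product = "mariadb" if "mariadb" in version.lower() else "mysql"
    major, minor, patch = (int(x) for x in match.groups())
    return product, (major, minor, patch)


def affected_cves(version: str) -> set[str]:
    """CVE identifiers from this post whose listed affected range contains `version`."""
    product, nums = parse_version(version)
    branch = f"{nums[0]}.{nums[1]}"
    hits = set()
    for cve, per_product in FIXED_IN.items():
        fixed = per_product[product]
        if fixed is None:
            hits.add(cve)
        elif branch in fixed and nums < parse_version(fixed[branch])[1]:
            hits.add(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample strings in the shape SELECT VERSION() returns.
    for v in ("5.7.14-log", "5.7.15", "10.1.17-MariaDB", "10.1.18-MariaDB",
              "5.6.32-0ubuntu0.16.04.1", "8.0.0-dmr"):
        print(f"{v:28} {sorted(affected_cves(v)) or 'not in the affected ranges above'}")
```

Because a stack may carry a vendor-patched build whose version string predates the upstream fix, treat the result as a prompt to check the vendor's changelog rather than as a final verdict.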

Are you using an affected version of the server or do you have questions about the security issue? Please post to our community forum and we will be happy to help you.