Thursday, March 8, 2018

Security update: Buffer overflow in the DHCP client


Updated blog post with information about the CentOS package

Updated blog post with information about the Red Hat and Oracle Linux packages

A new security vulnerability in the DHCP client has been discovered. It allows a malicious server (or an entity masquerading as one) to cause a buffer overflow in dhclient by sending a response containing a specially constructed options section. You can find more information in the official DHCP announcement.

This buffer overflow can result in a crash due to an out-of-bounds memory access if the client receives and processes a triggering response packet. However, buffer overflow outcomes might vary depending on the operating system. Outcomes such as remote code execution may also be possible in some circumstances.

Versions affected are:
  • 4.1.0 -> 4.1-ESV-R15
  • 4.2.0 -> 4.2.8
  • 4.3.0 -> 4.3.6
  • 4.4.0
Bitnami-packaged images might be affected by this issue if the dhclient tool has not been updated.

When this security issue was found, another security vulnerability in the DHCP server component was published, but we want to clarify that none of our solutions include that package installed by default.

We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami and our team is working to update all of the affected Virtual Machines and Cloud Images available through Bitnami for all Cloud Providers. We will keep you updated in this blog post.

How to mitigate the issue

In the meantime, you can mitigate this problem by updating the tool using the package manager included with your operating system.

Amazon Linux

    There is no new version of the package yet

RedHat / CentOS / Oracle Server

    sudo yum install dhcp-common

Ubuntu / Debian

    sudo apt-get install isc-dhcp-client

Once updated, you will have one of the following versions:

CentOS / Amazon Linux

    There is no new version of the package yet

Oracle Server

Debian

    jessie: 4.3.1-6+deb8u3
    stretch: 4.3.5-3+deb9u1

How to obtain the installed version of the package

To check the currently installed version on your system:

RedHat / CentOS / Oracle Server / Amazon Linux

    sudo yum -q info installed dhcp-common

Ubuntu / Debian

    sudo dpkg -s isc-dhcp-client
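Reading the version off `dpkg -s` by eye does not scale across a fleet, and naive string comparison gets Debian backport suffixes wrong. The following Python check is an added example (not code from the Bitnami post): it parses the output of `dpkg -s isc-dhcp-client`, compares the Version field against the fixed jessie/stretch versions listed above using a port of dpkg's own version ordering (so `+deb9u1` sorts above `-3`, and a `~` pre-release marker sorts below the release), and reports whether the host is patched. The sample outputs are constructed.

```python
import itertools
import re

# Fixed isc-dhcp-client versions quoted in the advisory for Debian releases.
FIXED_DEBIAN = {"jessie": "4.3.1-6+deb8u3", "stretch": "4.3.5-3+deb9u1"}

def _order(c):
    # dpkg weight for a non-digit character: '~' sorts before anything (even
    # end of string, which weighs 0), letters sort before non-letters.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Equivalent of dpkg's verrevcmp(): split both strings into alternating
    # (non-digit, digit) runs and compare run by run; digit runs compare as
    # integers, non-digit runs as character weights padded with an end marker.
    pa = re.findall(r"(\D*)(\d*)", a)
    pb = re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in itertools.zip_longest(pa, pb, fillvalue=("", "")):
        wa = [_order(c) for c in na] + [0]
        wb = [_order(c) for c in nb] + [0]
        if wa != wb:
            return -1 if wa < wb else 1
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def _split(v):
    # "[epoch:]upstream[-revision]" -> (epoch, upstream, revision)
    epoch, v = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = v.rpartition("-")
    return int(epoch), (upstream or revision), (revision if upstream else "")

def compare_versions(a, b):
    """Return <0, 0 or >0 with the semantics of `dpkg --compare-versions`."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def is_patched(dpkg_status, release):
    """True if the Version: field of `dpkg -s isc-dhcp-client` output is at or
    above the fixed version for the given Debian release."""
    m = re.search(r"^Version:\s*(\S+)", dpkg_status, re.M)
    return bool(m) and compare_versions(m.group(1), FIXED_DEBIAN[release]) >= 0

# Constructed sample outputs, not captured from a real host.
SAMPLE_OLD = "Package: isc-dhcp-client\nStatus: install ok installed\nVersion: 4.3.5-3\n"
SAMPLE_NEW = "Package: isc-dhcp-client\nStatus: install ok installed\nVersion: 4.3.5-3+deb9u1\n"
```

On a real host, feed `is_patched` the output of `subprocess.run(["dpkg", "-s", "isc-dhcp-client"], capture_output=True, text=True).stdout` together with the release name from `/etc/os-release`.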

If you have additional questions about this security issue, post them in our community forum, and we will be happy to help you.

Monday, March 5, 2018

Bitnami Jenkins - Oracle Jump Start Demo Lab

While Bitnami has always made it easy to launch cloud applications, Oracle has taken it one step further with their Jump Start Demo Lab program. Now not only do you get free access to ready-to-run Bitnami applications, but you also get free access to the Oracle cloud to test the application as well.

Bitnami has been collaborating with the Oracle Jump Start team on several popular applications and we’re announcing today the availability of our Jenkins Demo Lab.

Bitnami Jenkins

If your job involves developing or deploying software, you've probably already heard of Jenkins, a Continuous Integration (CI) server designed specifically for automating software builds and deployments. As a leading open source project, Jenkins is extremely versatile and comes with 1000+ plugins that allow easy integration with many different platforms, source code management systems and build systems. Jump Start allows you to try Jenkins on OCI in a self-paced guided demo environment for free.

Ready to get started?

If you are ready to automate your software testing and delivery process and would like to explore the functionality of Jenkins for free in one of the world’s leading clouds, then this is your chance.

Visit Oracle Jump Start page for detailed instructions to get you up and running right away.

How to Guides:

Want more? Curious about other Oracle Jump Start applications?

See the entire Bitnami application catalog available in the Oracle Cloud

Friday, March 2, 2018

Bitnami named Top 3 Vendor in Application Deployment and Management for DevOps by EMA

Authored by Tom McCafferty, VP of Marketing

The new Enterprise Management Associates report “Ten Priorities for Container Management and DevOps in 2018” was just released and Bitnami is proud to be chosen as a Top 3 vendor for Application Deployment and Management. The report analyzes survey data from 300 enterprise DevOps teams to break down industry trends and highlights key products to “recognize a vendor’s excellent alignment with customer challenges.”

Let’s be honest...who doesn’t like a little recognition? At Bitnami we’ve been innovating very rapidly over the past year and it’s nice to be recognized for the work that we are doing. This report highlights three of our key product initiatives that are expanding our product portfolio beyond our core application catalog business. As Bitnami continues to grow, we’re squarely focused on adding value to customers in two ways…

1. Simplifying the journey to the cloud by automating application migration (see Stacksmith)

2. Driving the next generation of application packaging standards and usage around containers and Kubernetes (see Kubeapps) and FaaS (see Kubeless).

While these represent an obvious extension to our company focus on application packaging and management, it’s great to see that they align so nicely with the 10 priorities that the EMA report identified for container management and DevOps in the enterprise…

Check out the complete report - Enterprise Management Associates “10 Priorities for Container Management and DevOps in Production and at Scale in 2018 (EMA Top 3)”

I’ve been a fan of Enterprise Management Associates and Torsten’s no-nonsense approach to the analyst game for a long time. Briefing him on the work we’re doing related to application packaging, cloud migration and Kubernetes was exactly as expected…conversational, technically deep and ultimately very enjoyable. Seeing that much of our product focus aligned with exactly the feedback he had been getting from the 300 enterprises surveyed for the recent Top 3 report was great validation from a resource I know I can trust and I expect that many enterprises can look to for guidance on 2018 strategies.