Wednesday, May 18, 2016

Security Release: Magento 2.0.6

The Magento project has released a new update that fixes several security vulnerabilities. A few of the notable fixes include:
  • APPSEC1420: Magento no longer permits an unauthenticated user to remotely execute code on the server through APIs.
  • APPSEC1421: The Magento installation code is no longer accessible once the installation process has completed.
  • APPSEC1422: Magento no longer allows authenticated customers to change other customers' account information using either SOAP or REST calls.

We highly recommend upgrading your existing Magento Community Edition 2.0 sites. For more information about the security issues fixed with this recently released update, please check out Magento's Security Center.

We have released Bitnami Magento 2.0.6 installers, virtual machines and cloud images that fix the security issues.

If you already have a running version of Bitnami Magento, you can upgrade the application by following the detailed steps on our wiki page:

https://wiki.bitnami.com/Applications/BitNami_Magento#How_to_upgrade_Magento.3f

Do you have additional questions about Bitnami Magento? Post to our community forum, and we will be happy to help you.

Wednesday, May 11, 2016

Security Release: Gitlab 8.7.4

The Gitlab project released a new update that contains security fixes, including one for an XSS vulnerability via faulty URI scheme sanitization, and we strongly recommend that all GitLab installations be upgraded to the new version immediately.

We released new versions of Bitnami Gitlab 8.7.4 installers, virtual machines and cloud images that fix the security issues.

Additional information regarding XSS vulnerability via faulty URI scheme sanitization:

The URI scheme of user-supplied links was not being properly sanitized. Please see the GitHub issue for more details. Additional information regarding the additional changes is available in the official security advisory.

Do you have questions about Bitnami Gitlab or the security issue? Please post to our community forum, and we will be happy to help you.

PHP Security Issue: libgd CVE-2016-3074

A PHP security issue that affects previous versions of PHP was recently announced. A signedness vulnerability (CVE-2016-3074) exists in libgd 2.1.1, which may result in a heap overflow when processing compressed gd2 data.

[Update: 2016/05/11]

We want to let you know that the Bitnami Team has updated all the native installers, virtual machines and cloud provider images of all the affected applications, and all of them are already available. We will continue working on updating the Bitnami Cloud Hosting base image.

If for any reason you are not able to update your application, follow the instructions below:

  • Deactivate the following PHP functions (imagecreatefromgd2, imagecreatefromgd2part, imagegd2) in the php.ini file.
disable_functions = imagecreatefromgd2, imagecreatefromgd2part, imagegd2

  • In Windows systems, the gd extension can be deactivated easily. Comment out this line in the php.ini file:
;extension=php_gd2.dll
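A quick way to confirm that the php.ini mitigation above actually took effect is to parse the effective disable_functions directive and report any of the three gd2 functions that are still enabled. The script below is an added example, not part of the Bitnami post; the php.ini fragment it checks is constructed for the demonstration, and the path in the usage comment is a placeholder for your own php.ini.

```shell
#!/bin/sh
# Added example (not from the Bitnami post): verify that the three gd2 functions the
# mitigation above names are really listed in disable_functions in a php.ini file.

GD2_FUNCTIONS="imagecreatefromgd2 imagecreatefromgd2part imagegd2"

# Constructed php.ini fragment (not taken from a real install): one of the three is missing.
SAMPLE_PHP_INI='; constructed sample
memory_limit = 128M
;disable_functions = exec
disable_functions = imagecreatefromgd2, imagegd2
extension=gd.so'

# Read php.ini text on stdin and print each name from the effective disable_functions
# directive, one per line. Comment lines (;) are ignored; when the directive appears
# more than once the last one wins, as PHP itself applies it.
disabled_functions() {
  awk '
    /^[ \t]*disable_functions[ \t]*=/ {
      sub(/^[^=]*=/, "")           # drop the key, keep the value
      val = $0
    }
    END {
      n = split(val, names, ",")
      for (i = 1; i <= n; i++) {
        gsub(/[ \t"]/, "", names[i])   # strip whitespace and quotes
        if (names[i] != "") print names[i]
      }
    }
  '
}

# Read php.ini text on stdin; print each gd2 function that is still enabled.
# Returns 0 when all three are disabled, 1 otherwise.
missing_gd2_disables() {
  disabled=$(disabled_functions)
  rc=0
  for fn in $GD2_FUNCTIONS; do
    printf '%s\n' "$disabled" | grep -qxF "$fn" || { echo "$fn"; rc=1; }
  done
  return $rc
}

# Stand-alone run against the constructed sample; on a real host use:
#   missing_gd2_disables < /path/to/php.ini
printf '%s\n' "$SAMPLE_PHP_INI" | missing_gd2_disables \
  && echo "all gd2 functions are disabled" \
  || echo "the functions listed above are still enabled"
```

Because the directive is PHP_INI_SYSTEM, only the php.ini actually loaded by the running PHP counts; check the file reported by `php --ini` rather than a copy elsewhere on disk.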

More information about the fixed version can be found on the GD Graphics GitHub page: https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19

Do you have questions about the security issue? Post to our community forum, and we will be happy to help you.

[Update: 2016/05/12]

The Bitnami Cloud Hosting base image was released today so all of the new servers launched using our platform will include the latest security update.

Tuesday, May 10, 2016

Security Release: WordPress 4.5.2

The WordPress project has just released a new version due to two security vulnerabilities:
  • WordPress versions 4.5.1 and earlier are affected by a SOME (same-origin method execution) vulnerability through Plupload, the third-party library WordPress uses for uploading files.
  • WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players.
The WordPress team strongly encourages their users to update their site to version 4.5.2. For more details please check the official announcement. Bitnami users who are already running a version of Bitnami WordPress will not be affected, as their application will be automatically updated. If you are using Bitnami WordPress, you can confirm that the update has been done by checking the version from your admin panel.

We have released Bitnami WordPress 4.5.2 (and Multisite version) installers, virtual machines and cloud images that fix these issues.

Do you have questions about Bitnami WordPress or the security issue? Post to our community forum, and we will be happy to help you.

WordPress Stack with PHP7

WordPress announced a few months ago that it is fully compatible with the latest major version of PHP, PHP 7. Nowadays most of the popular plugins are already compatible, and WordPress has also published a developer guide about how to update WordPress plugins to support PHP 7.

Here, at Bitnami, we baked a new WordPress stack based on PHP7 to help you run the latest, shiniest and fastest software. WordPress + PHP7 is faster than ever before.

But that's not all. If you still want to run WordPress on PHP 5.6, now you can. Use the Bitnami LAMP Stack and install the WordPress module on it, or use the WordPress Legacy Stack. The WordPress Legacy Stack ships the same, latest version of WordPress but with PHP 5.6.

Both new WordPress versions are available as installers, virtual machines, and cloud images on the Bitnami WordPress Stack page.

If you have questions about Bitnami WordPress or the advantages of using PHP7 over PHP5.6, please post to our community forum, and we will be happy to help you.

Monday, May 9, 2016

Zero to Clustered Application on Kubernetes with Bitnami

Kubernetes, a popular Docker container orchestration platform, promises to make deploying and managing containerized applications simple. This post walks through configuring and deploying a widely used web application, the Redmine issue tracking application, packaged as Docker containers.

This tutorial is aimed at developers and operators interested in learning about containerizing applications on Kubernetes and looking for solutions to common concerns including configurability, application state, and health monitoring.

Before you get started

You’ll need to set up a Kubernetes cluster. There are many deployment options for Kubernetes, as documented at http://kubernetes.io/docs/getting-started-guides/binary_release/. If you’re new to Kubernetes, we recommend starting with Google Container Engine (https://cloud.google.com/container-engine/).

You’ll need a copy of the helm package manager for Kubernetes for your platform. Helm can be downloaded directly from https://helm.sh. Version 0.5.0 or higher is required.

Deploying Redmine

1. Helm uses charts to describe how to deploy a particular application, together with its metadata. Collections of charts are organized into repositories, so our first step is to add the Bitnami chart repository to helm:

helm repo add bitnami http://github.com/bitnami/charts.git

2. Next, create a MariaDB database instance for Redmine to use:

helm install bitnami/mariadb

Once MariaDB has been deployed we can deploy the Redmine application

helm install bitnami/redmine

Redmine will take a minute or two to start; the READY column shows when the application has started:

kubectl get po

The Redmine pod will show a ready count of 1/1 in that output when Redmine has finished launching.

To access the running Redmine application we need to know the IP address of the Kubernetes load balancer:

kubectl describe service redmine

To access Redmine, type the “Load Balancer Ingress” address into your web browser.

The default username and password are "user" and "bitnami".
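The steps above rely on reading the READY column of `kubectl get po` by eye. As an added example (not code from the Bitnami post or the chart), the script below turns that check into a function that can gate the next step, so the Redmine install does not run before MariaDB is up and the load balancer lookup does not run before Redmine reports 1/1. The `kubectl get po` sample it parses is constructed, with invented pod name suffixes.

```shell
#!/bin/sh
# Added example (not from the Bitnami post): decide from `kubectl get po` output whether
# the Redmine (or MariaDB) pod has reached its full ready count, and wait for it.

# Constructed sample of `kubectl get po` output (pod name suffixes are invented);
# MariaDB is ready, Redmine is still starting.
SAMPLE_PODS='NAME                       READY     STATUS    RESTARTS   AGE
mariadb-xxxxx              1/1       Running   0          3m
redmine-yyyyy              0/1       Running   0          1m'

# Read `kubectl get po` output on stdin. Succeed (exit 0) only if at least one pod whose
# name starts with the given prefix exists and every such pod reports READY as n/n with n > 0.
pods_ready() {
  awk -v prefix="$1" '
    NR == 1 { next }                          # header line
    index($1, prefix) == 1 {
      found = 1
      split($2, rc, "/")
      if (rc[1] != rc[2] || rc[2] == 0) notready = 1
    }
    END { exit (found && !notready) ? 0 : 1 }
  '
}

# Poll the cluster until pods_ready succeeds or the timeout (seconds, default 300) expires.
wait_for_pods() {
  prefix=$1; remaining=${2:-300}
  while [ "$remaining" -gt 0 ]; do
    if kubectl get po | pods_ready "$prefix"; then
      echo "$prefix: ready"; return 0
    fi
    sleep 5; remaining=$((remaining - 5))
  done
  echo "$prefix: not ready after timeout" >&2; return 1
}

# Stand-alone check against the constructed sample (no cluster needed). In a real
# deployment, run `wait_for_pods mariadb` before `helm install bitnami/redmine` and
# `wait_for_pods redmine` before looking up the load balancer address.
for p in mariadb redmine; do
  if printf '%s\n' "$SAMPLE_PODS" | pods_ready "$p"; then
    echo "$p: ready"
  else
    echo "$p: still starting"
  fi
done
```

The function treats a pod that is absent as not ready, which is the safer default when a Helm install has failed silently and produced no pod at all.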

Digging Deeper - customizing your application deployment

One of the great features of Kubernetes and Helm is the ability to customize and configure each application deployment. Helm supports customizing applications by editing and regenerating them before installing. The Bitnami Redmine chart has been designed with this in mind and provides a range of customization options including:
  • Changing the default MariaDB password
  • Setting the Redmine admin user and password
  • Configuring Redmine to use SMTP (email)
  • Configuring the Redmine UI language
Note: When modifying the default values in values.toml, remember to run "helm generate redmine" before installing, and make sure the MariaDB database password matches the one configured for Redmine.

A full walkthrough including advanced configuration topics can be found here:

https://github.com/bitnami/charts/tree/master/_docs/redmine

Let us know in the comments which other applications you want to deploy on Kubernetes.

Tuesday, May 3, 2016

ImageMagick: Remote execution vulnerability (CVE-2016-3714)

Several security vulnerabilities have been recently discovered for certain ImageMagick coders. Specifically, the vulnerabilities include possible remote code execution and the ability to render files on the local system.

A number of image processing plugins depend on the ImageMagick library, including, but not limited to, PHP’s Imagick, Ruby’s RMagick and Paperclip, and nodejs’s imagemagick.

More information about the vulnerability can be found on the ImageMagick website. (Updated 05/05: the issue has been named ImageTragick.)

If you use ImageMagick or an affected library, we recommend you mitigate the known vulnerabilities by doing this:

1. Edit the policy.xml file of ImageMagick:
/opt/bitnami/common/lib/ImageMagick-6.7.5/config/policy.xml
2. Add the following policy rules (updated 05/05):
<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>

3. Verify your policies with the following command:
convert -list policy
Below is an example policy output:
Path: [built-in]
  Policy: Undefined
    rights: None 
Path: /opt/bitnami/common/lib/ImageMagick-6.7.5/config/policy.xml
  Policy: Coder
    rights: None 
    pattern: EPHEMERAL
  Policy: Coder
    rights: None 
    pattern: URL
  Policy: Coder
    rights: None 
    pattern: HTTPS
  Policy: Coder
    rights: None 
    pattern: MVG
  Policy: Coder
    rights: None 
    pattern: MSL
...
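Reading `convert -list policy` by eye is error-prone, and the listing above is truncated, so it does not show whether TEXT, SHOW, WIN and PLT were denied as well. As an added example (not from the Bitnami post), the script below parses that listing and reports every coder from the policy rules above that is not set to rights None. The sample listing embedded in it is constructed to mirror the truncated output shown above, so the four trailing coders are deliberately missing from it.

```shell
#!/bin/sh
# Added example (not from the Bitnami post): check that every ImageMagick coder the post
# blocks is actually denied, by parsing the output of `convert -list policy`.

# Coders the mitigation above sets to rights="none".
REQUIRED_CODERS="EPHEMERAL URL HTTPS MVG MSL TEXT SHOW WIN PLT"

# Constructed sample listing, modelled on the truncated output shown in the post
# (it stops after MSL, so TEXT/SHOW/WIN/PLT are deliberately missing).
SAMPLE_POLICY='Path: [built-in]
  Policy: Undefined
    rights: None
Path: /opt/bitnami/common/lib/ImageMagick-6.7.5/config/policy.xml
  Policy: Coder
    rights: None
    pattern: EPHEMERAL
  Policy: Coder
    rights: None
    pattern: URL
  Policy: Coder
    rights: None
    pattern: HTTPS
  Policy: Coder
    rights: None
    pattern: MVG
  Policy: Coder
    rights: None
    pattern: MSL'

# Read a policy listing on stdin; print the pattern of every coder policy whose rights are None.
denied_coders() {
  awk '
    /^[ \t]*Policy:/  { policy = $2; rights = "" }
    /^[ \t]*rights:/  { rights = $2 }
    /^[ \t]*pattern:/ { if (policy == "Coder" && rights == "None") print $2 }
  '
}

# Read a policy listing on stdin; print each required coder that is NOT denied.
# Returns 0 when all required coders are denied, 1 otherwise.
missing_coders() {
  denied=$(denied_coders)
  rc=0
  for coder in $REQUIRED_CODERS; do
    printf '%s\n' "$denied" | grep -qxF "$coder" || { echo "$coder"; rc=1; }
  done
  return $rc
}

# Stand-alone run against the constructed sample; on a real host use:
#   convert -list policy | missing_coders
printf '%s\n' "$SAMPLE_POLICY" | missing_coders \
  && echo "all required coders are denied" \
  || echo "the coders listed above are still enabled"
```

A coder that appears with any rights other than None (for example Read) is reported as missing, since a partially permitted coder is exactly the case the policy is meant to rule out.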

The Bitnami Team is working hard on updating the library to its latest version in order to fix this issue in our future releases. If you have questions about ImageMagick or the security vulnerability, please post to our community forum, and we will be happy to help you.

Security notification: OpenSSL 1.0.2h / 1.0.1t

A new security vulnerability was recently discovered in certain versions of OpenSSL. More information about the vulnerability is available on the OpenSSL website: https://www.openssl.org/news/secadv/20160503.txt

There are two high-severity issues that do not affect Bitnami installations:

1. Memory corruption in the ASN.1 encoder (CVE-2016-2108).

  • All of the currently released Bitnami stacks use an OpenSSL version greater than the affected versions: 1.0.2c or 1.0.1o.

2. Padding oracle in AES-NI CBC MAC check (CVE-2016-2107).

  • The OpenSSL we ship with the Bitnami installers, virtual machines and cloud images does not enable AES-NI encryption.

The Bitnami team will continue working on updating OpenSSL to 1.0.2h for all Bitnami apps, however, to be clear, the two security issues above do not affect our applications that are currently available.

Critical Security Release for GitLab (CVE-2016-4340)

The Gitlab project released a new update that contains a number of important security fixes, including one for a critical privilege escalation, and we strongly recommend that all GitLab installations be upgraded to the new version immediately.

We released new versions of Bitnami Gitlab 8.7.1 installers, virtual machines and cloud images that fix the security issues.

Critical Security Issue: Privilege escalation via "impersonate" feature

Added in GitLab 8.2, this feature was intended to allow an administrator to simulate being logged in as any other user.

Part of this feature was not properly secured and it was possible for any authenticated user, administrator or not, to "log in" as any other user, including administrators. Please see the GitLab website for more details. Additional information regarding the additional changes is available in the official security advisory.

Workarounds

If you are unable to upgrade right away, you can secure your GitLab installation against this vulnerability using one of the workarounds outlined below until you have time to upgrade:

Securing via web server configuration

1. Add the following text at the end of the httpd-app.conf file of Gitlab:
<LocationMatch "^/admin/users/stop_impersonation">
  Order Deny,Allow
  Deny from all
</LocationMatch>
2. Restart Apache:
sudo /opt/bitnami/ctlscript.sh restart apache

Securing via patch

1. Create a patch file in /opt/bitnami/apps/gitlab/htdocs with the following contents:
diff --git a/app/controllers/admin/impersonation_controller.rb b/app/controllers/admin/impersonation_controller.rb
index bf98af7..8790018 100644
--- a/app/controllers/admin/impersonation_controller.rb
+++ b/app/controllers/admin/impersonation_controller.rb
@@ -1,4 +1,5 @@
 class Admin::ImpersonationController < Admin::ApplicationController
+  before_action :render_403, only: :destroy
   skip_before_action :authenticate_admin!, only: :destroy

   before_action :user
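Review bot: The added `before_action :render_403, only: :destroy` halts the filter chain for every caller of the destroy action, so after this patch administrators can no longer stop an impersonation session either (step 7 of the verification below expects the 403 while logged in as an administrator); the post should state plainly that the feature is disabled outright until the upgrade, and that an administrator who is mid-impersonation will have to log out instead. Nothing in the hunk defines `render_403`, so the workaround relies on that helper being provided by the parent controller; if it is not, the action will fail with an error rather than the intended 403, which is why the verification steps are worth running rather than trusting "Applied patch cleanly".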

2. Apply the patch:
sudo git apply -v path.diff
The following output will appear:
Checking patch app/controllers/admin/impersonation_controller.rb...
Applied patch app/controllers/admin/impersonation_controller.rb cleanly.

Recover the permissions of the modified file:
sudo chown git:git /opt/bitnami/apps/gitlab/htdocs/app/controllers/admin/impersonation_controller.rb

Verifying the workaround

  1. In an Incognito Window, log in as an administrator
  2. Go to the Admin section
  3. Click on "Users"
  4. Select any user
  5. Click "Impersonate"
  6. Click on the "Stop Impersonation" icon in the upper right
  7. Verify you receive a 403 Forbidden error
Do you have questions about Bitnami Gitlab or the security issue? Please post to our community forum, and we will be happy to help you.