Tuesday, November 29, 2016

Bitnami Releases Two Amazon RDS Offerings!

Bitnami, one of the leading providers of open source software in the AWS Marketplace, is excited to announce two new offerings using Amazon Relational Database Service (RDS), Wordpress Multi-Tier with Amazon RDS for MariaDB and Redmine Multi-Tier with Amazon RDS for MariaDB. Wordpress, a popular Content Management System (CMS) and Redmine, a flexible and richly configurable project management platform, are excellent additions to any business’ needs in the cloud. 

Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while managing time-consuming database administration tasks, freeing you up to focus on your applications and business.  With Amazon RDS, you can deploy a scalable MariaDB database, a popular open source relational database created by the original developers of MySQL.



Tighter integration with Amazon’s managed database offering in the cloud allows customers to take advantage of that same value with the expertise of Amazon Web Services managing the infrastructure for critical data in the cloud. These two new offerings use Amazon CloudFormation Templates created by Bitnami to orchestrate the application’s resources for the deployment. Users will be able to configure architecture suited to their needs and launch an environment into their AWS Account. All of the data required to get up and running will be pre-populated and ready for use upon deployment. 

Bitnami’s applications are trusted for their ability to provide the most up-to-date and patched versions of popular open source applications, consistently and expediently after release.  Using Bitnami’s Cloud Formation Templates allows customers to receive all of these Bitnami benefits while also being able to have an environment that incorporates the scalability and ease of use of Cloud Formation Templates.

Bitnami is excited to deepen our partnership with Amazon Web Services and our customers through the AWS Marketplace. We look forward to continuing to provide more value for our users and receiving your feedback on these applications. Please reach out to us directly if you have any requests or would like to see your applications available with Amazon RDS. You can reach out to us at enterprise@bitnami.com.

Monday, November 21, 2016

MySQL / MariaDB: Privilege Escalation / Race Condition / Root Privilege Escalation (CVE-2016-6663 and CVE-2016-6664)

Several new security vulnerabilities that affect some versions of MySQL and MariaDB were announced recently:

We want to let you know that all the published Bitnami Stacks that include MySQL or MariaDB as the database server are not affected, since they are using non-affected versions of the component.

CVE-2016-6663

The vulnerability can allow a local system user with access to the affected database in the context of a low-privileged account (CREATE/INSERT/SELECT grants) to escalate their privileges and execute arbitrary code as the database system user.

Successful exploitation would allow an attacker to gain access to all of the databases stored on the affected database server.

Affected versions:

MariaDB 
< 5.5.52
< 10.1.18
        < 10.0.28

MySQL  
<= 5.5.51
<= 5.6.32
<= 5.7.14

More information about this issue can be found at the following link: https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html

CVE-2016-6664

MySQL-based databases including MySQL, MariaDB and Percona are affected by a privilege escalation vulnerability which can let attackers who have gained access to mysql system user to further escalate their privileges to root user allowing them to fully compromise the system.
The vulnerability stems from unsafe file handling of error logs and other files.

Affected versions:

MySQL  
<= 5.5.51
<= 5.6.32
<= 5.7.14

MariaDB
All current

More information about this issue can be found at the following link: https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html

Are you using an affected version of the server or do you have questions about the security issue? Please post to our community forum and we will be happy to help you.

Friday, November 18, 2016

Security Release: Drupal 7 and 8

The Drupal project released a new update that fixes several security vulnerabilities. We strongly recommend upgrading your existing Drupal 7 and 8 sites.

Information regarding the additional changes is available in the official security advisory. In response to the new Drupal version, we have released the following: Bitnami Drupal 7 and 8 installers, virtual machines, and cloud images.

Two notable issues include:

1. Confirmation forms allow external URLs to be injected (Moderately critical - Drupal 7)
Under certain circumstances, malicious users could construct a URL to a confirmation form that would trick users into being redirected to a 3rd party website after interacting with the form, thereby exposing the users to potential social engineering attacks.


2. Denial of service via transliterate mechanism (Moderately critical - Drupal 8)
A specially crafted URL can cause a denial of service via the transliterate mechanism.

Our new releases fix the known security issues. There are no new features or non-security related bug fixes in these releases.

If you have questions about Bitnami Drupal or these security issues, please post to our community forum and we will be happy to help you.

Security Release: Jenkins 2.19.3 (CVE-2016-9299)



T
he Jenkins project hast just released a new update that fixes a zero-day vulnerability that allow unauthenticated remote code execution. It is considered critical as it allows to execute code to unprivileged users.


We released new versions of Bitnami Jenkins 2.19.3 installersvirtual machines and cloud images that fix the security issue.

More information about the issue can be found in the official blog post.

Do you already have a Jenkins installation? You can follow our guide about how to upgrade your application and you won't have to worry about these vulnerabilities.

If you have further questions about Bitnami Jenkins or this security issue, please post to our community forum, and we will be happy to help.

Thursday, November 3, 2016

Critical Security Release for GitLab (CVE-2016-9086)

The Gitlab project released a new update that contains an important security fix for a critical directory traversal vulnerability, and we strongly recommend that all GitLab installations be upgraded to the new version immediately.

We released new versions of Bitnami Gitlab 8.13.3 installers, virtual machines and cloud images that fix the security issue.

Directory traversal via "import/export" feature: CVE-2016-9086


Added in GitLab 8.9, the "import/export project" feature of GitLab allows a user to export and then re-import their projects as tape archive files (tar). All GitLab versions prior to 8.13.0 restricted this feature to administrators only. Starting with version 8.13.0 this feature was made available to all users.

More information about the issue can be found in the official blog post.

Workarounds


If you're unable to upgrade right away, you can secure your GitLab installation against this vulnerability using the workaround outlined below until you have time to upgrade.

Disable Project Import/Export via Tape Archive

Login using an administrator account to your GitLab installation and perform the following:

- Choose "Admin Area"
- Click "Settings"



- Under "Import Sources" disable the "GitLab export" option


- Click Save

Verifying the workaround

- In a Browser Window, login as any user
- Click "Projects"
- Click "New Project"
- Enter a project name
- Verify that "GitLab export" does not appear as an import option

Do you have questions about Bitnami Gitlab or the security issue? Please post to our community forum, and we will be happy to help you.