Friday, April 28, 2017

Security Release: Jenkins 2.57/2.46.2

The Jenkins project has released a new version that fixes multiple Cross-Site Request Forgery vulnerabilities, along with an unauthenticated remote code execution vulnerability and an impersonation issue.

It is strongly suggested that you update your Jenkins installations to the latest version. You can follow our documentation to learn how to upgrade your application. If you are using the Bitnami Jenkins Docker container image, please follow the documentation in our GitHub repository.

You can find more information about the Jenkins security issues in the Jenkins Security Advisory.

Bitnami has released Jenkins 2.57 containers, and Jenkins 2.46.2 installers, virtual machines and cloud images that address these vulnerabilities.

https://bitnami.com/stack/jenkins

The Bitnami Jenkins offered on Bitnami.com and on our cloud-specific launchpads has been updated to version 2.46.2. New launches of Bitnami Jenkins via our launchpad are secure and do not need to be further updated.

Users launching Bitnami Jenkins via a cloud marketplace are advised to select version 2.46.2 of Bitnami Jenkins, once it is published. Installations based on previous versions will need to be upgraded as described above.

If you have further questions about Bitnami Jenkins or this security issue, please post to our community forum, and we will be happy to help you.

Thursday, April 20, 2017

Drupal Security Issue SA-CORE-2017-002

Drupal’s core security team has discovered a new critical security vulnerability in the RESTful Web Services (rest) module, SA-CORE-2017-002.

This module is not enabled by default in the Bitnami Drupal application. If you do not use the RESTful Web Services module, you do not need to take any action.

If you have the RESTful Web Services module enabled, your Drupal application is affected if all of the following conditions are met:
  • The version of the application is prior to 8.3.1 (Drupal 7.x is not affected).
  • The site allows PATCH requests.
  • An attacker can get or register a user account on the site.

If your Drupal installation meets those requirements, it is recommended to update your Drupal application to the latest version, Drupal 8.3.1. You can follow our documentation to learn how to upgrade your application and ensure its security.

For new application deployments, Bitnami has released Drupal 8.3.1 containers, installers, virtual machines and cloud images that address this vulnerability. If you deploy Bitnami Drupal via a Bitnami Launchpad, your application will be up-to-date and secure. If you deploy Bitnami Drupal via one of our cloud partner marketplaces and it is not yet updated to version 8.3.1, you will need to upgrade your application using the documentation linked above.

If you have further questions about Bitnami Drupal or this security issue, please post to our community forums, and we will be happy to help you.

Tuesday, April 18, 2017

Drupal Security Issue SA-CONTRIB-2017-38

A new critical security vulnerability in the References module has been discovered by Drupal's core security team as SA-CONTRIB-2017-38. Although this module is no longer maintained, it is currently used within over 120,000 installations.

If you use the References module, it is advised to uninstall it. In order to maintain equivalent functionality, it is recommended to try the Entity Reference module. If you do not use the References module, you do not need to take any action.

The References module is only supported by Drupal 7.x versions. The Bitnami Drupal stack does not include the References module by default. Therefore, it is not affected by this issue.

If you have further questions about Bitnami Drupal or this security issue, please post to our community forum, and we will be happy to help you.

Wednesday, March 22, 2017

Moodle Security Issue CVE-2017-2641

[UPDATE 2017-03-23]

For new application deployments, Bitnami has released Moodle 3.2.2 installers, containers, virtual machines and cloud images that address these vulnerabilities. If you deploy Bitnami Moodle via a Bitnami Launchpad, your application will be up-to-date and secure. If you deploy Bitnami Moodle via one of our cloud partner marketplaces and it is not yet updated to version 3.2.2, you should apply the workaround explained below.

----

The Moodle project has just released new versions that contain an important security fix for a SQL injection vulnerability via user preferences that can lead to remote code execution (CVE-2017-2641).

Moodle has released versions 3.2.2, 3.1.5, 3.0.9 and 2.7.19 that fix the issue. We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami. Our team is working to update all of the affected Moodle packages available through Bitnami as quickly as possible.

Workaround

In the meantime, we strongly encourage all Moodle administrators to apply the security patch published by the Moodle maintainers. To do so, log in to the server hosting your Moodle installation and run the following commands (the patch is downloaded to /tmp/security.patch and applied from the Moodle document root):

$ curl -L -o /tmp/security.patch 'https://git.moodle.org/gw?p=moodle.git;a=patch;h=6e65554ea19f4e90c09864081e47424f8efca02e'
$ cd /opt/bitnami/apps/moodle/htdocs
$ sudo patch -p1 < /tmp/security.patch
$ rm /tmp/security.patch

If you have further questions about Bitnami Moodle or this security issue, please post to our community forum, and we will be happy to help you.

Thursday, March 16, 2017

Security Release: Drupal 8.2.7

Drupal has released a new version that fixes three security vulnerabilities.

It is recommended that you update your Drupal application to the latest version, Drupal 8.2.7. You can follow our documentation to learn how to upgrade your application and ensure its security.

The vulnerabilities fixed in the latest version of Drupal are the following:

  • Editor module incorrectly checks access to inline private files - Access Bypass - Critical - CVE-2017-6377
  • Some admin paths were not protected with a CSRF token - Cross Site Request Forgery - Moderately Critical - CVE-2017-6379
  • Remote code execution - Moderately Critical - CVE-2017-6381

For new application deployments, Bitnami has released Drupal 8.2.7 containers, installers, virtual machines and cloud images that address these vulnerabilities. If you deploy Bitnami Drupal via a Bitnami Launchpad, your application will be up-to-date and secure. If you deploy Bitnami Drupal via one of our cloud partner marketplaces and it is not yet updated to version 8.2.7, you will need to upgrade your application using the documentation linked above.

If you have further questions about Bitnami Drupal or this security issue, please post to our community forum, and we will be happy to help you.

Tuesday, March 7, 2017

Security release: WordPress 4.7.3

WordPress has released a new version that fixes six security vulnerabilities.

It is recommended that you update your WordPress application to the latest version, WordPress 4.7.3. You can follow our documentation to learn how to upgrade your application and ensure its security.

For new application deployments, Bitnami has released WordPress 4.7.3 containers, installers, virtual machines and cloud images that address these vulnerabilities. If you deploy Bitnami WordPress via a Bitnami Launchpad, your application will be up-to-date and secure. If you deploy Bitnami WordPress via one of our cloud partner marketplaces and it is not yet updated to version 4.7.3, you will need to upgrade your application using the documentation linked above.

If you have further questions about Bitnami WordPress or this security issue, please post to our community forum, and we will be happy to help you.

Bitnami Announces Skippbox Acquisition

Those of you who follow Bitnami closely may have noticed that Bitnami has been ramping up our development of container-based applications, and, more recently, our efforts to make Kubernetes-based application deployment easier via Helm Charts and the Monocular project.

Thus, it’s probably not a big surprise that we are enthusiastic about the future of containers, and when it comes to orchestration, very excited about the momentum that has built around Kubernetes as the leading solution for running containers in production.

Therefore, we’re happy to announce the acquisition of Skippbox, Ltd.

With the Skippbox acquisition, we’re vastly upgrading our container and Kubernetes expertise. While much is still in the “stay tuned” category, some immediate announcements include:

  • We’re now offering Kubernetes training, the first session of which will be at KubeCon EU, in Berlin. For additional information on future training offerings, please check out our new training page.
  • Our new Senior Director of Cloud Technologies, Sebastien Goasguen, will be speaking on “Scheduling Containers with Kubernetes” at the upcoming O’Reilly Velocity Conference, June 21, 2017.
  • Bitnami has joined the Cloud Native Computing Foundation (CNCF), which is a perfect fit for our increased investments in containers and Kubernetes.

If you have any questions, we would love to hear from you. In the meantime, stay tuned for more container and Kubernetes developments in the very near future.

Monday, February 27, 2017

Security notification: XSS and sandbox escape vulnerability in Plone

The Plone project has released a new patch that fixes an XSS and a sandbox escape vulnerability in the application.

You can find more info about these issues on the Plone Security Announcements page.

All supported Plone versions (4.3.11 and any earlier 4.x version, 5.0.6 and any earlier 5.x version) are affected. Previous versions could be affected but have not been fully tested. We highly recommend patching your existing Plone sites by following the steps below:

1. Create a backup of your current installation of the application

https://docs.bitnami.com/?page=apps&name=plone&section=how-to-create-a-full-backup-of-plone

2. Download the available patch at the security page

https://plone.org/security/hotfix/20170117

3. Unpack the zip file at /opt/bitnami/apps/plone/zeocluster/products

4. Modify the permissions of the files

    sudo chown -R plone:plone /opt/bitnami/apps/plone/zeocluster/products

5. Restart the Plone service

    sudo /opt/bitnami/ctlscript.sh restart plone

6. Check that the application has been restarted properly. You should see lines like these in the /opt/bitnami/apps/plone/zeocluster/var/client1/event.log file:

2017-02-27T11:04:58 INFO Products.PloneHotfix20170117 Applied zmi patch
2017-02-27T11:04:58 INFO Products.PloneHotfix20170117 Applied strformat patch
2017-02-27T11:04:58 INFO Products.PloneHotfix20170117 Hotfix installed

Do you have additional questions about Bitnami Plone or the security vulnerability? Please post to our community forum and we will be happy to help you.

Chat Securely with Mattermost Team Edition, Now in Bitnami!

We are excited to announce our newest ISV partnership with Mattermost, the open source Slack-alternative you can run in your own cloud account!

Modern chat tools have taken the world by storm with a variety of features like search, archiving, and extensibility that make them extremely useful to almost any type of organization. However, when chat is only available as a service it can run afoul of IT security policies that require full control over sensitive files and data. With a seemingly endless procession of data breaches, it is no surprise that many companies and organizations are unable to use chat tools that only run on servers they cannot control or audit.

That's why Mattermost Team Edition presents such a great opportunity: it comes loaded with all the features that make contemporary chat tools great while giving the organization complete ownership of all its conversations, shared files, images, and other data generated in the course of routine chat operations. Mattermost integrates with the other tools that teams depend on such as a version control system, CRM, help desk, continuous integration/delivery, bug tracker, and countless other technologies that can generate a tremendous amount of sensitive, business-critical data. It also has the features that endear modern chat tools to users, such as slash commands for GIFs (and other useful functions) and customized emojis.

Bitnami Mattermost Team Edition can be launched in your organization's cloud account on all the most popular platforms like Amazon Web Services, Microsoft Azure, Google Cloud Platform, and Oracle Cloud Platform through the Bitnami Launchpads or third party marketplaces. Government entities will be delighted to know that they can launch Mattermost Team Edition in Azure's Government Cloud in just a few clicks through the Gov Cloud Marketplace. There is also a Mattermost Virtual Machine that can be used in the enterprise datacenter, with or without a connection to the internet.

Powerful Features Include:
  • One-to-one and group messaging, file sharing, and unlimited search history
  • Advanced communication features including markdown support, threaded messaging, custom emoji, and emoji reactions
  • Ability to connect to mobile apps in iTunes and Google Play, or to compile your own mobile apps from provided source code
  • Ability to connect to desktop apps for Windows, Mac, and Linux 
  • Highly customizable third party bots, integrations and command line tools 
  • Languages include English, Chinese (Simplified & Traditional), Dutch, French, German, Japanese, Korean, Portuguese, Russian, Spanish
  • Easily scales from dozens to hundreds of users
  • Supports upgrade to Mattermost Enterprise Edition with advanced security, configuration and scalability benefits. Learn more at https://mattermost.com

Mattermost Team Edition is now available in Bitnami to launch in just a few clicks in all your favorite cloud platforms, as a virtual machine, and as a native installer for Linux. Interested in a quick test drive? Try our one-hour cloud demo and get familiar with the intuitive interface, absolutely free!

Visit our docs to learn how to manage and configure your installation. Still have questions? Head to the Mattermost Team Edition product page or Mattermost Help page for more information.

Wednesday, February 22, 2017

Security notification: DCCP double-free kernel vulnerability (CVE-2017-6074)

[UPDATE 2017-02-28]

Updated blog post with the steps to update CentOS and Oracle Linux kernels

----

[UPDATE 2017-02-23]

Updated blog post with the steps to update Debian and RedHat kernels

----

A new security vulnerability in the Linux kernel has been discovered. You can find more information about this vulnerability in the following research report: "DCCP double-free vulnerability".

Although the affected Linux kernel code was implemented before 2006, this vulnerability is not remotely exploitable. Therefore, you can continue using any of the Bitnami Cloud Images or Virtual Machines without being affected. Our containers offering is also not affected by this security vulnerability.

At the time of this post, a new patched kernel has only been released for Ubuntu. We will update this blog post as kernel patches for other distributions become available. You can update your kernel by running the command for your distribution:

Ubuntu

sudo apt-get update && sudo apt-get dist-upgrade

You will have the fixed version of the kernel after rebooting your server. You should see output similar to this when running `uname -a`:

Linux ip-172-31-32-244 3.13.0-110-generic #157-Ubuntu SMP Mon Feb 20 11:54:05 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Debian

sudo apt-get update && sudo apt-get dist-upgrade

You will have the fixed version of the kernel after rebooting your server. You should see output similar to this when running `uname -a`:

Linux bitnami-wordpress-dm-1d22 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u1 (2017-02-22) x86_64 GNU/Linux

RedHat

sudo yum update

You will have the fixed version of the kernel after rebooting your server. You should see output similar to this when running `uname -a`:

Linux ip-10-99-173-165.ec2.internal 3.10.0-514.6.2.el7.x86_64 #1 SMP Fri Feb 17 19:21:31 EST 2017 x86_64 x86_64 x86_64 GNU/Linux

CentOS

sudo yum update

You will have the fixed version of the kernel after rebooting your server. You should see output similar to this when running `uname -a`:

Linux localhost.localdomain 3.10.0-514.6.2.el7.x86_64 #1 SMP Thu Feb 23 03:04:39 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Oracle Linux

sudo yum update

You will have the fixed version of the kernel after rebooting your server. You should see output similar to this when running `uname -a`:

Linux bitnami-wordpress-0 4.1.12-61.1.28.el6uek.x86_64 #2 SMP Thu Feb 23 20:03:53 PST 2017 x86_64 x86_64 x86_64 GNU/Linux

If you have any questions about this process, please post to our community support forum and we will be happy to help!

Wednesday, February 8, 2017

Security Release: Parse Server 2.3.1-1

Bitnami has released Parse Server version 2.3.1-1 for containers, installers and virtual machines to implement authentication when connecting to the Parse dashboard. If you deploy a new Bitnami Parse Server via a Bitnami Launchpad, your application will be up-to-date and secure. When deploying via a partner cloud marketplace, please ensure version 2.3.1-1 is selected.

If you are still using Bitnami Parse Server version 2.3.1-0 or earlier, you must take steps to secure your installation. This is important because unauthenticated users could connect to and extract data from your server. Possible ways to secure your installation include:

    1. Preventing connections from the public Internet to port 80 on the Parse Server.
    2. Configuring authentication as described in our documentation.

Do you have questions about Bitnami or this security release? Please post to our community forum and we will be happy to help you.

Thursday, February 2, 2017

Security Release: Jenkins 2.44/2.32.2

[UPDATE 2017-02-03]

For new application deployments, Bitnami has released Jenkins 2.44 containers, and Jenkins 2.32.2 installers, virtual machines and cloud images that address these vulnerabilities. If you deploy Bitnami Jenkins via a Bitnami Launchpad, your application will be up-to-date and secure. If you deploy Bitnami Jenkins via one of our cloud partner marketplaces and it is not yet updated to version 2.32.2, you will need to upgrade your application using the documentation linked below.

----

The Jenkins project has just released a new version that fixes multiple security issues, including a fix for an XStream remote code execution vulnerability.

It is strongly suggested that you update your Jenkins application to the latest version. You can follow our documentation to learn how to upgrade your application. If you are using the Bitnami Jenkins container, please follow the documentation in our GitHub repository.

You can find more information about the Jenkins security issues in the Jenkins Security Advisory.

We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami. Our team is working to update all of the affected Jenkins packages available through Bitnami as quickly as possible.

If you have further questions about Bitnami Jenkins or this security issue, please post to our community forum, and we will be happy to help you.

Friday, January 27, 2017

Security Release: WordPress 4.7.2

WordPress has released a new version that fixes three security vulnerabilities.

It is strongly recommended that you update your WordPress application to the latest version, WordPress 4.7.2. You can follow our documentation to learn how to upgrade your application and ensure its security.

For new application deployments, Bitnami has released WordPress 4.7.2 containers, installers and virtual machines that address these vulnerabilities. If you deploy Bitnami WordPress via a Bitnami Launchpad, your application will be up-to-date and secure. If you deploy Bitnami WordPress via one of our cloud partner marketplaces and it is not yet updated to version 4.7.2, you will need to upgrade your application using the documentation linked above.

If you have further questions about Bitnami WordPress or this security issue, please post to our community forum, and we will be happy to help you.

Friday, January 13, 2017

Elasticsearch Installation Security Incident

As of today, attackers have been reportedly scanning for and vandalizing unsecured Elasticsearch installations over the Internet. (See: http://www.pcworld.com/article/3157417/security/after-mongodb-ransomware-groups-hit-exposed-elasticsearch-clusters.html)

Bitnami's security team has reviewed our image library. As a result, we have confirmed that Bitnami virtual machines and single-VM cloud images are not vulnerable to this attack because they do not expose Elasticsearch publicly by default; Elasticsearch is proxied through Apache with authentication.

One Bitnami listing, "Elasticsearch Cluster" on Microsoft Azure, was found to be vulnerable. This listing was removed earlier this week and we are notifying the small number of users who may have installations based on the affected template.

Since the scale of the attack appears to be growing, we recommend that all users of Bitnami Elasticsearch on all cloud platforms check that their installations are secure. Deployments that were secure at launch may have been accidentally opened to the Internet by changing the default configuration. 

We recommend that you immediately ensure that your Elasticsearch is not exposed to the public internet, either by:

a) confirming that inbound firewall rules block traffic to ports 9200-9300 from the Internet,

or

b) moving any Elasticsearch deployments to private networks.

How to restrict access to port 9200 on Microsoft Azure:
1. Login to Microsoft Azure Portal.
2. Using the left hand navigation bar, go to “Resource groups”.
3. Select the resource group your Elasticsearch Cluster application is located in.
4. Select the "Network Security Group" to edit the properties.
5. Select the "Inbound security rules" to close the port 9200 by changing the Action from “Allow” to “Deny”.
6. Click the blue “Save” button at the top of the window.
Additional practices for securing Elasticsearch can be found here: http://code972.com/blog/2017/01/107-dont-be-ransacked-securing-your-elasticsearch-cluster-properly

If you have been affected by this attack or need additional help updating your Bitnami Elasticsearch, please contact us directly through our Helpdesk (https://bitnami.zendesk.com/hc/en-us) and we will do our best to assist you.

CodeIgniter Security Issue CVE-2016-10131

[ UPDATE 2017-01-17 ]

The Bitnami Team is happy to announce that the Bitnami Cloud Hosting images have been properly updated and they use the latest version of CodeIgniter.

----

The CodeIgniter project released a new update that contains an important security fix for a cross-site scripting vulnerability. We strongly recommend that all CodeIgniter developers using Bitnami LAMP installations or CodeIgniter Development container should upgrade to the latest version immediately.

We released new versions of Bitnami LAMP, MAMP, WAMP, LAPP, MAPP and WAPP (PHP5 and PHP7) installers, virtual machines and cloud images that fix this security issue. We also released a new version of our Bitnami CodeIgniter development container. Further details regarding the security issue are explained below:

"System/libraries/Email.php in CodeIgniter before 3.1.3 allows remote attackers to execute arbitrary code by leveraging control over the email->from field to insert sendmail command-line arguments."

More info: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10131

Workaround

If you're unable to upgrade right away, you can secure your installation against this vulnerability by manually updating CodeIgniter. In order to do so, please follow the instructions below:

https://codeigniter.com/userguide3/installation/upgrading.html

Do you have questions about Bitnami or the security issue? Please post to our community forum and we will be happy to help you.

Tuesday, January 10, 2017

PWNScriptum Security Issue

[ UPDATE 2017-01-16 ]

The Magento team has published a new blog post about this security issue. They recommend turning off the "Set Return-Path" setting (switch it to "No") under "Stores -> Configuration -> Advanced -> System -> Mail Sending Settings -> Set Return-Path".

We also want to inform you that standard Bitnami Magento deployments are not affected, as that field is set to "No" by default.

https://magento.com/security/news/new-zend-framework-1-security-vulnerability

----

During the past couple of weeks, vulnerabilities were discovered in the most widely used PHP Mailing Libraries: PHPMailer (CVE-2016-10033 and CVE-2016-10045), Swiftmailer (CVE-2016-10074) and ZendMail (CVE-2016-10034). There are several stacks in the Bitnami library that could be potentially affected. Because this issue is related to the implementation of the applications themselves, it must be addressed by their original developers.

From the moment this issue was reported, our security team started a very thorough review of all our PHP applications (including contacting developers directly in several cases.) We will release fixed versions of all affected apps as soon as they are available.

Note that in several cases, the application was developed in a way that made it impossible for the vulnerability to be exploited. Examples include:

  • WordPress: “Presently, WordPress Core (and as a result, anything utilising wp_mail()) are unaffected by the recent disclosures, the vulnerabilities require the usage of a PHPMailer feature which WordPress & wp_mail() does not use. This applies to WordPress 4.7, 4.6.x, and all previous secure versions.” [more info]
  • Drupal: “The SMTP module has a modified third party PHPMailer library in its codebase. The modified version of the library is not affected.” [more info]
  • Joomla: “After analysis [..] there are additional validations in place which make executing this vulnerability impractical within the Joomla environment.” [more info]
  • Moodle: “So my current conclusion is that Moodle sites are not affected by the Sender vulnerability discovered in phpmailer < 5.2.18.” [more info]
  • Phabricator: “No immediate action is necessary because we don't expose any way to get at these vulnerabilities.” [more info] 

Affected Bitnami PHP applications with recently released fixes: Akeneo, Dreamfactory, Mahara, Mantis, Mautic, ModX, Owncloud, OroCRM, TinyTinyRSS, PHPList. Please make sure you update your stacks by following the documentation in docs.bitnami.com.

Unaffected Bitnami PHP applications: SEO Panel, CMS Made Simple, Piwik, Magento, Prestashop, EspoCRM, Pimcore, Shopware and Oxid.

Please stay tuned if you are using a Bitnami PHP application, as we will continue releasing apps as soon as a fix is available.
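The CodeIgniter issue (CVE-2016-10131) and the PWNScriptum mailer issues above share one root cause: the application's From value ends up after sendmail's -f option in a shell command string, so a value containing whitespace can smuggle extra sendmail arguments. The following Python example is added here to illustrate the defence the library fixes converge on; it is not code from CodeIgniter, PHPMailer, SwiftMailer or ZendMail. The sendmail path, the deliberately strict address grammar and the "--not-a-real-option" placeholder token are assumptions.

```python
import re
import shlex
import subprocess
from typing import List

# Assumption: a sendmail-compatible binary at this path (Postfix, Exim and
# sendmail all ship one). -t takes recipients from the headers, -i stops a
# lone "." from ending the message, -f sets the envelope sender.
SENDMAIL = "/usr/sbin/sendmail"

# Deliberately stricter than RFC 5321 (assumption: acceptable for the
# application's own senders): no quoted local parts, no whitespace, no shell
# metacharacters, and no leading "-" so the value can never look like an option.
_ADDR_RE = re.compile(
    r"^[A-Za-z0-9_+.][A-Za-z0-9_+.\-]*"                    # local part
    r"@[A-Za-z0-9](?:[A-Za-z0-9\-]*[A-Za-z0-9])?"           # first domain label
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9\-]*[A-Za-z0-9])?)+$"    # one or more more labels
)


class InvalidSender(ValueError):
    """The From/Sender value failed validation and must not reach sendmail."""


def validate_sender(addr: str) -> str:
    """Return addr unchanged if it is a plain, option-safe mailbox; else raise."""
    if not isinstance(addr, str) or len(addr) > 254 or not _ADDR_RE.fullmatch(addr):
        raise InvalidSender("sender address rejected: %r" % (addr,))
    return addr


def sendmail_argv(sender: str) -> List[str]:
    """Hardened form: an argv list, no shell. The sender is a single element
    after -f, so even if validation were loosened, whitespace inside it could
    never be split into further sendmail options."""
    return [SENDMAIL, "-t", "-i", "-f", validate_sender(sender)]


def vulnerable_argv(sender: str) -> List[str]:
    """Pre-fix pattern of the affected libraries: the address interpolated into
    a shell command STRING. Returned split the way /bin/sh would split it, to
    show how a value with whitespace becomes extra arguments. Never executed."""
    return shlex.split("%s -t -i -f %s" % (SENDMAIL, sender))


def send(message: bytes, sender: str) -> int:
    """Pipe a complete RFC 5322 message to sendmail; returns its exit status."""
    proc = subprocess.run(sendmail_argv(sender), input=message, check=False)
    return proc.returncode
```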

Bitnami Applications for Oracle Bare Metal Cloud Services

At Oracle World in 2015, Bitnami and Oracle jointly announced the availability of the Bitnami catalog of more than 150 applications for Oracle Cloud Platform.

Fast forward a little more than a year later, and Bitnami is proud to be collaborating with the Oracle Bare Metal Cloud Services (BMCS) team to extend selected Bitnami offerings to BMCS, as well.

We've worked with the Oracle BMCS team to select the first 21 applications, including Java-related infrastructure such as JBoss, Liferay, Node.JS, and Tomcat; databases such as MongoDB and MySQL, as well as popular line of business applications like WordPress, Magento, and Moodle.

Bitnami-packaged applications are tested and approved to run on Oracle Cloud, secure, and kept up to date.

To see the complete list:

1. Go to the Oracle Cloud Marketplace

2. Type "bitnami bare metal" into the search box

You're now ready to download the installer for the application of your choice and use it on your Oracle BMCS account.


Monday, January 9, 2017

'MongoDB with Replication' Security Issue

[UPDATE 2017-01-11]

The steps to restrict access to port 27017 on Google Cloud Platform have been updated

[UPDATE 2017-01-10]

The Bitnami Team has been working on new guides to securing the database and recovering the data using the MongoDB Oplog. Please see the "How to enable authentication for securing your installation" and "Restoring your database" sections below.

----

In the past few days, it has been reported that attackers have been scanning for and vandalizing unsecured MongoDB databases accessible over the internet. (See https://www.scmagazine.com/mongodb-databases-under-attack-worldwide/article/629601/)

Our security team follows these reports closely and began a review of our existing images. As a result, we confirmed that Bitnami virtual machines and single-VM cloud images are not vulnerable to this attack because they require the administrator to authenticate. However, one Bitnami listing is vulnerable when left in its default configuration: Bitnami’s MongoDB with Replication. This template is offered in Google Cloud Launcher and Microsoft Azure.

We are working with Google to remove and replace the template on the Google Cloud Launcher. If you launch or have launched a “MongoDB with Replication” application prior to version 3.4.1, please take immediate steps to secure your application; instructions are below.

For Microsoft Azure users, a replacement template, which implements MongoDB authentication to prevent users from remotely performing CRUD operations on the database, is available now in the Azure Marketplace here. The fixed template version is MongoDB 3.4.1-0 (Debian 8).

While the scale of the attack across the internet was large, only a small number of Bitnami users were affected and not already secured. We are working with the cloud vendors to contact these users and replace the default settings. In the meantime, if you think your installation could be affected, please see below for steps that you can take to safeguard your data.

If you are currently using installations based on the Bitnami MongoDB with Replication template that have not already been secured:

The following steps are recommended immediately:

1. Restricting external access to default port 27017
2. Enabling authentication to secure your installation
3. Restoring your database

How to restrict access to port 27017 on Google Cloud Platform

1. Login to Google Cloud Platform.
2. Using the left hand menu, navigate to the “Networking” section.
3. Under the networking section choose “Firewall Rules”.

In this section find the firewall rules that correspond with your MongoDB instance. If you launched through the Google Cloud Launcher the name is likely to be “mongodb-multivm-1-node-0-firewall”.

4. Click on the 'Firewall Rule Details' for each MongoDB instance to show firewall rules details:
5. Remove port 27017 from the list of allowed protocols and ports. Remove the bitnami-mongodb tag if it is set.
6. Click “Save”.

7. Using the left hand menu, navigate to the “Compute Engine” section. In this section find the instances that correspond with your MongoDB deployment. Look for the different nodes of the deployment, if you launched through the Google Cloud Launcher the name is likely to be “mongodb-multivm”.

8. Remove the bitnami-mongodb tag in all the instances if it is set.
9. Click “Save”.
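The Elasticsearch post (ports 9200-9300) and this MongoDB post (port 27017) come down to the same question: does any inbound cloud firewall rule let the public Internet reach the datastore port? The following Python example is added here to audit rule definitions in the shape that `gcloud compute firewall-rules list --format=json` returns; it is not Bitnami code. The embedded rules are constructed: the first rule name and the bitnami-mongodb tag come from the post above, the other rule names, tags and ranges are invented, and treating a rule without a "direction" key as ingress is an assumption.

```python
import ipaddress
import json
from typing import Dict, List, Optional, Set

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json`
# (only the keys used below). Rule 1 is the Cloud Launcher default named in the post.
SAMPLE_RULES_JSON = r"""
[
  {"name": "mongodb-multivm-1-node-0-firewall", "direction": "INGRESS",
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22", "27017"]}],
   "targetTags": ["bitnami-mongodb"]},
  {"name": "elasticsearch-internal", "direction": "INGRESS",
   "sourceRanges": ["10.128.0.0/9"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["9200-9300"]}],
   "targetTags": ["bitnami-elasticsearch"]},
  {"name": "allow-all-from-office", "direction": "INGRESS",
   "sourceRanges": ["203.0.113.0/24"],
   "allowed": [{"IPProtocol": "all"}]},
  {"name": "mongo-egress", "direction": "EGRESS",
   "destinationRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["27017"]}]}
]
"""

# Ports the two posts tell you to close: Elasticsearch HTTP/transport, MongoDB.
DATASTORE_PORTS: Dict[str, Set[int]] = {
    "elasticsearch": set(range(9200, 9301)),
    "mongodb": {27017},
}

# Sources inside these are internal; anything else (even one external /24) is
# treated as reachable from the Internet. (ipaddress.is_private is avoided: it
# reports 0.0.0.0/0 as private on some Python versions.)
_PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def port_spec_to_set(spec: str) -> Set[int]:
    """'27017' -> {27017}; '9200-9300' -> {9200, ..., 9300}."""
    lo, _, hi = spec.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError("bad port spec: %r" % spec)
    return set(range(lo_i, hi_i + 1))


def allowed_tcp_ports(rule: dict) -> Optional[Set[int]]:
    """TCP ports a rule opens. None means every port: protocol 'all', or tcp
    with no 'ports' key, which GCP interprets as all ports."""
    ports: Set[int] = set()
    for entry in rule.get("allowed", []):
        proto = str(entry.get("IPProtocol", "")).lower()
        if proto not in ("tcp", "all"):
            continue
        if proto == "all" or "ports" not in entry:
            return None
        for spec in entry["ports"]:
            ports |= port_spec_to_set(spec)
    return ports


def public_sources(rule: dict) -> List[str]:
    """Source ranges that lie outside the private/loopback/link-local space."""
    public = []
    for cidr in rule.get("sourceRanges", []):
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.version == p.version and net.subnet_of(p) for p in _PRIVATE_NETS):
            public.append(cidr)
    return public


def audit_rules(rules: List[dict],
                watch: Dict[str, Set[int]] = DATASTORE_PORTS) -> List[dict]:
    """One finding per (rule, service) where a public source reaches a watched
    TCP port. targetTags are reported so the tag can be removed from instances."""
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        sources = public_sources(rule)
        if not sources:
            continue
        opened = allowed_tcp_ports(rule)
        for service in sorted(watch):
            if opened is None or opened & watch[service]:
                findings.append({"rule": rule["name"], "service": service,
                                 "sources": sources, "tags": rule.get("targetTags", [])})
    return findings


def load_rules(text: str) -> List[dict]:
    return json.loads(text)
```

Run against the sample, `audit_rules(load_rules(SAMPLE_RULES_JSON))` flags the Launcher rule for MongoDB (port 27017 from 0.0.0.0/0, tag bitnami-mongodb) and the protocol-"all" rule for both services, while the RFC1918-scoped Elasticsearch rule and the egress rule pass.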