Friday, January 27, 2017

Security Release: WordPress 4.7.2

WordPress has released a new version that fixes three security vulnerabilities.

It is strongly recommended that you update your WordPress application to the latest version, WordPress 4.7.2. You can follow our documentation to learn how to upgrade your application and ensure its security.

For new application deployments, Bitnami has released WordPress 4.7.2 containers, installers and virtual machines that address these vulnerabilities. If you deploy Bitnami WordPress via a Bitnami Launchpad, your application will be up-to-date and secure. If you deploy Bitnami WordPress via one of our cloud partner marketplaces and it is not yet updated to version 4.7.2, you will need to upgrade your application using the documentation linked above.

If you have further questions about Bitnami WordPress or this security issue, please post to our community forum, and we will be happy to help you.

Friday, January 13, 2017

Elasticsearch Installation Security Incident

As of today, attackers have been reportedly scanning for and vandalizing unsecured Elasticsearch installations over the Internet. (See: http://www.pcworld.com/article/3157417/security/after-mongodb-ransomware-groups-hit-exposed-elasticsearch-clusters.html)

Bitnami's security team has reviewed our image library. As a result, we have confirmed that Bitnami virtual machines and single-VM cloud images are not vulnerable to this attack because they do not expose Elasticsearch publicly by default; Elasticsearch is proxied through Apache with authentication.

One Bitnami listing, "Elasticsearch Cluster" on Microsoft Azure, was found to be vulnerable. This listing was removed earlier this week and we are notifying the small number of users who may have installations based on the affected template.

Since the scale of the attack appears to be growing, we recommend that all users of Bitnami Elasticsearch on all cloud platforms check that their installations are secure. Deployments that were secure at launch may have been accidentally opened to the Internet by later changes to the default configuration.

We recommend that you immediately ensure that your Elasticsearch is not exposed to the public Internet by doing one of the following:

a) Confirming that your inbound firewall rules block traffic to ports 9200-9300 from the Internet

or

b) Moving any Elasticsearch deployments to private networks

How to restrict access to port 9200 on Microsoft Azure:
1. Log in to the Microsoft Azure Portal.
2. Using the left hand navigation bar, go to “Resource groups”.
3. Select the resource group your Elasticsearch Cluster application is located in.
4. Select the "Network Security Group" to edit its properties.
5. Select "Inbound security rules" and close port 9200 by changing the Action of its rule from “Allow” to “Deny”.
6. Click the blue “Save” button at the top of the window.


Additional practices for securing Elasticsearch can be found here: http://code972.com/blog/2017/01/107-dont-be-ransacked-securing-your-elasticsearch-cluster-properly

If you have been affected by this attack or need additional help updating your Bitnami Elasticsearch, please contact us directly through our Helpdesk (https://bitnami.zendesk.com/hc/en-us) and we will do our best to assist you.

CodeIgniter Security Issue CVE-2016-10131

[ UPDATE 2017-01-17 ]

The Bitnami Team is happy to announce that the Bitnami Cloud Hosting images have been updated and now use the latest version of CodeIgniter.

----

The CodeIgniter project released a new update that contains an important security fix for a cross-site scripting vulnerability. We strongly recommend that all CodeIgniter developers using Bitnami LAMP installations or the CodeIgniter development container upgrade to the latest version immediately.

We released new versions of Bitnami LAMP, MAMP, WAMP, LAPP, MAPP and WAPP (PHP5 and PHP7) installers, virtual machines and cloud images that fix this security issue. We also released a new version of our Bitnami CodeIgniter development container. Further details regarding the security issue are explained below:

"System/libraries/Email.php in CodeIgniter before 3.1.3 allows remote attackers to execute arbitrary code by leveraging control over the email->from field to insert sendmail command-line arguments."

More info: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10131

Workaround


If you're unable to upgrade right away, you can secure your installation against this vulnerability by manually updating CodeIgniter. In order to do so, please follow the instructions below:

https://codeigniter.com/userguide3/installation/upgrading.html

Do you have questions about Bitnami or the security issue? Please post to our community forum and we will be happy to help you.

Tuesday, January 10, 2017

PWNScriptum Security Issue

[ UPDATE 2017-01-16 ]

The Magento team has published a new blog post about this security issue. They recommend turning off the "Set Return-Path" setting (switch it to "No") at "Stores -> Configuration -> Advanced -> System -> Mail Sending Settings -> Set Return-Path".

We also want to inform you that the standard Bitnami Magento deployments are not affected as that field is set to "No" by default.

https://magento.com/security/news/new-zend-framework-1-security-vulnerability

----

During the past couple of weeks, vulnerabilities were discovered in the most widely used PHP Mailing Libraries: PHPMailer (CVE-2016-10033 and CVE-2016-10045), Swiftmailer (CVE-2016-10074) and ZendMail (CVE-2016-10034). There are several stacks in the Bitnami library that could be potentially affected. Because this issue is related to the implementation of the applications themselves, it must be addressed by their original developers.

From the moment this issue was reported, our security team started a very thorough review of all our PHP applications (including contacting developers directly in several cases). We will release fixed versions of all affected apps as soon as they are available.

Note that in several cases, the application was developed in a way that made it impossible for the vulnerability to be exploited. Examples include:

  • WordPress: “Presently, WordPress Core (and as a result, anything utilising wp_mail()) are unaffected by the recent disclosures, the vulnerabilities require the usage of a PHPMailer feature which WordPress & wp_mail() does not use. This applies to WordPress 4.7, 4.6.x, and all previous secure versions.” [more info]
  • Drupal: “The SMTP module has a modified third party PHPMailer library in its codebase. The modified version of the library is not affected.” [more info]
  • Joomla: “After analysis [..] there are additional validations in place which make executing this vulnerability impractical within the Joomla environment.” [more info]
  • Moodle: “So my current conclusion is that Moodle sites are not affected by the Sender vulnerability discovered in phpmailer < 5.2.18.” [more info]
  • Phabricator: “No immediate action is necessary because we don't expose any way to get at these vulnerabilities.” [more info]
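The CodeIgniter advisory above and the PHPMailer, Swiftmailer and ZendMail issues share one root cause: the application hands a user-controlled From or Return-Path address to the local sendmail binary on its command line, so a value that contains spaces or starts with a dash is parsed as extra options rather than as an address. The following Python example is added here to illustrate the defensive check; it is not code from CodeIgniter, from any of the libraries named, or from Bitnami. The validator, the `sendmail_argv` builder, the `shell_split_naive_command` illustration and the sample addresses are all constructed for this example, and the `/usr/sbin/sendmail` path is assumed.

```python
import re
import shlex
import subprocess

# Conservative shape for one envelope-sender address: a local part, "@" and a
# dotted host name. Anything else (spaces, quotes, angle brackets, a leading
# "-", shell metacharacters) is rejected outright. This is deliberately
# stricter than RFC 5321 and is constructed for this example.
_SENDER_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def is_safe_envelope_sender(address: str) -> bool:
    """True only if `address` is a plain mailbox that sendmail cannot
    mistake for an option or split into several arguments."""
    if not address or len(address) > 254:
        return False
    if address[0] == "-":                      # would be read as an option
        return False
    if any(ch.isspace() for ch in address):    # would become extra arguments
        return False
    return _SENDER_RE.fullmatch(address) is not None


def shell_split_naive_command(sender: str) -> list:
    """Show what a shell would make of the vulnerable pattern: the sender
    is concatenated into a command string instead of passed as one argv
    element, so a space in it produces an additional argument."""
    return shlex.split(f"/usr/sbin/sendmail -i -f{sender}")


def sendmail_argv(envelope_sender: str, recipients: list,
                  sendmail_path: str = "/usr/sbin/sendmail") -> list:
    """Build argv for a local sendmail call (assumed path). Every address is
    validated first and then placed in its own argv element, so the process
    is started without a shell and no address can turn into an option."""
    if not is_safe_envelope_sender(envelope_sender):
        raise ValueError(f"refusing unsafe envelope sender: {envelope_sender!r}")
    for rcpt in recipients:
        if not is_safe_envelope_sender(rcpt):
            raise ValueError(f"refusing unsafe recipient: {rcpt!r}")
    return [sendmail_path, "-i", "-f", envelope_sender, *recipients]


def send_via_sendmail(message: bytes, envelope_sender: str, recipients: list) -> int:
    """Hand a raw RFC 5322 message to sendmail over stdin; returns exit status."""
    argv = sendmail_argv(envelope_sender, recipients)
    return subprocess.run(argv, input=message, check=False).returncode


if __name__ == "__main__":
    # Constructed inputs: a legitimate sender and one carrying a stray token.
    for candidate in ("alice@example.com", "alice@example.com -extra"):
        print(candidate, "->", "accepted" if is_safe_envelope_sender(candidate) else "rejected")
    print(shell_split_naive_command("alice@example.com -extra"))
    print(sendmail_argv("alice@example.com", ["bob@example.org"]))
```

The Return-Path setting in the Magento update above controls this same envelope-sender field, which is why leaving it at "No" keeps a deployment out of reach of the ZendMail issue. The argv form does not replace validation: a mail library should still reject anything that is not a plain address before it reaches the transport.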

Affected Bitnami PHP applications with recently released fixes: Akeneo, Dreamfactory, Mahara, Mantis, Mautic, ModX, Owncloud, OroCRM, TinyTinyRSS, PHPList. Please make sure you update your stacks by following the documentation in docs.bitnami.com.

Unaffected Bitnami PHP applications: SEO Panel, CMS Made Simple, Piwik, Magento, Prestashop, EspoCRM, Pimcore, Shopware and Oxid.

Please stay tuned if you are using a Bitnami PHP application, as we will continue releasing apps as soon as a fix is available.

Bitnami Applications for Oracle Bare Metal Cloud Services
At Oracle World in 2015, Bitnami and Oracle jointly announced the availability of the Bitnami catalog of more than 150 applications for Oracle Cloud Platform.

Fast forward a little more than a year later, and Bitnami is proud to be collaborating with the Oracle Bare Metal Cloud Services (BMCS) team to extend selected Bitnami offerings to BMCS, as well.

We've worked with the Oracle BMCS team to select the first 21 applications, including Java-related infrastructure such as JBoss, Liferay, Node.js, and Tomcat; databases such as MongoDB and MySQL; and popular line-of-business applications like WordPress, Magento, and Moodle.

Bitnami-packaged applications are tested and approved to run on Oracle Cloud, secured, and kept up to date.

To see the complete list:

1. Go to the Oracle Cloud Marketplace

2. Type "bitnami bare metal" into the search box

You're now ready to download the installer for the application of your choice and use it on your Oracle BMCS account.


Monday, January 9, 2017

'MongoDB with Replication' Security Issue


[UPDATE 2017-01-11]

The steps to restrict access to port 27017 on Google Cloud Platform have been updated.

[UPDATE 2017-01-10]

The Bitnami Team has been working on new guides to securing the database and recovering the data using the MongoDB oplog. Please find the "How to enable authentication for securing your installation" and "Restoring your database" sections below.

----

In the past few days, it has been reported that attackers have been scanning for and vandalizing unsecured MongoDB databases accessible over the internet. (See https://www.scmagazine.com/mongodb-databases-under-attack-worldwide/article/629601/)

Our security team follows these reports closely and began a review of our existing images. As a result, we confirmed that Bitnami virtual machines and single-VM cloud images are not vulnerable to this attack because they require the administrator to authenticate. However, one Bitnami listing is vulnerable when left in its default configuration: Bitnami's MongoDB with Replication. This template is offered in Google Cloud Launcher and Microsoft Azure.

We are working with Google to remove and replace the template on the Google Cloud Launcher. If you launch or have launched a “MongoDB with Replication” application prior to version 3.4.1, please take immediate steps to secure your application (instructions below).

For Microsoft Azure users, a replacement template, which implements MongoDB authentication to prevent users from remotely performing CRUD operations on the database, is available now in the Azure Marketplace here. The fixed template version is MongoDB 3.4.1-0 (Debian 8).

While the scale of the attack across the internet was large, only a small number of Bitnami users were affected and not already secured. We are working with the cloud vendors to contact these users and replace the default settings. In the meantime, if you think your installation could be affected, please see below for steps that you can take to safeguard your data.

If you are currently using installations based on the Bitnami MongoDB with Replication template that have not already been secured, the following steps are recommended immediately:

1. Restricting external access to default port 27017
2. Enabling authentication to secure your installation
3. Restoring your database

How to restrict access to port 27017 on Google Cloud Platform

1. Log in to Google Cloud Platform.
2. Using the left hand menu, navigate to the “Networking” section.
3. Under the networking section choose “Firewall Rules”.

In this section, find the firewall rules that correspond to your MongoDB instance. If you launched through the Google Cloud Launcher, the name is likely to be “mongodb-multivm-1-node-0-firewall”.

4. Click on 'Firewall Rule Details' for each MongoDB firewall rule to show its details:

5. Remove port 27017 from the list of allowed protocols and ports. Remove the bitnami-mongodb tag if it is set.

6. Click “Save”.

7. Using the left hand menu, navigate to the “Compute Engine” section. In this section, find the instances that correspond to your MongoDB deployment. Look for the different nodes of the deployment; if you launched through the Google Cloud Launcher, the name is likely to be “mongodb-multivm”.

8. Remove the bitnami-mongodb tag from all the instances if it is set.

9. Click “Save”.
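The console steps above do by hand what can also be checked across a whole project at once: a firewall rule only reaches an instance when the rule allows the port from the Internet and either has no target tag or shares a tag with that instance, which is why both the port and the bitnami-mongodb tag have to go. The following Python example is added here as an audit of that pairing; it is not Bitnami's or Google's code. It is written against the field names that `gcloud compute firewall-rules list --format=json` and `gcloud compute instances list --format=json` produce (name, direction, sourceRanges, targetTags, allowed, tags.items), and the rules and instances embedded in it are constructed sample data. It goes beyond the MongoDB case by also watching the Elasticsearch ports 9200-9300 from the earlier post, so the same check covers both advisories.

```python
import ipaddress
import json
import sys

# Ports the two advisories on this page say must not be reachable from the
# Internet: MongoDB's default port and Elasticsearch's HTTP/transport range.
WATCHED_PORTS = {27017, 9200, 9300}

# Constructed sample data in the shape of gcloud's JSON output. The first rule
# mirrors the Launcher default named in the post; node-1 has already had its
# tag removed, so the rule no longer reaches it.
SAMPLE_RULES = [
    {"name": "mongodb-multivm-1-node-0-firewall", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["bitnami-mongodb"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22", "27017"]}]},
    {"name": "default-allow-ssh", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "es-internal", "direction": "INGRESS",
     "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["9200-9300"]}]},
    {"name": "es-public", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["es-node"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["9200-9300"]}]},
]
SAMPLE_INSTANCES = [
    {"name": "mongodb-multivm-1-node-0", "tags": {"items": ["bitnami-mongodb"]}},
    {"name": "mongodb-multivm-1-node-1", "tags": {"items": []}},
    {"name": "es-1", "tags": {"items": ["es-node"]}},
]


def parse_port_range(spec):
    """'27017' -> (27017, 27017); '9200-9300' -> (9200, 9300)."""
    lo, _, hi = spec.partition("-")
    lo = int(lo)
    return (lo, int(hi) if hi else lo)


def is_internet_source(cidr):
    """True for any-address ranges such as 0.0.0.0/0 or ::/0."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def rule_exposes_ports(rule, watched):
    """Return the watched ports one ingress rule allows from the Internet."""
    if rule.get("direction", "INGRESS") != "INGRESS":
        return set()
    if not any(is_internet_source(src) for src in rule.get("sourceRanges", [])):
        return set()
    hit = set()
    for allowed in rule.get("allowed", []):
        if allowed.get("IPProtocol", "").lower() not in ("tcp", "all"):
            continue
        ranges = allowed.get("ports")
        if not ranges:                 # no port list means every port
            hit |= set(watched)
            continue
        for spec in ranges:
            lo, hi = parse_port_range(spec)
            hit |= {p for p in watched if lo <= p <= hi}
    return hit


def find_public_exposure(rules, instances, watched=WATCHED_PORTS):
    """Cross rules with instance tags. A rule with targetTags applies only to
    instances carrying one of them; a rule without targetTags applies to
    every instance. Returns sorted (rule, instance, port) triples."""
    findings = set()
    for rule in rules:
        ports = rule_exposes_ports(rule, watched)
        if not ports:
            continue
        targets = set(rule.get("targetTags", []))
        for inst in instances:
            tags = set(inst.get("tags", {}).get("items", []))
            if targets and not (targets & tags):
                continue
            for port in ports:
                findings.add((rule["name"], inst["name"], port))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit.py rules.json instances.json  (falls back to samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_rules, open(sys.argv[2]) as f_inst:
            rules, instances = json.load(f_rules), json.load(f_inst)
    else:
        rules, instances = SAMPLE_RULES, SAMPLE_INSTANCES
    for rule, inst, port in find_public_exposure(rules, instances):
        print(f"EXPOSED: rule {rule} opens tcp/{port} to the Internet on {inst}")
```

On the sample data the audit reports node-0 on port 27017 and es-1 on 9200 and 9300, and nothing for node-1 (tag removed) or the es-internal rule (private source range), which is exactly the state steps 5 and 8 above are meant to produce.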