Tuesday, October 9, 2018

Arbitrary Code Execution Vulnerability in Git CVE-2018-17456

A new security vulnerability has been disclosed. All Git versions prior to 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1 and 2.19.1 are affected.

The CVE-2018-17456 vulnerability allows an attacker to execute arbitrary code by crafting a malicious .gitmodules file in a project cloned with the flag --recurse-submodules:

When running "git clone --recurse-submodules", Git parses the supplied
.gitmodules file for a URL field and blindly passes it as an argument
to a "git clone" subprocess.  If the URL field is set to a string that
begins with a dash, this "git clone" subprocess interprets the URL as
an option.  This can lead to executing an arbitrary script shipped in
the superproject as the user who ran "git clone".
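As an added example (not code from the original post or from Bitnami), the following Python script implements two defender-side checks for this issue: whether a local `git --version` reports at least the fixed release for its minor line as listed above, and whether a `.gitmodules` file carries a `url` value that begins with a dash, which is the condition the advisory describes. The sample `.gitmodules` content, the function names and the dash-prefixed placeholder value are constructed for this example.

```python
"""Defender-side checks for CVE-2018-17456 (constructed example, not Bitnami's tooling).

1. is_fixed_git_version(): is the local git at or above the patched release for its line?
2. suspicious_submodule_urls(): does a .gitmodules file contain a url value that starts
   with '-', which an unpatched `git clone` subprocess would read as an option, not a URL?
"""
import re

# Fixed releases named in the advisory, keyed by the minor line they belong to.
FIXED_VERSIONS = {
    (2, 14): (2, 14, 5),
    (2, 15): (2, 15, 3),
    (2, 16): (2, 16, 5),
    (2, 17): (2, 17, 2),
    (2, 18): (2, 18, 1),
    (2, 19): (2, 19, 1),
}


def parse_git_version(text):
    """Extract (major, minor, patch) from strings such as 'git version 2.17.1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    return tuple(int(x) for x in m.groups())


def is_fixed_git_version(text):
    """True if the version is a patched release for its line, or newer than every affected line."""
    major, minor, patch = parse_git_version(text)
    line = (major, minor)
    if line in FIXED_VERSIONS:
        return (major, minor, patch) >= FIXED_VERSIONS[line]
    # Everything before 2.14.5 is listed as affected; anything past 2.19 postdates the fix.
    return line > (2, 19)


# Subset of git-config syntax used by .gitmodules: [submodule "name"] sections with key = value.
_SECTION = re.compile(r'^\[submodule\s+"([^"]*)"\]$')
_KEYVAL = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)$")


def parse_gitmodules(text):
    """Return {submodule_name: {key: value}} from .gitmodules content."""
    modules, current = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped[0] in "#;":  # blank line or comment
            continue
        m = _SECTION.match(stripped)
        if m:
            current = modules.setdefault(m.group(1), {})
            continue
        if stripped.startswith("["):  # some other section; ignore its keys
            current = None
            continue
        m = _KEYVAL.match(stripped)
        if m and current is not None:
            value = m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':  # quoted value
                value = value[1:-1]
            current[m.group(1).lower()] = value
    return modules


def suspicious_submodule_urls(text):
    """Names of submodules whose url value starts with '-' (would be parsed as an option)."""
    return sorted(
        name for name, cfg in parse_gitmodules(text).items()
        if cfg.get("url", "").startswith("-")
    )


# Constructed sample: one ordinary submodule and one whose url is a dash-prefixed placeholder.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "odd-one"]
\tpath = odd-one
\turl = -constructed-dash-prefixed-value
"""


if __name__ == "__main__":
    import subprocess
    import sys

    try:
        out = subprocess.run(["git", "--version"], capture_output=True,
                             text=True, check=True).stdout
        print(out.strip(), "-> fixed" if is_fixed_git_version(out) else "-> AFFECTED, update git")
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("git not found on PATH; skipping version check")

    # Scan a .gitmodules file given on the command line, or the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GITMODULES
    flagged = suspicious_submodule_urls(text)
    print("dash-prefixed submodule urls:", flagged or "none")
```

Run it as `python check_gitmodules.py path/to/.gitmodules` inside a checkout you have cloned without `--recurse-submodules`; the version check uses the same version list as the advisory, so a result of "fixed" means the subprocess would no longer treat a dash-prefixed value as an option.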


Our team is working on updating all the affected solutions available in the Bitnami catalog. That way, all new installations and cloud launches will use a fixed Git version. If you have a running application that uses Git, you will need to migrate the content of your deployment to a new deployment that ships the fixed Git version.

If you have installed Git using the system packages, please update the component when the new package is available for your operating system.

If you have any questions about the security issue or you need support to migrate your data, please post to our community support forum and we will be happy to help!

Thursday, October 4, 2018

Speculation Attacks using the Return Stack Buffer

[UPDATE 2018-10-05]

This blog post was updated with the steps to update Debian 8

----

A new vulnerability was discovered in the Linux Kernel. The recent Spectre attacks exploit speculative execution to allow the exfiltration of sensitive data across protection boundaries.

https://blog.bitnami.com/2018/01/spectre-and-meltdown-privileged-memory.html
https://blog.bitnami.com/2018/05/kernel-side-channel-attack.html

This is a new Spectre-class attack, also known as SpectreRSB (CVE-2018-15572), that exploits the return stack buffer (RSB), a common structure in modern CPUs used to predict return addresses. More information about this security vulnerability can be found in the official paper at https://www.usenix.org/conference/woot18/presentation/koruyeh.

Once a new, patched kernel is available from the operating system vendor, you can update it by following these instructions (depending on your distribution/operating system):

Debian 8 and 9 / Ubuntu 14.04, 16.04 and 18.04

    sudo apt-get update && sudo apt-get dist-upgrade

Oracle Linux, Red Hat, CentOS and Amazon Linux

    Not affected

OSX

    Update your system packages when the operating system prompts you to.

Once you have completed the steps above, the fixed version of the kernel/operating system will be in use after you reboot your server.

If you have any questions about this process, please post to our community support forum and we will be happy to help!

Tuesday, September 25, 2018

Bitnami is Named a Gold Status Partner with Azure and Adds Stacksmith Consulting to Azure Marketplace

It’s Microsoft Ignite this week, so we thought now would be a great time to provide a community update on what Bitnami has been up to with Microsoft lately.

First, a bit of history. Bitnami is known for its catalog of 130+ open source applications and run-time environments that it packages, maintains, and publishes to public catalogs like the Azure Marketplace. To achieve this, Bitnami has developed sophisticated internal tooling and automation that simplifies and streamlines this process.

In March, we launched Stacksmith. A productization of this core Bitnami technology, Stacksmith is designed to help enterprise companies package and maintain their own applications for the cloud. Stacksmith takes your applications and scripts, repackages and optimizes them for the cloud and / or containers, and delivers the images and templates you need to deploy them to your chosen target.

In May, we added support for Microsoft Azure to Stacksmith. This opens up a host of possibilities, not the least of which is that best-fit cloud services become available to your applications.

Now, we are really happy to announce that Bitnami has attained Microsoft Azure Gold Status, and Stacksmith is now a co-sell ready Software-as-a-Service solution in the Azure Marketplace.

In addition, Bitnami has created a Stacksmith consulting offer, which is available from the Azure Marketplace under the consulting services category. This offer is designed to provide all the support that enterprises will need to get up and running quickly and efficiently with Stacksmith.

With this offer, Bitnami will work directly with customers to:
  • Set up a Stacksmith evaluation account
  • Connect Stacksmith to their Azure account
  • Evaluate their chosen application for readiness (Linux)
  • Gather the required resources to package and deploy their application
  • Package their application for Azure and/or AKS
  • Deploy their application to the cloud
  • Demonstrate how Stacksmith maintains their application to keep it up-to-date and secure over time

Stacksmith provides the same level of trusted packaging and maintenance that Bitnami’s application catalog offerings have come to be known for. This simple, effective, and personalized consulting service shows customers how to get applications to the cloud quickly.

Stacksmith enables enterprises to:
  • Improve their application delivery and maintenance framework, enabling enforcement of enterprise IT and security policies and operations best practices on applications
  • Simplify cloud migration by allowing enterprises to move and improve applications so they can access native cloud services
  • Provide continuous golden image security, allowing IT operations to control and secure OS and application configurations and easily replenish baselines
  • Create enterprise cloud service catalogs to centrally house standardized assets and make them available across the organization

We are pretty excited about all of this, and look forward to a super productive partnership with Microsoft that continues to expand and strengthen. Learn more about Stacksmith, or how you can use the Stacksmith consulting offer to realize immediate value by getting your enterprise application packaged, deployed, and maintained on Azure or AKS quickly and easily.