Thursday, February 21, 2019

Remote Code Execution Vulnerability in WordPress

A remote code execution vulnerability in the WordPress core has recently been found. The vulnerability affects all WordPress versions prior to 5.0.3.

This vulnerability has been present for over 6 years and can be exploited by an attacker with at least "author" privileges. More information about the vulnerability can be found in the announcement.

A fix that completely addresses this vulnerability will be included in the next WordPress release. In the meantime, we have released Bitnami WordPress 5.0.3 (and Multisite version) installers, virtual machines and cloud images for all platforms. We have also released updated WordPress containers and Helm Charts for Kubernetes.

Have questions about Bitnami WordPress or the security issue? Post to our community forum, and we would be happy to help you.

Drupal 8.6.10 security release

Drupal has released a new version that fixes a highly critical security vulnerability. This security vulnerability can affect your Drupal 8 and 7 sites.

SA-CORE-2019-003 can lead to arbitrary PHP code execution if one of the following conditions is met:

  • The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests.
  • The site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

Learn more about this vulnerability in the Drupal official announcement.

Bitnami images are not affected since none of our solutions meet the conditions above, but it is recommended to upgrade your Drupal application to Drupal 8.6.10 or later. You can follow our documentation to learn how to upgrade your application to strengthen its security. We highly recommend creating a backup before performing the upgrade.

For new application deployments, including the Bitnami Launchpad ones, we have released Drupal 8.6.10 for containers, installers, virtual machines, cloud images, and Multi-Tier solutions. If you deploy any of these solutions and they have not yet been updated to the latest version, you will need to follow the upgrade process described in our documentation.

If you have further questions about this security issue, please post to our community forum, where we will be happy to help.

Wednesday, February 20, 2019

Arbitrary code execution vulnerabilities in Kibana (CVE-2019-7609 and CVE-2019-7609)

Some security vulnerabilities in Kibana have been reported recently. Two of these vulnerabilities allow arbitrary code execution in the application.

Apart from these arbitrary code execution vulnerabilities in Kibana, the official announcement also mentions other security improvements in the Elasticsearch, Logstash and Kibana components. Versions prior to 6.6.1 are affected by these vulnerabilities. You can learn more about them in the official announcements.

We recommend that you upgrade your ELK deployments to the latest version. You can follow our documentation to learn how to upgrade your deployment to strengthen its security. We highly recommend creating a backup before performing the upgrade.

For new application deployments, including those made from the Bitnami Launchpad, we have updated and released the containers, installers, virtual machines, cloud images, and Multi-Tier solutions that contain any of the affected versions.

If you have further questions about this security issue, please post to our community forum, where we will be happy to help.