Thursday, October 18, 2018

Drupal 8.6.2 and 7.60 critical releases (SA-CORE-2018-006)

Drupal has released new versions that fix several critical security vulnerabilities. We strongly recommend upgrading your existing Drupal 7 and 8 sites.

The fixed vulnerabilities are listed below:

  • Content moderation - Moderately critical - Access bypass - Drupal 8
  • External URL injection through URL aliases - Moderately Critical - Open Redirect - Drupal 7 and Drupal 8
  • Anonymous Open Redirect - Moderately Critical - Open Redirect - Drupal 8
  • Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution - Drupal 7 and Drupal 8
  • Contextual Links validation - Critical - Remote Code Execution - Drupal 8

It is recommended that you upgrade your Drupal application to Drupal 7.60 and Drupal 8.6.2. We highly recommend creating a backup before proceeding. You can follow our Drupal, CiviCRM or Open Atrium documentation to learn how to upgrade your application and address this security issue.

For new application deployments, including those through the Bitnami Launchpad, we released Drupal 7.60 and 8.6.2, CiviCRM and Open Atrium containers, installers, virtual machines and cloud images that include the necessary fix to address these vulnerabilities.

If you have further questions about Bitnami Drupal or this security issue, please post to our community forum, where we will be happy to help.

Tuesday, October 9, 2018

Arbitrary Code Execution Vulnerability in Git CVE-2018-17456

A new security vulnerability has been disclosed. All Git versions prior to 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1 and 2.19.1 are affected.

The CVE-2018-17456 vulnerability allows an attacker to execute arbitrary code by crafting a malicious .gitmodules file in a project cloned with the flag --recurse-submodules:

When running "git clone --recurse-submodules", Git parses the supplied
.gitmodules file for a URL field and blindly passes it as an argument
to a "git clone" subprocess.  If the URL field is set to a string that
begins with a dash, this "git clone" subprocess interprets the URL as
an option.  This can lead to executing an arbitrary script shipped in
the superproject as the user who ran "git clone".
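Two checks that follow directly from the description above, written for this post as an added example (not code from the Bitnami team or from the Git project): one tells you whether a given Git version falls below the fixed release of its minor series, the other scans a .gitmodules file for a url value that begins with a dash before you run a recursive clone. Versions in the 2.20 series and later are treated as fixed, which is an assumption drawn from the advisory listing only releases before the fixed ones as affected; the sample .gitmodules is constructed and carries a harmless dash-prefixed value only to exercise the check.

```shell
#!/bin/sh
# Added example for CVE-2018-17456 (not from the Bitnami post or from Git).
# Fixed releases named in the advisory: 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1, 2.19.1.

# Return 0 if an "X.Y.Z" git version is affected, 1 if it is fixed.
# Assumption: 2.20 and later carry the fix.
git_version_affected() {
  v="$1"
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  case "$rest" in
    *.*) patch=${rest#*.}; patch=${patch%%.*} ;;   # "2.17.1" -> 1
    *)   patch=0 ;;                                 # "2.19"   -> 0
  esac
  patch=${patch%%[!0-9]*}                           # drop suffixes such as "1-rc0"
  [ -n "$patch" ] || patch=0
  [ "$major" -eq 2 ] || { [ "$major" -lt 2 ]; return $?; }   # 1.x affected, 3.x fixed
  [ "$minor" -ge 14 ] || return 0                   # older minor series: affected
  [ "$minor" -le 19 ] || return 1                   # newer minor series: fixed (assumption)
  case "$minor" in
    14) fixed=5 ;; 15) fixed=3 ;; 16) fixed=5 ;; 17) fixed=2 ;; 18|19) fixed=1 ;;
  esac
  [ "$patch" -lt "$fixed" ]
}

# Convenience wrapper over the local binary: "git version 2.17.1" -> "2.17.1".
local_git_affected() {
  git_version_affected "$(git --version | awk '{print $3}')"
}

# Print every submodule url in the given .gitmodules file that starts with "-".
# Exit status 0 means at least one such value was found (do not clone recursively).
gitmodules_dash_urls() {
  sed -n 's/^[[:space:]]*url[[:space:]]*=[[:space:]]*//p' "$1" | grep '^-'
}

# Constructed sample: one ordinary url and one dash-prefixed value (harmless placeholder).
write_sample_gitmodules() {
  printf '%s\n' \
    '[submodule "lib"]' \
    '    path = lib' \
    '    url = https://example.com/lib.git' \
    '[submodule "odd"]' \
    '    path = odd' \
    '    url = -not-a-url' > "$1"
}
```

Run `gitmodules_dash_urls path/to/.gitmodules` on a freshly cloned (non-recursive) checkout before issuing `git submodule update --init` or re-cloning with `--recurse-submodules`; a non-empty result is reason to stop and inspect the repository.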

Our team is working on updating all the affected solutions available in the Bitnami catalog. That way, all new installations and cloud launches will use a fixed Git version. If you have a running application that uses Git, you will need to migrate the content of your deployment to a secured one.

If you have installed Git using the system packages, please update the component when the new package is available for your operating system.

If you have any questions about the security issue or you need support to migrate your data, please post to our community support forum and we will be happy to help!

Thursday, October 4, 2018

Speculation Attacks using the Return Stack Buffer

[UPDATE 2018-10-05]

This blog post was updated with the steps to update Debian 8.

----

A new vulnerability was discovered in the Linux Kernel. The recent Spectre attacks exploit speculative execution to allow the exfiltration of sensitive data across protection boundaries.

https://blog.bitnami.com/2018/01/spectre-and-meltdown-privileged-memory.html
https://blog.bitnami.com/2018/05/kernel-side-channel-attack.html

This is a new Spectre-class attack, also known as SpectreRSB (CVE-2018-15572), that exploits the return stack buffer (RSB), a common structure in modern CPUs used to predict return addresses. More information about this security vulnerability can be found in the official paper at https://www.usenix.org/conference/woot18/presentation/koruyeh.

Once a new, patched kernel is available from the operating system vendor, you can update it by following these instructions (depending on your distribution/operating system):

Debian 8 and 9 / Ubuntu 14.04, 16.04 and 18.04

    sudo apt-get update && sudo apt-get dist-upgrade

Oracle Linux, Red Hat, CentOS and Amazon Linux

    Not affected

OSX

    Update your system packages when the operating system prompts you to.

Once you have completed the steps above, you will have the fixed version of the kernel/operating system after rebooting your server.
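After the reboot, a practitioner wants to confirm that the kernel itself reports the mitigation rather than trusting the package upgrade alone. The helpers below are an added example written for this post (not Bitnami's tooling): they pick the action from the table above based on the ID in /etc/os-release, read every entry the kernel exposes under /sys/devices/system/cpu/vulnerabilities, and check the spectre_v2 line for the RSB marker. The marker string ", RSB filling" is an assumption about what the kernel appends to that line when RSB stuffing on context switch is active, and the os-release IDs used (debian, ubuntu, ol, rhel, centos, amzn) are the conventional ones for those distributions; the sample inputs in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the Bitnami post): verify the post-reboot mitigation state.

SYSFS_VULN=/sys/devices/system/cpu/vulnerabilities

# Map an os-release ID to the action the table above gives for that distribution.
update_action_for_id() {
  case "$1" in
    debian|ubuntu)       echo "sudo apt-get update && sudo apt-get dist-upgrade" ;;
    ol|rhel|centos|amzn) echo "not affected" ;;
    *)                   echo "unknown distribution: consult your vendor's advisory" ;;
  esac
}

# Read the ID= field from an os-release file (default /etc/os-release), quotes stripped.
os_release_id() {
  f="${1:-/etc/os-release}"
  [ -r "$f" ] || { echo unknown; return 1; }
  sed -n 's/^ID=//p' "$f" | tr -d '"'
}

# Return 0 when a spectre_v2 status line shows an active mitigation that includes
# the RSB-filling marker (assumed marker text: "RSB filling").
spectre_v2_rsb_mitigated() {
  case "$1" in
    Mitigation:*"RSB filling"*) return 0 ;;
    *)                          return 1 ;;
  esac
}

# Print "<name>: <status>" for every file in the sysfs vulnerabilities directory
# (a different directory can be passed for testing). Returns 1 if the directory is absent,
# which on a real host means the running kernel predates this reporting interface.
report_cpu_vulnerabilities() {
  dir="${1:-$SYSFS_VULN}"
  [ -d "$dir" ] || { echo "no $dir: kernel does not report mitigation state"; return 1; }
  for f in "$dir"/*; do
    printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
  done
}

# Overall check for the local host: 0 if spectre_v2 reports RSB filling, 1 otherwise.
host_rsb_mitigated() {
  dir="${1:-$SYSFS_VULN}"
  [ -r "$dir/spectre_v2" ] || return 1
  spectre_v2_rsb_mitigated "$(cat "$dir/spectre_v2")"
}
```

Typical use on a Bitnami Debian or Ubuntu instance is `update_action_for_id "$(os_release_id)"` before the upgrade and `host_rsb_mitigated && echo ok` after the reboot; `report_cpu_vulnerabilities` prints the full set of entries for the ticket or change record.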

If you have any questions about this process, please post to our community support forum and we will be happy to help!