Wednesday, May 30, 2018

Arbitrary Code Execution Vulnerability in Git

A new security vulnerability has been disclosed in Git. All versions prior to 2.13.7, 2.14.4, 2.15.2, 2.16.4 and 2.17.1 are affected.

This security vulnerability can lead to arbitrary code execution when a user clones or otherwise works with a malicious repository.

With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules". Submodule "names" are read from this file and appended to $GIT_DIR/modules, so a name containing "../" escapes that directory (path traversal) and lets the attacker-controlled repository place files where Git keeps the submodule's metadata. Finally, post-checkout hooks shipped with the submodule are executed, bypassing the intended design in which hooks are never obtained from a remote server.
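The following script, added here as an example and not part of Bitnami's or Git's own code, scans a .gitmodules file for submodule names that contain a ".." path component, the shape that lets a name walk out of $GIT_DIR/modules. The rule mirrors the one the fixed Git releases enforce (an independent reimplementation, not Git's source), the sample .gitmodules is constructed for the demonstration, and the URLs in it are placeholders.

```shell
#!/bin/sh
# Added example, not Bitnami's or Git's code: flag submodule names in a
# .gitmodules file that contain ".." as a whole path component, the pattern
# that escapes $GIT_DIR/modules. Both "/" and "\" are treated as separators
# so the verdict does not depend on the platform.

# check_submodule_name NAME  -> exit 0 if acceptable, 1 if it must be rejected
check_submodule_name() {
    name=$1
    [ -n "$name" ] || return 1                  # empty names are rejected
    norm=$(printf '%s' "$name" | tr '\\' '/')   # backslash counts as a separator
    case "/$norm/" in
        */../*) return 1 ;;                     # ".." as a complete component
    esac
    return 0
}

# unsafe_submodule_names FILE  -> prints each offending name, one per line
unsafe_submodule_names() {
    # the name is the quoted string in every [submodule "NAME"] section header
    sed -n 's/^[[:space:]]*\[submodule "\(.*\)"\].*$/\1/p' "$1" |
        while IFS= read -r n; do
            check_submodule_name "$n" || printf '%s\n' "$n"
        done
}

# count_unsafe_submodule_names FILE  -> how many names were flagged
count_unsafe_submodule_names() {
    unsafe_submodule_names "$1" | wc -l | tr -d '[:space:]'
}

# scan_gitmodules FILE  -> exit 0 when clean, 1 (names on stderr) otherwise
scan_gitmodules() {
    if [ "$(count_unsafe_submodule_names "$1")" -eq 0 ]; then
        echo "ok: no path traversal in submodule names of $1"
        return 0
    fi
    echo "WARNING: unsafe submodule names in $1:" >&2
    unsafe_submodule_names "$1" >&2
    return 1
}

# Constructed sample .gitmodules (placeholder URLs): one benign entry and one
# whose name climbs out of $GIT_DIR/modules with "../".
SAMPLE_GITMODULES=$(mktemp)
cat >"$SAMPLE_GITMODULES" <<'EOF'
[submodule "libfoo"]
    path = libfoo
    url = https://example.invalid/libfoo.git
[submodule "../../../../modules/evil"]
    path = evil
    url = https://example.invalid/evil.git
EOF

scan_gitmodules "$SAMPLE_GITMODULES" || true   # warns about the second entry
rm -f "$SAMPLE_GITMODULES"
```

To use it on a repository you do not trust, clone without --recurse-submodules first, run scan_gitmodules on the checked-out .gitmodules, and only then run "git submodule update --init"; on a fixed Git version the traversal is refused anyway, so the scan is a second line of defence for hosts that have not been updated yet.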

Our team is working on updating the affected solutions available through Bitnami. This will ensure that all new installations and launches will be secured against these issues. If you have a running application with Git, you will need to migrate the content of your deployment to a secured one.

If you installed Git from your operating system's packages, update it as soon as the patched package is available for your distribution.

If you have any questions about the security issue or how to migrate your data, please post to our community support forum and we will be happy to help!

Wednesday, May 23, 2018

Kernel Side-Channel Attack using Speculative Store Bypass

[2018-05-25]

Bitnami has now released updated Ubuntu, Red Hat, CentOS and Oracle Linux based images with the new kernel. The updates are being propagated to the Bitnami Launchpads and the different cloud platforms.

----

Description

A new CPU security vulnerability has been found. It is similar to the Meltdown and Spectre flaws that were revealed earlier this year. Labelled "Speculative Store Bypass" or "Variant 4", the latest vulnerability abuses the speculative execution that modern CPUs rely on for performance.

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to read data in the computer's memory that they should not be able to access. They were publicly disclosed on January 4th, 2018.

This new vulnerability affects modern out-of-order execution processor cores from Intel, AMD, and ARM, so mobile devices are affected as well. It can potentially be exploited by scripts running inside a program (for example, JavaScript in a browser) to lift sensitive information out of other parts of that application. Intel describes it as:

Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami. Our team is working on updating the affected Virtual Machines and Cloud Images available through Bitnami, for all of our cloud provider partners. This will ensure that all new launches will be secured against these issues. If you have an existing running server (virtual machines) or if you have a Bitnami stack installed on your computer, you will need to update the operating system on your own.

Once a new, patched kernel is available from the operating system vendor, you can update it by following these instructions (depending on your distribution/operating system):

  • Ubuntu

       sudo apt-get update && sudo apt-get dist-upgrade

  • Debian

       No patched kernel has been released yet.

  • Oracle Linux, Red Hat, CentOS and Amazon Linux

       sudo yum update

  • Windows / macOS

       Install updates when the operating system offers them. On Windows, enable "Check for updates" so that the latest patches are applied.

Once you have completed the steps above, reboot your server: the patched kernel is installed by the commands above but only runs after the reboot.
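The following script, added here as an example and not part of Bitnami's own tooling, performs the two checks a practitioner wants after the update: that the newest kernel in /boot is the one actually running (otherwise a reboot is still pending), and what the running kernel itself reports about Variant 4 in sysfs. It assumes the distributions listed above, where kernels appear as /boot/vmlinuz-<version> and GNU sort -V is available; the status lines in the test are the ones the kernel writes to the spec_store_bypass file.

```shell
#!/bin/sh
# Added example, not Bitnami's code: confirm after the reboot that the
# running kernel is the newest one installed and that it reports a Variant 4
# mitigation. Patched kernels publish their verdict in sysfs; a kernel that
# predates the fix has no spec_store_bypass file at all, which is itself a
# sign that the update is not in effect.

SSB_SYSFS=/sys/devices/system/cpu/vulnerabilities/spec_store_bypass

# classify_ssb "STATUS LINE" -> not-affected | mitigated | vulnerable | unknown
# The status prefixes are the ones the kernel writes to the sysfs file.
classify_ssb() {
    case "$1" in
        "Not affected") echo not-affected ;;
        Mitigation:*)   echo mitigated ;;
        Vulnerable*)    echo vulnerable ;;
        *)              echo unknown ;;
    esac
}

# ssb_status [FILE] -> classification for this host, or "missing" when the
# kernel does not expose the file (pre-fix kernel, or not Linux)
ssb_status() {
    f=${1:-$SSB_SYSFS}
    if [ -r "$f" ]; then
        classify_ssb "$(cat "$f")"
    else
        echo missing
    fi
}

# newest_of -> read kernel version strings on stdin, print the highest
# (GNU sort -V understands "3.10.0-862.3.2.el7" style versions)
newest_of() {
    sort -V | tail -n 1
}

# installed_kernels -> version strings of the kernels present in /boot,
# taken from the vmlinuz-* file names (rescue images skipped)
installed_kernels() {
    ls /boot/vmlinuz-* 2>/dev/null | sed 's#.*/vmlinuz-##' | grep -v rescue
}

# reboot_pending RUNNING NEWEST -> exit 0 when the newest installed kernel
# is known and is not the one currently running
reboot_pending() {
    [ -n "$2" ] && [ "$1" != "$2" ]
}

running=$(uname -r)
newest=$(installed_kernels | newest_of)
echo "running kernel:    $running"
echo "newest installed:  ${newest:-unknown}"
if reboot_pending "$running" "$newest"; then
    echo "reboot pending: the updated kernel is installed but not yet running"
fi
echo "spec_store_bypass: $(ssb_status)"
```

Read the output as follows: "missing" means the running kernel predates the fix, "vulnerable" means the kernel knows about Variant 4 but the firmware or microcode needed to mitigate it is absent, and "mitigated" or "not-affected" is the state you want to see after the reboot.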

If you have any questions about this process, please post to our community support forum and we will be happy to help!

Wednesday, May 16, 2018

Security Update: Red Hat Linux DHCP Client

[2018-05-19]

All the affected Cloud Images have been updated.

--------

A new security vulnerability in the DHCP client implementation of Red Hat Linux has been discovered. The vulnerability, tracked as CVE-2018-1111, could allow attackers to execute arbitrary commands with root privileges on targeted systems. This issue affects Red Hat, Oracle Enterprise Linux, and CentOS servers. For further information, check the Red Hat official announcement.

The command injection flaw resides in the NetworkManager integration script included in the DHCP client packages. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this vulnerability to execute arbitrary commands with root privileges. This is possible on systems where NetworkManager is configured to obtain network configuration via DHCP. Red Hat has confirmed that this vulnerability impacts both Red Hat Enterprise Linux 6 and 7. It is strongly recommended to update the dhclient package as soon as the fixed versions are available if you are running one of these affected versions.

We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami. Our team is working to update all of the affected Cloud Images available through Bitnami for all Cloud Providers. We will keep you updated in this blog post.

How to mitigate the issue

In the meantime, you can fix this problem yourself by updating the package with the package manager included in the affected systems (yum).

  sudo yum install dhcp-common

Once updated, you will have one of the following versions (7.x releases shown):

  • Red Hat:        4.2.5-68.el7_5.1
  • CentOS:         4.2.5-68.el7.centos.1
  • Oracle Linux:   4.2.5-68.0.1.el7_5.1

Red Hat warns: "Users have the option to remove or disable the vulnerable script, but this will prevent certain configuration parameters provided by the DHCP server from being configured on a local system, such as addresses of the local NTP or NIS servers".

How to obtain the installed version of the package

To check the currently installed version on your system:

  sudo yum -q info installed dhcp-common

If you have additional questions about this security issue, post them in our community forum, and we will be happy to help you.