Tuesday, January 10, 2017

PWNScriptum Security Issue

[ UPDATE 2017-01-16 ]

The Magento team has published a new blog post about this security issue. They recommend to turn off the "Set Return-Path" setting (switch to "No") at "Stores-> Configuration-> Advanced-> System-> Mail Sending Settings-> Set Return-Path"

We also want to inform you that the standard Bitnami Magento deployments are not affected as that field is set to "No" by default.



During the past couple of weeks, vulnerabilities were discovered in the most widely used PHP Mailing Libraries: PHPMailer (CVE-2016-10033 and CVE-2016-10045), Swiftmailer (CVE-2016-10074) and ZendMail (CVE-2016-10034). There are several stacks in the Bitnami library that could be potentially affected. Because this issue is related to the implementation of the applications themselves, it must be addressed by their original developers.

From the moment this issue was reported, our security team started a very thorough review of all our PHP applications (including contacting developers directly in several cases.) We will release fixed versions of all affected apps as soon as they are available.

Note that in several cases, the application was developed in a way that made it impossible for the vulnerability to be exploited. Examples include:

  • WordPress: “Presently, WordPress Core (and as a result, anything utilising wp_mail()) are unaffected by the recent disclosures, the vulnerabilities require the usage of a PHPMailer feature which WordPress & wp_mail() does not use. This applies to WordPress 4.7, 4.6.x, and all previous secure versions.” [more info]
  • Drupal: “The SMTP module has a modified third party PHPMailer library in its codebase. The modified version of the library is not affected.” [more info]
  • Joomla: “After analysis [..] there are additional validations in place which make executing this vulnerability impractical within the Joomla environment.” [more info]
  • Moodle: “So my current conclusion is that Moodle sites are not affected by the Sender vulnerability discovered in phpmailer < 5.2.18.” [more info]
  • Phabricator: “No immediate action is necessary because we don't expose any way to get at these vulnerabilities.” [more info] 

Affected Bitnami PHP applications with recently released fixes
: Akeneo, Dreamfactory, Mahara, Mantis, Mautic, ModX, Owncloud, OroCRM, TinyTinyRSS, PHPList. Please make sure you update your stacks by following the documentation in docs.bitnami.com.

Unaffected Bitnami PHP applications
: SEO Panel, CMS Made Simple, Piwik, Magento, Prestashop, EspoCRM, Pimcore, Shopware and Oxid.

Please stay tuned if you are using a Bitnami PHP application, as we will continue releasing apps as soon as a fix is available.