Wednesday, March 22, 2017

Moodle Security Issue CVE-2017-2641

[UPDATE 2017-03-23]

For new application deployments, Bitnami has released Moodle 3.2.2 installers, containers, virtual machines and cloud images that address these vulnerabilities. If you deploy Bitnami Moodle via a Bitnami Launchpad, your application will be up-to-date and secure. If you deploy Bitnami Moodle via one of our cloud partner marketplaces and it is not yet updated to version 3.2.2, you should apply the workaround explained below.


The Moodle project has just released new versions that contain an important security fix for a SQL injection vulnerability via user preferences that can lead to remote code execution (CVE-2017-2641).

Moodle has released versions 3.2.2, 3.1.5, 3.0.9 and 2.7.19 that fix the issue. We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami. Our team is working to update all of the affected Moodle packages available through Bitnami as quickly as possible.


In the meantime, we strongly encourage all Moodle administrators to apply the security patch published by the Moodle maintainers. In order to do so, log in to your Moodle installation and run the following commands:

$ curl -L -o /tmp/security.path ';a=patch;h=6e65554ea19f4e90c09864081e47424f8efca02e'
$ cd /opt/bitnami/apps/moodle/htdocs
$ sudo patch -p1 < /tmp/security.patch
$ rm /tmp/security.patch

If you have further questions about Bitnami Moodle or this security issue, please post to our community forum, and we will be happy to help you.