Wednesday, February 28, 2018
Security Release: Magento 2.2.3
Magento has released a new update that contains multiple security enhancements. These help to resolve, amongst others, the Cross-Site Scripting (XSS) and authenticated Admin user Remote Code Execution (RCE) vulnerabilities. Here is the complete list of security enhancements introduced by this new release:
- APPSEC-1951: JavaScript execution in the administrator panel
- APPSEC-1952: Remote Code Execution using media upload
- APPSEC-1865: Cross-Site Scripting in customer information
- APPSEC-1907: Cross-Site Scripting in Customer Address
- APPSEC-1935: Cross-Site Scripting leading to Denial-of-Service
We highly recommend upgrading your existing Magento Community Edition 2.x sites. For more information about these security issues and many others fixed in Magento 2.2.3, please refer to this blog post in the Magento Security Center.
Bitnami has released Bitnami Magento 2.2.3 Helm charts, containers, installers, virtual machines, and cloud images in order to address these security vulnerabilities. If you already have Bitnami Magento running on any of these platforms, you can upgrade the application by following our documentation.
Users launching Bitnami Magento via a cloud provider's marketplace are advised to select version 2.2.3, once it is published. Installations based on previous versions will need to be upgraded as described above.
If you have additional questions about Bitnami Magento, post them in our community forum, and we will be happy to help you.
Tuesday, February 27, 2018
Bitnami Stacksmith - Cloud Migration Made Simple
Authored by Michael Murphy, Product Marketing Manager
Bitnami is pleased to announce the official release of Stacksmith, our enterprise application migration solution.
Stacksmith has been in the works for the last year or so, but it builds on Bitnami’s extensive experience in application packaging that goes back much further. In fact, Stacksmith is a productization of the tooling and automation that Bitnami uses internally to package and maintain the catalog of about 120 open source applications that it publishes to all the major cloud marketplaces. And just like our application catalog, packaging an application in Stacksmith ensures an easy-to-use, ready-to-run and always up to date application...only in this case, it’s your internal custom application.
Stacksmith lets enterprise companies leverage Bitnami’s application packaging experience and automation when they repackage their custom and legacy applications and move them to a public or private cloud platform.
- Stacksmith is easy to use
- Stacksmith gets you all the way there
Stacksmith is easy to use
Consider the following:
- You don’t have to have a sophisticated internal software development team in place to use Stacksmith – our step by step approach walks you through the process.
- You don’t have to have lots of cloud knowledge or experience to use Stacksmith – Bitnami’s extensive experience packaging for all the major cloud provider platforms means that this knowledge is built in. The Stacksmith templates bring in all the components required by the target platform, as well as best practices.
- You don’t have to edit or alter your application source code – you can replatform it as-is with Stacksmith. So even if the original developers of the application have long since moved on, you can still migrate the application with confidence.
- Keeping your replatformed application up to date moving forward becomes super easy – Stacksmith automates the ongoing maintenance tasks associated with keeping applications up to date, a challenge many companies face with their legacy applications in the datacenter today.
Stacksmith gets you all the way there
Stacksmith is designed to deliver a complete application migration experience for enterprises. It doesn’t only deliver part of the migration toolchain experience – Stacksmith gives you everything you need to complete the replatforming process. This is a significant departure from many other solutions in the market that simply build a container or virtual machine - but still require you to create the deployment template needed for the new platform. Creating those templates requires cloud and platform specific knowledge.
Stacksmith takes a running application in the traditional datacenter, repackages it, and delivers a running application in the public or private cloud. Boom - application migrated. And the extensive Bitnami experience means that all the required components for your application to run on its new platform, as well as platform best practices, are built in to the process and get included with your new application package - we know what each platform requires so you don’t have to.
Find out for yourself. We created a host of new assets for this launch, including:
- A completely refreshed Bitnami website
- New Stacksmith product and solution pages on the new Bitnami.com site
- A whitepaper titled ‘Optimizing Applications for Cloud Migration’
- A Stacksmith 30 day Trial - come try it out!
- A Stacksmith Demo Video
- A series of enterprise blog posts that explore a number of application migration topics and challenges
- Stacksmith documentation
If you have been waiting for a ‘better solution’ to assist with your digital transformation initiative, now you have it! Use Stacksmith to get those legacy applications migrated to cloud, private or public.
Oh and if you like what you see, help us spread the word!
Monday, February 26, 2018
Helm Summit In Review
Authored by Rick Spencer, VP of Engineering
The Helm project was initially started, roughly, by Deis, Google, and Bitnami. Deis and Google combining packaging technology in the first iteration of the tooling, and Bitnami providing the actual packages and the expertise in packaging. It then evolved that Google devs focused more on providing the testing, and Deis devs primarily drove the development of the tools, with Bitnami devs contributing charts, and related tech, such as the linter.
Microsoft acquired Deis last year. I was involved in a (very) few of the discussions regarding Helm 3 and Helm summit, and it seemed clear to me that Microsoft was providing resources and people to plan and execute the summit. I have to commend Microsoft for their very light touch at the summit. Other companies might have used the summit as an opportunity to push their brand on the community, but this summit was very community focused. It was all about contributors.
You could really see this on Day 2 when our own Miguel (an Emeritus Maintainer of Helm) moderated a panel of the core devs. As you would expect many, but not all, of the core devs were from Deis and currently working for Microsoft. And very active contributors such as Matt Farina (also a core dev) don’t even work at any of the three initial companies that started Helm. Even the conference MC was not a Microsoftee, but rather from Nike, who are apparently heavy users of Helm. I think that this effort to keep the project a real community open source project will be a strong contribution to the success and longevity of the project.
Day 1 was very “backward facing,” dedicated to reviewing the history of the project, but also with a strong focus on presentations from users discussing how they use Helm. It was fun to hear so many Bitnami sponsored projects (monocular, sealed secrets, our charts, etc…) mentioned throughout the day. We see the numbers of users and contributions growing but it was nice to hear how much the community is embracing our contributions.
Day 1 wasn’t just about celebrating Helm, these users brought up problems and challenges. This was important for Day 2, when the conference switched to planning Helm 3.0.
For example, Ubisoft discussed their heavy usage of Helm. They noted that they struggled at times because Helm assumes charts will be deployed “by themselves” so Helm has limited composability. Related, they also said that they find collaborating on deployments is not as well supported by Helm as they would like. For example, one team cannot easily provide a standard implementation of something like networking or logging across all teams. They are looking at ksonnet to see if that can help. They are also looking at monocular to help with visibility.
I also particularly enjoyed the Chart Museum presentation. Chart Museum provides a highly functional chart repo, and the code seems very community friendly.
After lunch on Day 2, the conference switched to working sessions to discuss Helm 3. To set up for this, 2 of the core maintainers set the groundwork by describing requirements for Helm 3.
While I thought the requirements were reasonable, I did feel that they were a little too prescriptive, and limiting. It felt that they were trying very hard to limit the scope of the changes, and therefore limit the project.
However, Brian Grant from Google went on to make a strong case that Helm should be decomposed into a set of unix-like tools rather than one server and one client, and ensure that each of these tools is built in a really “kubernetes way” (my read was that meant using all of the appropriate parts of the current and future kubernetes API).
In my view, this would be a stronger approach to the tooling. I think it would be important to maintain compatibility with existing Helm 2 charts, as that is where the lion’s share of the user effort has gone so far. However, having a set of smaller tools with strictly defined inputs and outputs could keep the community from splintering as different teams adopt different technologies to fit their needs (I’m thinking of things like jsonnet, ksonnet, and kubecfg). Additionally, I think this approach could result in a deeper relationship between the Kubernetes and Helm communities.
I don’t think the Helm project or community is ready to take this leap in version 3.0. It seemed that there was more “low hanging fruit” in improvements that the community is eager to tackle first.
Overall this was a great event. I look forward to the progress we’ll make as a community on Helm 3.0 given the direction that was set and the long term future of Helm as a project with the group that was represented in Portland last week.
Friday, February 16, 2018
A glimpse back at the Bitnami All-Hands 2018
Authored by Miranda Carter, Marketing Manager (previously Operations Manager)
On an average day at Bitnami, we work with teammates from over 10 countries and 19 time zones. With all geographical hurdles aside, we are still able to collaborate and share in a company wide culture that is filled with some of the most talented people in the industry.
Once a year, we bring this amazing team together to make our bonds even stronger and our goals even tighter. The Bitnami All-hands is something that each Bitnami employee looks forward to because it provides the extra spark that ignites a year’s worth of passion towards our company goals, and creates memories, pictures, and inside jokes that continuously get brought up in Slack conversations throughout the year.
This year, we started our All-hands with one of my favorite things, the ice breaker, which lets each of us meet the new faces in the room and kick off the week with a little fun. This year we did an activity called the “egg-breaker”, where each group had to create a structure for their egg that would protect it from a series of tests (like throwing it on the ground...hard). Not one group’s egg survived, so the activity reminded us that we should all stick to packaging apps instead of packaging eggs.
Once we got our giggles out, it was straight to business as we started a series of employee-led sessions and talks that were curated by internal requests that we had gathered from employees a few weeks before. Some of my favorite sessions included:
- Product, People, and Profit
- Kubernetes Roadmap
- Ecosystem Whiteboarding
- Ask the Founders AMA
- Bitnami Value Awards
One thing that has always amazed me about the Bitnami All-hands is the amount of curiosity that fills the room throughout each presentation. Even during our optional presentations, the room is filled with employees from all different departments and roles, who are truly engaged in whatever the session is about.
The company does a great job of keeping everyone up-to-date on company objectives throughout the year during our bi-monthly demo meetings, but the All-hands is where they take it to the next level. Each executive presents the good, bad, and the ugly of the previous year, and then reveals the 2018 objectives that they expect to hit for the following year for their department.
These types of presentations might sound boring to you, but this is the exact type of content that makes a Bitnami employee want to jump out of their seat to “Make it so”!
After all the presentations were said and done, we hopped on a bus to Sintra, Portugal for a fun (no work) weekend away. We had a blast doing a scavenger hunt at Quinta da Regaleira, exploring the many twists and turns of the Sintra Castle, and had an amazing party with a live band on Saturday night.
Following the weekend away, our engineering team continued the momentum of the All-hands with an engineering sprint and a continuation of round table discussions about what’s next for our projects like Kubeless. They even finished our new website design, have you checked it out yet?
I’d say this year’s All-Hands was extremely successful, and gave us all the momentum that we needed to kick 2018 off the right way. We’ve got the clear goals and the cross-team commitments it will take to execute! We can’t wait to show you all what we are working on. Stay tuned for some big announcements this week!
If you are interested in joining this amazing team and working with the latest technologies, check out our open roles here!
Thursday, February 15, 2018
Meet the Team: Matt Small
The Bitnami team is a diverse group of talented people distributed all over the world. Get to know them better through this series of blog posts.
Matt is the Head of Customer Success, and lives and works in Bend, Oregon. He calls himself a “Cloudie.”
A Brief Bio
I’ve always been fascinated by technology; less so about having to build it myself and more so about figuring out how it solves real challenges for the business. In the past 10 years, cloud computing has become an all-encompassing focus for me--since cloud-years are like dog-years, that’s more like 70 years. I got my head stuck in the clouds during Amazon Web Services’ infancy as an early employee at RightScale, a leading Cloud Management Platform, and I was fortunate in my timing and proximity to cloud computing luminaries. Since then I’ve made it my goal to not just understand the nuts and bolts technology, but to figure out its most transformative uses. I’ve personally helped hundreds of IT organizations with their digital transformation and cloud journeys; assisting them in breaking down cultural barriers, adopting new tools, and managing their infrastructure investments across public and private cloud and container platforms.
The opportunities I’ve had to speak with startups, enterprises, service providers, cloud and software vendors, about the positive and negative impacts that “cloud” has had on their business has left me with a deep understanding of how hard but worthwhile this type of disruptive adoption can be. I have found great personal satisfaction in helping others successfully navigate and manage those disruptions. I’m joining Bitnami to help them establish new foundations for success in the Enterprise with Stacksmith, an opportunity that affords me great personal and professional growth.
I’m also a huge fan of remote working and call the beautiful city of Bend, Oregon my home and office--I call myself a “Cloudie.” To me, cloud computing has forever shifted the landscape of remote work. I’m very happy to be a part of a team with a solid remote culture, that values knowledge and talent wherever in the world it’s found.
Why you joined Bitnami and what excites you about working here?
Initially I was most excited to join the team and work with their founders. I had been following Bitnami for many years as they moved from local installers, to cloud images, to multi-tier orchestration, to containers. I watched Erica and Daniel place certain bets and avoid others in a rapidly changing landscape. They face disruption with eyes wide open, even if that means some disruption to their own business. They never seemed content to rest on their laurels, even if those laurels have helped them build a well-funded and profitable company. I valued the opportunity to work with them and within a comfortable, friendly sister-culture to RightScale.
But now, HOLY CRAP is there a lot more to get excited about at Bitnami!
Stacksmith, my Bitnami baby, is not just a simple tool that builds images for clouds and containers; it’s fundamentally redefining what an “application package” is and should contain--images, services and deployment instructions. It’s the next and final step in a DevOps transformation, providing line of business and application owners (Dev) control over their application updates and versioning, while still deferring the best practices and corporate standards for their architecture to IT (Ops). Somehow (hit me up for a demo and I’ll show you) it manages to do this with an accessible approach that resonates with one of Bitnami’s core values, Value Simplicity. It meets people where they are in their cloud maturity and integrates with a broad landscape of popular tooling and practices. Being able to show how impactful this can be in 10 minutes or less is super exciting. Hearing someone tell me we’ve positively changed their entire philosophical outlook on how applications should be packaged and moved through the pipeline in 30 minutes or less is mind-blowing.
After participating in my first Bitnami Global All Hands in Sevilla, Spain, I left that whirlwind week thoroughly impressed with the caliber of people that Bitnami hires. It was clear to me that it was a passion for cloud and container technology and more so the passion to help others succeed with it, that was the thread that bound this, ridiculously smart, highly distributed and multi-cultural team together. Whether it’s implementing tools to help users find a support doc before they knew they needed it or offering to help their new Head of Customer Success figure out how to set up a minikube cluster and use Helm charts, this team is ready to MAKE IT SO.
What are you working on?
Everything Stacksmith! Applications are eating the world and Stacksmith packages them. To find out more, you’re just going to have to talk to me.
What do you like to do for fun?

I enjoy spending time with my wife and two young boys no matter what we’re doing. I love to eat delicious food, though I’m not much of a chef myself. I really like to ski and you can often find me on Mt. Bachelor on the weekends during the wintertime (look in the trees). During the warmer months you may find me enjoying some of Bend’s fine weather on the Deschutes River or a nearby lake and the even finer beer (Bend has the highest number of breweries per capita in the USA).
Interested in working with Bitnami and Matt? Apply for one of our open positions!