Thursday, April 26, 2018

Drupal 8.5.3 and 7.59 highly critical releases (SA-CORE-2018-004)

[Note] Open Atrium (a Drupal distribution) and CiviCRM (CMS integration with Drupal) are also affected by this vulnerability. Make sure that your deployment is updated to the latest version.

--

Drupal has released a new version that fixes a highly critical security vulnerability. We strongly recommend upgrading your existing Drupal 7 and 8 sites.

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

It is recommended that you upgrade your Drupal application to Drupal 7.59 or later and Drupal 8.5.3 or later. We highly recommend creating a backup before proceeding. You can follow our documentation to learn how to upgrade your application and ensure its security.

If you are unable to update immediately and have advanced Drupal administration skills, you may opt to patch your systems until such time as you are able to completely update. The Drupal community has provided patches which can be applied using the following procedure:

1. Change to the Drupal directory (assuming /opt/bitnami/ as the installation directory):
cd /opt/bitnami/apps/drupal/htdocs/

2. Download the correct patch for your system based on the version of Drupal in use.

- For Drupal 7.x:
wget -O drupal.patch 'https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=080daa38f265ea28444c540832509a48861587d0'

- For Drupal 8.5.x:
wget -O drupal.patch 'https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=bb6d396609600d1169da29456ba3db59abae4b7e'

3. Apply the patch:
sudo git apply /opt/bitnami/apps/drupal/htdocs/drupal.patch

4. Restart the Apache web server:
sudo /opt/bitnami/ctlscript.sh restart apache

Patching is a temporary solution until you find the time to perform a complete upgrade of your Drupal installation. These patches will only work if your site already has the fix from SA-CORE-2018-002 applied.
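As an added example (not part of the original post and not Bitnami's own tooling), the script below automates the decision behind this procedure: it reads the core version from a docroot, works out whether one of the two patches above applies, whether the fix is already present, or whether only a full upgrade will do because the SA-CORE-2018-002 prerequisite release (7.58 or 8.5.1) is missing, and dry-runs the patch with git apply --check before anything is modified. The version-marker file paths and the make_fixture helper are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: classify a Bitnami Drupal
# docroot against SA-CORE-2018-004 and stage the matching interim patch.
# Assumes Drupal core declares its version in includes/bootstrap.inc
# (7.x: define('VERSION', '7.58');) or core/lib/Drupal.php
# (8.x: const VERSION = '8.5.2';).

D7_PATCH='https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=080daa38f265ea28444c540832509a48861587d0'
D85_PATCH='https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=bb6d396609600d1169da29456ba3db59abae4b7e'

# Print the core version declared under a docroot, or nothing if not found.
drupal_version() {
  if [ -f "$1/core/lib/Drupal.php" ]; then
    sed -n "s/.*const VERSION = '\([0-9.]*\)'.*/\1/p" "$1/core/lib/Drupal.php"
  elif [ -f "$1/includes/bootstrap.inc" ]; then
    sed -n "s/.*define('VERSION', '\([0-9.]*\)').*/\1/p" "$1/includes/bootstrap.inc"
  fi
}

# Map a version to a plan: "patched" (fix already present), "patch <url>"
# (the SA-CORE-2018-002 prerequisite 7.58 / 8.5.1 is in place, so the interim
# patch applies) or "upgrade" (no interim patch for this release; go straight
# to the full upgrade to 7.59 / 8.5.3).
patch_plan() {
  case $1 in
    7.59|7.[6-9][0-9])        echo patched ;;
    7.58)                     echo "patch $D7_PATCH" ;;
    8.5.[3-9]|8.5.[1-9][0-9]) echo patched ;;
    8.5.1|8.5.2)              echo "patch $D85_PATCH" ;;
    *)                        echo upgrade ;;
  esac
}

# Report the plan for a docroot; fails when no Drupal core is found there.
report() {
  v=$(drupal_version "$1")
  [ -n "$v" ] || { echo "no Drupal core found under $1" >&2; return 1; }
  echo "Drupal $v: $(patch_plan "$v")"
}

# Download the applicable patch into the docroot and check it with
# `git apply --check`, which reports rejected hunks without touching files.
# The real `sudo git apply` from step 3 above is left to the operator.
stage_patch() {
  plan=$(patch_plan "$(drupal_version "$1")")
  case $plan in
    patch\ *) url=${plan#patch } ;;
    *) echo "nothing to stage: $plan" >&2; return 1 ;;
  esac
  wget -q -O "$1/drupal.patch" "$url" &&
    (cd "$1" && git apply --check drupal.patch) &&
    echo "drupal.patch applies cleanly under $1"
}

# Constructed fixture for offline runs: a fake docroot carrying only the
# version marker for the given release.
make_fixture() {
  dir=$(mktemp -d)
  case $1 in
    7.*) mkdir -p "$dir/includes"
         echo "define('VERSION', '$1');" > "$dir/includes/bootstrap.inc" ;;
    *)   mkdir -p "$dir/core/lib"
         echo "  const VERSION = '$1';" > "$dir/core/lib/Drupal.php" ;;
  esac
  echo "$dir"
}

# Usage: sh drupal_sa004_check.sh /opt/bitnami/apps/drupal/htdocs [--stage]
if [ $# -gt 0 ]; then
  report "$1" || exit 1
  if [ "${2:-}" = "--stage" ]; then stage_patch "$1"; fi
fi
```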

For new application deployments, including the Bitnami Launchpad, we are releasing Drupal 7.59 and 8.5.3 containers, installers, virtual machines and cloud images that include the fix to address this vulnerability. If you deploy Bitnami Drupal and it is not yet updated to its latest version, you will need to upgrade by following our documentation.

If you have further questions about Bitnami Drupal or this security issue, please post to our community forum, where we will be happy to help.


Wednesday, April 25, 2018

Top reasons to move to multi-tier deployments with Bitnami


Authored by Greg DeRenne, Technical Marketing Engineer

Introduction

The majority of images available in the Bitnami catalog or in any of the Cloud Service Providers' marketplaces (Azure, AWS, Oracle Compute Infrastructure, Google Compute) are single-tier architectures: all of the required components run on a single Virtual Machine (VM).

A single VM solution has its benefits:
  • Extremely simple to understand and get started with
  • Cost effective. Depending on the cloud, usage may even fall into a free tier.
  • Quick to deploy (some VM’s spin up in just 2-3 minutes)
In summary, single VM solutions are ideal for development, testing, demonstrations, proof of concept and small scale use cases. 
To meet user demand for larger production use cases, Bitnami has been focused on building out multi-tier solutions. Multi-tier solutions have more than a single VM, and usually include additional infrastructure resources, such as gateways, security groups, load balancers, etc. Multi-tier solutions are ideal:
  • For production use (where higher run costs are justified)
  • When additional deployment options are needed (such as sizing, snapshots, and cloud-native managed services)

Current examples of multi-tier solutions include:



In addition to customer inquiries and demand, several factors influence which stacks we develop multi-tier solutions for. They generally fall into the following categories:
  • Horizontal scaling or high availability through redundancy (Jenkins, Elasticsearch, MySQL)
  • Vertical scaling flexibility and security (WordPress, MEAN stack)

Knowing the scaling and usage requirements of multi-tier solutions, it’s understandable that they are often more complex and require additional assets and output types.


As you can see, a single-tier simply consists of a machine image for the specific cloud. For a multi-tier solution, Bitnami auto-generates the templates needed to build out all resources based on several configuration options you specify at the time of creation. (More on this later.)

The rest of this blog will explain what the top reasons to use Bitnami multi-tier solutions are, and why they matter. Several example multi-tier Bitnami deployments that are already available in the Marketplace will be used to help illustrate the points made. Note that some of the reasons may overlap with single VM solutions. For example, from an end-user perspective, both our single and multi-tier solutions are simple to use. However, the single VM is even simpler. 

Top reasons to consider using Multi-tier over Single-tier solutions

Price


Bitnami application and developer stacks are offered for free to the user, only cloud consumption is paid for. It’s true, single-tier solutions are free from Bitnami as well, and cost less with respect to cloud usage… but as mentioned earlier, there are scenarios that justify the extra run costs. (Such as a production roll out, not a simple demo or proof of concept that only needs to run for a few hours.)

Further, consider the age-old adage:
“Time is money.” Quoted by just about every business owner… ever.

Price can be more than just a monetary value. There is also time and effort to consider. As you read on, you will learn the complexity under the hood of Bitnami multi-tier solutions shields you from spending a lot of time and effort. How much? It differs from case to case, but it is usually measured in days and weeks, not just hours.

Performance


Improved performance is arguably the most important reason to go to a multi-tier architecture. When the database is split out from the application, the workload becomes distributed. Further, the configuration for each tier can be optimized. For example, if your application is CPU heavy but light on database reads/writes, you can use VMs that are optimized for compute on the application tier, and save money by not paying for additional IOPS (input/output operations per second) and high disk throughput VMs on the database tier. In some use cases, a managed database service (such as Azure Cosmos DB, or AWS RDS (Relational Database Service) using Aurora or MariaDB) may be preferred to rolling your own database install on VMs. Cloud Service Providers (CSPs) tackle the most challenging IT and operations roles for their managed database services, including performance. Several Bitnami multi-tier solutions include managed database services. A good example is deploying a custom Node.js application that uses Azure's load balancer and Cosmos DB configured for MongoDB.

Security


The first step in moving from an all-in-one architecture to a multi-tier architecture involves splitting the database tier out on its own. Data is paramount, hence keeping the data secure is critical. Security best practices, many internal enterprise policies, and PCI (Payment Card Industry) compliance require database isolation. A multi-tiered architecture reduces the number of threat vectors to the data. Consider the basic multi-tier architecture for one of the most popular Bitnami application stacks (WordPress):
By default, firewall rules do not allow any remote access to the database, only access from the VMs in the data tier. However, the application tier allows external traffic to ports 22 (SSH), 80 (HTTP) and 443 (HTTPS). If that does not meet your security policies, you are not without options: simply modify the inbound firewall rules to turn off SSH access to the application tier. Some enterprises set up a dedicated management VPC (virtual private cloud) that includes a bastion host, so that remote access via SSH must go through the bastion host. That VPC and bastion host can be closely monitored and restricted to a list of source IP addresses as well, greatly reducing the potential for a data breach.

Bitnami multi-tier solutions are more secure by default, and our images are monitored and updated, especially when it comes to security patches.

Availability

A discussion about availability often includes reliability and redundancy as well.

The Node.js deployment discussed earlier also utilizes a managed database service. Azure’s Cosmos DB is a reliable, available, high throughput database service with geo-replication capabilities. Nice!


Note the write region is in the western U.S., and a read replica in the eastern U.S. This was configured at the time of creation, but it can be modified or added to later. Setting up a highly available, reliable, redundant and high throughput solution for your data like this is no small task. The majority of small and medium sized companies, even some larger enterprises, simply don't have the resources to design, configure, and maintain such an endeavor. The Cosmos DB service level agreement (SLA) offers 99.999% high availability. Bitnami has taken this into account when designing the Node.js HA cluster deployment for Azure.

From the application perspective, high availability is achieved through a load balancer sitting in front of multiple front-ends running your application.

Simple and includes Best Practices


There is no simpler way to roll out production ready, secure, reliable, performant application and development stacks than Bitnami’s multi-tier solutions. To help illustrate this, recall the Node.js application with load balancing on the front-end and MongoDB on the backend just discussed. When you click “create”, the following assets are generated for you by Bitnami via an Azure Resource Manager (ARM) template:


The Bitnami auto-generated ~1,000-line template used to create all resources is available for download and modification if needed. In addition to creating the resources, many best practices specific to the application are also included in the template: for example, permissions, ports, and enabling or disabling authentication for servers. Once the VMs are up and registered with the load balancer, browse to the public IP and you're good to go.

As another example, take the Kafka cluster on Google Compute.

Rather than configuring and launching a Zookeeper cluster, then multiple Kafka brokers on top of that, Bitnami generates the templates needed to configure the entire deployment. You can choose the number of Zookeeper and Kafka nodes to include with your cluster. The default values include a 1-node Zookeeper cluster with a 2-node Kafka cluster (as shown from a partial Deployment Manager (DM) template and the Google Cloud console):


Not to be forgotten, all of the multi-tier solutions available in the cloud marketplaces are built on the back of years of experience. They include extensive acquired knowledge baked in as best practices.
  • Unmatched experience building, packaging, deploying, and updating images (1000’s of builds and updates every month)
  • Stacks deployed over 1M times per month
  • 120+ applications and development stacks available
  • Stacks utilize cloud-native resources and managed services (when it’s best to do so)

“Make no mistake, you can only achieve simplicity through a lot of hard work.”  - Clarice Lispector

Let Bitnami’s hard work and proven best practices simplify rolling out multi-tier architectures in the cloud for you.

Next Steps

Take a multi-tier application or development stack for a test ride! Check out the Bitnami documentation on multi-tier solutions, the Bitnami Engineering blogs, and visit your favorite Cloud Service Provider's (CSP) marketplace and search for: Bitnami Multi-Tier (or, in some cases, Bitnami Cluster).

Azure Documentation
Amazon Documentation
Google Documentation

Tuesday, April 24, 2018

Meet the team: Andres Rodriguez Chamorro

The Bitnami team is a diverse group of talented people distributed all over the world. Get to know them better through this series of blog posts.

Based in our Seville Office, Andres works on our assets team.

A Brief Bio

I was born in Seville, Spain, though I did not start living here until several years later :). My first contact with computers was when I was around 8 years old, with an MSX computer (does anyone remember that?) which was mostly used for games, of course. At that point my mother was in college and she brought home some books and homework on BASIC and I started playing with it: that "coding" stuff was fascinating! And the rest is history: different kinds of computers and OSes, multiple languages to learn, etc. At the time, it was just a hobby that I really enjoyed, but it wasn't something that I was interested in doing as a day job, although I knew it would be a useful tool in whatever I ended up doing.

Years later, while I was still in college myself (doing non-CS-related stuff), I got an opportunity to work as a System Administrator for one of the largest ISPs in Spain at the time and never looked back. Since then I have worked in System Administration, Engineering, and consulting work (where I mixed engineering, product and business roles) until I went back to a full-time Engineering position at CloudBees to work on Jenkins and Jenkins-based products.

Why did you join Bitnami, and what excites you about working here?

The decision to join Bitnami was really easy since everything I saw about the company really resonated with me. First of all, the challenge: as an engineer, you are always looking for interesting and challenging things to work on, and there are plenty of them here. Next was meeting the team, a really talented and diverse group of people who are really awesome to learn from and work with. The mix of a big engineering office here in Seville with a strong distributed culture provides the best of both worlds. And last but not least, the Bitnami values and culture were a really good fit for me. This company works hard to build a real business based on stuff that people actually want, and the goal is to achieve real, sustainable growth based on that.

What are you working on?

One of the main product areas of Bitnami is the Application Catalog, which is what my team works on. It provides more than 150 applications, developer tools and infrastructure components conveniently packaged in multiple forms, from an installer to use on your personal computer or server, to pre-packaged virtual machines, to one-click deployments on our cloud partners, to containers and Helm charts for Kubernetes, among others. Each of these options has multiple flavors as well, from local installations for development and testing to full-fledged, production-ready multi-tier deployments in the cloud. As you can imagine, keeping that catalog up to date and with the latest security fixes involves many teams and creates an amazing amount of challenges. My job here is, together with all teams involved, to work on continuously improving all the automation involved with the catalog, so that we can offer more amazing stuff, faster and with greater efficiency.

Enjoying the Sierra Nevada in Spain



What do you like to do for fun?

I’ve always liked travelling, reading, hanging out with friends, good TV shows and of course, tinkering with computers :). Now, as a father of a 4-year-old, priorities change a little bit :), but life is more enjoyable than ever!

Interested in working with Bitnami and Andres? Apply for one of our open positions!

KubeCon EU Countdown - Live Demos and Major Releases

Authored by Miranda Carter, Marketing Manager

It is that time of year again where the Kubernetes fans come together under one roof to collaborate and discuss the ever-changing landscape of Kubernetes through sessions, breakout meetings, and more at KubeCon!

As part of the first KubeCon for 2018, we are excited to announce some major updates to our most popular Kubernetes projects. First, we are releasing Kubeapps 1.0 to continue the simplification of deploying and managing Kubernetes-ready applications and serverless functions.

We have added a Kubernetes-native authentication/authorization mechanism, support for functions, integration with the Open Service Broker API and, based on customer feedback, integration with the JFrog Artifactory chart repository. JFrog will do a demo of the new JFrog Artifactory integration in Kubeapps at the following times:




Mark your calendar - JFrog Demo of Kubeapps

Wednesday, May 2:

10:40 Live demo/Q&A at the Bitnami Booth

Thursday, May 3:

15:20 Live demo/Q&A at the JFrog Booth

Second, we are also releasing Kubeless 1.0 to accelerate adoption of serverless functions in Kubernetes. Kubeless is feature packed, with support for Golang functions, NATS.io events, integration with Sysdig Falco and much more. SAP and Sysdig will be at KubeCon with us to demo these exciting new Kubeless features; they will be doing live demos of their integrations at the following times:

Mark your calendar- SAP Demos of Kubeless

Wednesday, May 2:

18:40 Live demo/ Q&A at the Bitnami booth

Mark your calendar - Sysdig Demos of Kubeless

Wednesday, May 2:

15:20 Live demo/ Q&A at the Bitnami booth

Thursday, May 3:

10:40 Live demo/ Q&A at the Sysdig booth

Along with the live booth demos and Q&A, our Kubernetes leaders will be presenting two talks as well. Make sure to add them to your conference schedule!

We look forward to seeing you all there!

Can't make it to KubeCon? Register for our KubeCon re-cap webinar where we will go in-depth about all of the updates that we demoed at the show! 

Monday, April 23, 2018

And the answer is….Multi-Tier.

For the past few months, our team has been creating and releasing Multi-Tier applications for our cloud partners such as Microsoft Azure and Google Cloud Platform.

These Multi-Tier applications are production ready, and will provide your company with the scalable infrastructure that your application will need in order to run efficiently.

Check out our posts below to learn more about each of the offerings, and how to get started:


Wednesday, April 18, 2018

Security Release: JasperReports 6.4.3

TIBCO JasperReports has released a new update that contains multiple security enhancements, including one that prevents remote code execution. We recommend that all JasperReports installations be upgraded to the new version (JasperReports 6.4.3) immediately.

TIBCO JasperReports Library Code Sandboxing Problem - CVE-2018-5429
TIBCO JasperReports Server Information Disclosure Vulnerability - CVE-2018-5430
TIBCO JasperReports Server Cross Site Scripting Vulnerability - CVE-2018-5431

For more information about these security issues, please refer to the respective advisories.

Bitnami has released Bitnami JasperReports 6.4.3 Helm charts, containers, installers, virtual machines, and cloud images in order to address these security vulnerabilities. If you already have Bitnami JasperReports running on any of these platforms, you can upgrade the application by following the official upgrade guide.

Users launching Bitnami JasperReports via a cloud provider's marketplace are advised to select version 6.4.3, once it is published. Installations based on previous versions will need to be upgraded as described above.

If you have additional questions about Bitnami JasperReports, post them in our community forum, and we will be happy to help you.

Tuesday, April 17, 2018

Meet the Team: Mose

The Bitnami team is a diverse group of talented people distributed all over the world. Get to know them better through this series of blog posts.

Based in Taipei, Taiwan, Mose works remotely for the Webdev team.

A Brief Bio

When the Internet came to France around 1994, I was working in advertising as a creative director, but my passion was around automating things. So, I had to learn programming to automate my first websites, first statically and later dynamically with PHP in '98. Then, I became a developer, learning all I could from practice (thanks to the internet bubble of the 2000s), and by participating in various open source projects, a real fertile ground for self-learning. Since then, I made my way into programming and system administration while engaging in some activism around Open Source, collective intelligence, environments, and various other things. I have always used Linux, preferably Debian flavored.

In 2008, I decided to learn a new language that was not for programming. I chose Chinese. I moved to Taiwan and spent one year at a university learning Chinese there. And I never left. Taiwan is a really great country to live in, as a foreigner.

I consider myself a life-long geek with a weird mixed background. More details on http://mose.com

Why did you join Bitnami, and what excites you about working here?

What excited me about Bitnami was the type of products that we deliver. Packaging Open Source applications for various platforms and environments is like a public service for the internet. We are at the age where more and more SaaS platforms offer services that transform the internet user into a mere consumer with no control over their data, so Open Source software lost a bit of its power to liberate people. With Bitnami, people can easily deploy Open Source applications in various places, which empowers them to take back control of the internet. And this is a big deal for me.

But there were also many other factors that attracted me to Bitnami like the flexibility to work remotely, and the deliberate intention to make remote work possible and efficient. Since I’m in Asia, I had multiple options to work remotely for other companies, but without a real concern about remote workers in a company, it can be tricky. I was confident that Bitnami would provide a better experience than I had in the past since the overall culture and values are a big part of the company. And the values really have weight internally, it’s not just some paint for external eyes. I like it.

Also, the fact that Bitnami remains on the edge of what's new and fresh in terms of technologies gave me the guarantee that it would be a good environment for potential exploration and discoveries.

What are you working on?

I am on the Webdev team, which is in charge of automating delivery of our packages and images to cloud vendors, and also maintaining various websites and tools available at Bitnami, either publicly or internally.

I just began one month ago, but I can predict that I won't ever be bored with the work I am doing. There are a lot of different processes to manage and automate. Each cloud vendor, platform or format brings new challenges since there is no real standard in this industry. This is certainly why Bitnami is so valuable: it handles such diverse software and solutions.

The work within my team is mostly focused on writing code to facilitate the delivery pipeline and the management of workflows, so that the software can reach its destination in a usable shape and multiple flavors. It's a lot of invisible work, deep down in the machine, but it's very pleasant because it's not simple and it requires a good amount of creative thinking.

What do you like to do for fun?

Mose enjoying a walk around Hong Kong

I’m a very boring person, because for fun, I do some more coding, or sysadmin stuff. I participate in various local and international communities, but it’s usually (not exclusively though) with other geeks. I’m not anti-social at all, it’s just that I’m comfortable with my peers and I like keeping my head inside the game.

Sometimes I do some biking, but I don't like working out; it is just a logical transportation device for me. Sometimes I cook, but well, that doesn't count, I'm French after all.

I prefer to have no stress in my daily life. I favor working on things I consider are fun, interesting and make sense, so I don’t feel the need to escape or decompress. I guess that’s the benefit of being older, I play for the long run.

Interested in working with Bitnami and Mose? Apply for one of our open positions!