edX Critical Security Fix: Chemical Equation Advanced Problems and security vulnerability in Recommender xblock

[UPDATE 2018-08-01]

Another similar security fix was released and it also allows steal credentials from staff members.

The Bitnami Team worked on publishing the new cloud images, virtual machines and native installers with this new fix. New launches of Bitnami edX ginkgo.2-7 via our launchpad are secure and do not need to be updated further.

If you have an already running installation, we updated the workaround steps to patch this security vulnerability along with the previous one that was announced.

[UPDATE 2018-07-30]

The Bitnami Team is happy to announce that the cloud images, virtual machines and native installers have been updated properly. New launches of Bitnami edX ginkgo.2-6 via our launchpad are secure and do not need to be updated further.

Users launching Bitnami edX via a cloud marketplace are advised to select version ginkgo.2-6 of Bitnami edX, once it is published. Installations based on previous versions will need to be upgraded as described below.

----

A new security vulnerability in edX has been announced. This vulnerability allows learners to include a script in their response to Chemical Equation advanced problems. If the script is malicious and  staff members are lured into viewing the submission, their credentials could be at risk.

We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami. For that reason, our team is working to update all of the affected edX packages available through Bitnami as quickly as possible.

Workaround

In the meantime, we strongly encourage edX administrators to apply the security patch published by the maintainers. To do so, run the following commands depending on your deployment choice:

• Native installers

cd /tmp
curl "https://github.com/edx/edx-platform/commit/5b144559fbdba7ff673cc1c165aa2d343e07b6bd.patch" > edX.patch
curl -L "https://groups.google.com/group/openedx-announce/attach/82b14205f6ca3/update-recommender-ginkgo.patch?part=0.1&authuser=0" > edX-xblock.patch
cd installdir/apps/edx/edx-platform/
patch -p1 < /tmp/edX.patch
patch -p1 < /tmp/edX-xblock.patch

• Cloud images and virtual machines

cd /tmp
curl "https://github.com/edx/edx-platform/commit/5b144559fbdba7ff673cc1c165aa2d343e07b6bd.patch" > edX.patch
curl -L "https://groups.google.com/group/openedx-announce/attach/82b14205f6ca3/update-recommender-ginkgo.patch?part=0.1&authuser=0" > edX-xblock.patch
cd /opt/bitnami/apps/edx/edx-platform/
sudo patch -p1 < /tmp/edX.patch
sudo patch -p1 < /tmp/edX-xblock.patch


If you have further questions about Bitnami edX or this security issue, please post to our community forum, and we will be happy to help you.

Speak with Bitnami Stacksmith experts at Gartner Catalyst 2018

We are excited to be a sponsor for the Gartner Catalyst Conference in San Diego on August 20th-23rd. During the conference, we will show you how your company can optimize your DevOps pipeline by automating your application packaging for today’s cloud and container platforms, and continuously maintain them to ensure they stay up-to-date and secure.

Stop by our booth to discuss how to package and maintain your applications today. Our experts will show you exactly how Stacksmith can improve, automate, and simplify your DevOps process. Not a cloud expert? No problem. Not interested in re-architecting your applications? No problem. Not interested in changing your current CI / CD process? No problem. Come see how Stacksmith meets you where you are!

If you are going to be at Gartner Catalyst, login to your event portal and schedule a meeting with us here.

Here is how Bitnami Stacksmith addresses the current pain points that you might be facing:

Application/Cloud Integration

• Package your applications for multiple platforms and formats, using one simple tool
• Simplify cloud migration and access cloud services from your applications - without having to re-write them!

Application Architecture/Development

• Automate application packaging and deployment template creation
• Improve your security profile and the interworking between developers, security, and operations
• Streamline application maintenance

Cloud Computing/Cloud Architecture

• Package for the cloud and containers with a tool that brings the platform specific knowledge and optimizes your application for your target platform
• Migrate to the cloud and access powerful cloud services you can’t access today

For $325 off your Gartner ticket, use the coupon code CATSP16 when registering for the event. We look forward to seeing you there!

Would you like to try out Stacksmith now? Sign up for a free trial here.

The Rise of Application-Centric DevOps - How Treating the Application as the Asset Increases Trust and Security in the DevOps Process

Written by Matt Small, Head of Solution Architecture

Application-centric DevOps

DevOps is about running applications not infrastructure.  For all we talk about DevOps, closing the gap between code running in dev and code running in production, it’s odd that Ops is still forced to take an infrastructure-centric view of the world, while Dev continues to take an application-centric one.   Shouldn’t we care most about the application itself?  After all, it’s the sum total of all the parts of an application--the code, the dependencies, the infrastructure, the deployment policies, the integrations--that is valuable to the business.

The solution to this--packaging everything required to install and run an application on a target--was solved a long time ago for desktop software with installers.  Since then, the steady waves of disruption to both engineering and operations practices have led to the decentralization of applications and infrastructure alike and proliferate ways to address and automate all of it.  Interestingly though, the idea that we should be taking all those increasingly distributed and disparate components and version controlling them as a package has not been compellingly reincorporated.

How did we get here?

In Ops, IaaS forced us to consider that infrastructure existing at any given moment is not, in fact, a given.  We planned for failure.  We imaged things and launched infrastructure from those images.  When that proved to be too inflexible for the agility of cloud, we adopted launch-time configuration management and orchestration as a best practice.  Let’s start with a golden image that’s versionable.  Let’s layer in scripts to configure the machines, also versionable.  Let’s tie it all together with orchestration so we get a fully functional deployment that can run the application that Dev provided us.

PaaS promised to simplify this tier by tier.  We incorporated that into our orchestration and stitched these services together with IaaS and other API-driven resources, again in the aim of running the code that Dev provided us.

Meanwhile, Dev ran down the path with ubiquitous source control, continuous integration and continuous code deployment processes.  We ensured they too could iterate quickly, partying on issues, testing and releasing early and often, breaking and fixing things with haste.

Then Dev hopped to the other side of the philosophical lemniscate with containers.  Suddenly Dev is the one imaging things and could hand something to Ops to run in staging or production that they had just been running locally.  Immutable image building was back in style and each tier could be more easily versioned once again.

Containerless...ahem...serverless is the next wave washing over us.  The code just runs in the box[es].  Pay no attention to the man behind the curtain!  Now we can incorporate all the best microservices from the most appropriate providers, and the middleware that glues them together with the datastores they need.

Ops trudged along and while they were happy to argue less frequently with Dev about what's going into the box, they were simultaneously dealing with exploding application architecture complexity.   We continue to do our best to stitch things together.  Though increasingly we’re dealing with broadly heterogeneous environments leveraging containers, instances, APIs, managed and unmanaged services (RIP CMDB).  An application can be made up of one, some or all of these.

What’s the alternative? 

Reconverging on the center of the DevOps leminscate, and bringing back the application-centric view of packaging and versioning everything as a unit. Take the code itself, its build dependencies and boot logic, the orchestration required to configure and deploy it and the governance policies it needs to follow to successfully run in a target platform, and make that an immutable, versionable object.  You now have the packaged concatenation of DevOps.  In this approach, the leminscate connects, it doesn’t overlap and chase its tail.  It creates a trusted handshake between development, security and operations whereby all of their requirements, opinions and policies are converged.

Dev maintains control over the application, its version, the explicit dependencies they care about and the application’s boot logic within their tool chain.  Ops and security lock things down, orchestrate the requisite cloud services, and integrate deployment and operational dependencies and policies using their preferred tool chain.  The creation of a versionable, immutable, deploy-ready Application Package during the asset build and assembly process ensures that everyone’s requirements and policies are factored in at a point in time.   Whenever we have a question about what is running and how, everyone knows exactly where to look--the Application Package.

When fully automated, the upstream CI tool converges the code and places a trusted code asset in an artifact repository and development manages their dependencies and application configuration requirements in source control.  Continuous Application Packaging consolidates the code and other artifacts with the policies and automation required to run it whenever there is a change and places a trusted Application Package back into the artifact repository.  Changes can be triggered by new code updates or external events such as a CVE that affects an included system package.  Downstream, a CD tool or orchestrator would pick up that Application Package and deploy it.  The deployment automatically wires up everything that was packaged in as a requirement, such as operational monitoring and logging tooling.

By acknowledging and packaging the hand-off of applications from Dev to Ops, we are  establishing new trust in the Enterprise between these teams, that their requirements, policies and opinions will be factored in.  We are allowing them to work with their preferred tooling and specialize in their domain knowledge.  We’re advancing our understanding of immutability by applying those principles to the entire application.  And we’re preparing ourselves for the next wave of disruption as applications continue to break apart into microservices, functions, and whatever the next building blocks will be called.

Packaging applications is as easy as v1, v2, v3 with Bitnami Stacksmith.  Stacksmith does the packaging, logs everything that goes into them and continuously monitors components and repackages applications with security and system package updates.  It provides a self-service and/or API-driven way for Dev and Ops to finally close the gap.

Security Release: Jenkins 2.121.2

The Jenkins project released a new version that fixes multiple security vulnerabilities. These vulnerabilities allow unauthenticated users to reset parts of the Jenkins configuration as well as to read arbitrary files inside the installation, cancel builds, or abort agent launches.

We recommend that you update your Jenkins installations to the latest version. You can follow our documentation to learn how to upgrade your application. If you are using the Bitnami Jenkins Docker container image, please follow the documentation in our GitHub repository.

You can find more information about this Jenkins security issue in the Jenkins Security Advisory.

Bitnami has released Jenkins 2.121.2 containers, Helm Charts, Multi-Tier solutions, installers, virtual machines and cloud images that address these vulnerabilities.

https://bitnami.com/stack/jenkins

The Bitnami Jenkins stack offered in bitnami.com/stacks and in our cloud-specific launchpads has been updated to that new version. New launches of Bitnami Jenkins via our launchpad are secure and do not need to be updated further.

Users launching Bitnami Jenkins via a cloud marketplace are advised to select version 2.121.2 of Bitnami Jenkins, once it is published. Installations based on previous versions will need to be upgraded as described above.

If you have further questions about Bitnami Jenkins or this security issue, please post to our community forum and we will be happy to help you.

Meet the team: Randy Chang

The Bitnami team is a diverse group of talented people distributed all over the world. Get to know them better through this series of blog posts.

Based in our San Francisco office, Randy works on our Accounting team as our Controller.

A Brief Bio

I was born in Los Angeles but moved around a lot as a kid.  I was blessed with the opportunity to experience multiple cultures in my developmental years, living in Paraguay, Taiwan, and Singapore.  This has taught me that the world is larger that what we know it as and everything comes with perspective.

All the movement growing up shook my focus, and I was constantly bored in my studies and academics. My mother, being a tiger parent always wanted a doctor, lawyer and an accountant in the family. My sister became a surgeon, my brother an attorney, and I was left with slim pickings.

I studied business administration/accounting at San Francisco State, juggling full-time work and school for 6 years.  In those years, I funded my college education through online poker, worked at a regional tax firm (through a partner who I met at the tables) and developed a regional market for a consumer goods company.

Enjoying the sites in Sydney

Being in San Francisco, growth companies were the hype and I had to see what it was about.  I joined as an accountant and quickly fell in love with fast-paced high-growth startups.  In a short amount of time, I went through a series of acquisitions and promotions and landed as the Finance Director for a pre-IPO Marketing technology company.

In 2014, I flew to Taiwan for my 10-year high school reunion where I met my now wife.  In the span of 36 months, I’ve uprooted 3 times, living in Sydney, London and Toronto, got married, travelled the world, while managing the finance and operations of a midsize company.




Why you joined Bitnami and what excites you about working here? 

I joined Bitnami because I felt like I could add a lot of value to an organization that I’m used to working in.  I think Bitnami is at a very interesting point in its maturity and has major potential.

What excites me the most is the opportunity to work with people from different cultures and backgrounds. To me, one of my greatest joys is collaborating with various teams on cross-functional projects.

What are you working on?

As the controller, I work closely with Philip and Susana to ensure the finances are in order.  Aside from managing cash, spend, and financial reporting, I work with internal and external stakeholders to ensure information is reported in a timely and orderly fashion.

This translates to is making sure the company has visibility into all aspects of the business, which means I will partner with all teams to gather, parse, analyze and deliver the information that is requested.

What do you like to do for fun?

These days I like to go to the gym and spend time with my wife and my parents. I can enjoy a good hike, camping, golf, water sports, or scuba diving. And I can talk about anything, but can really enjoy a conversation about commerce, people, or travel.

Interested in working with Bitnami and Randy? Apply for one of our open positions!

Make Existing Apps Faster, More Scalable, And Cost Effective To Operate With Stacksmith, Kubernetes & Spotinst

Written by Ido Bar Oz, Director Strategic Partnerships at Spotinst

Kubernetes is one of the hottest topics in the IT industry at the moment. As you have learned in Spotinst’s previous blog post about the state of the Kubernetes ecosystem, many companies offer solutions around container-orchestration. In this blog post you will learn how to use Bitnami Stacksmith to package an application for Kubernetes, then leverage Spotinst’s Elastigroup to reduce compute costs, while maintaining high availability of that application as it runs on your Kubernetes cluster.

What is Kubernetes?

Kubernetes is an open-source container orchestration system for automating deployment, scaling and management of containerized applications. Originally designed by Google, Kubernetes was born from a need to run cloud-native applications on a massively scaled network, and that’s exactly what it enables its growing user base to do. The demand for platforms that can run web-scalable workloads means Kubernetes is increasingly under consideration by IT engineering teams, and many are choosing to adopt it.

Bitnami Stacksmith – Automating Application Packaging and Simplifying DevOps

Bitnami Stacksmith removes the complexity associated with packaging and maintaining your applications for today’s cloud and container platforms. Stacksmith does this by utilizing sophisticated tooling and automation that Bitnami has developed over its many years packaging open-source applications and run time environments for all the major cloud providers.   Supply your application code and scripts, select the appropriate template and a few parameters, and hit create. Stacksmith then automates the packaging of your application, optimizes it for your target, and delivers everything you will need to deploy it.

But the benefits of Stacksmith don’t stop when the application is deployed. During the packaging process, Stacksmith documents the components and dependencies that go into your application.  Armed with this, Stacksmith continuously monitors trusted sites for new releases and security updates to these components, and alerts you when they become available. It also provides a simple way to re-package your application to incorporate the updates, to ensure your applications stay up-to-date and secure. 

Stacksmith is an end-to-end tool that automates and simplifies development and IT operations tasks associated with packaging and maintaining your applications for the cloud. 

Kubernetes and Stacksmith

Bitnami Stacksmith works by providing a set of pre-defined application architectures using “templates”. When packaging applications for Kubernetes, Stacksmith will create a Helm chart and a container with all the necessary dependencies for that application. This means that customers can deploy Kubernetes applications in a matter of minutes, and are able to enjoy all the benefits of Kubernetes without having to go through the complex task of containerizing their environment themselves.

Containerization Simplified – What’s the Next Step?

Using Stacksmith can help to alleviate the complexities surround creating a Kubernetes environment, but once the environment is created, what comes next? Often, managing the underlying infrastructure of Kubernetes workloads can be an unwelcome, complex and time-consuming task. Spotinst Managed Container Service (MCS) can remove this unnecessary demand on developer teams.

Spotinst MCS allows customers to run their containerized environments without having to think about the infrastructure layer of servers their containers are running on. MCS provisions, manages and scales infrastructure underneath various containerized environments, including Kubernetes. With Spotinst MCS’s simple import process, all that is needed to migrate Kubernetes workloads to the Spotinst platform is to import the ASG that was created by Stacksmith into Spotinst Elastigroup.

Through dynamically scaling infrastructure and smart container packing to fit the need of customer workloads, MCS doesn’t only automate the infrastructure management but also considerably improve the efficiency of the environments.

Spotinst MCS smart scaling activities:

• Headroom – a buffer of spare capacity (in terms of memory and CPU) will be provisioned to make sure that there is no need to wait for new instances when scaling up whilst simultaneously ensuring instances won’t become over-utilized.
• Smart Scaling Down – Spotinst Elastigroup will monitor the cluster for idle instances which remain underutilized for a specified amount of consecutive periods. Once identified, MCS will find spare capacity in other instances, drain those instance tasks and reschedule those on other instances before terminating the idle instance.
• Tetris Scaling – Elastigroup records the events written when an Kubernetes task is pending and analyzes why they are yet to be started (i.e. Insufficient Memory / CPU, No Ports Available, etc.). It will then spin up instances inside the customer’s cluster to accommodate for the incoming tasks.

Cost Reduction for Spotinst MCS

Spotinst MCS doesn’t only fully automate the provisioning and managing of the underlying infrastructure for Kubernetes environments, it also significantly reduces their costs – by as much as 80%. Spotinst MCS utilizes Spotinst Elastigroup technology to spin up the infrastructure on Spot Instances instead of On-Demand Instances, reducing costs by as much as 80% whilst utilizing predictive analytics to ensure availability.

Spotinst Elasitgroup uses both real-time and historical data to predict Spot Instance terminations or price increases and, once these events are predicted, Elastigroup will preemptively and seamlessly migrate customer workloads to a different Spot Instance of either another instance type or across AZs. If no suitable Spot Instance is found, Elastigroup will automatically fall-back to On-Demand Instances, meaning that customers can enjoy a 70-80% cost reduction whilst still enjoying a 99.99% SLA – the same SLA as provided by AWS.

Through using Bitnami Stacksmith to deploy containerized environments and Spotinst MCS to handle the instance management for the containers, you can spin-up containers and have them running with significant cost reductions all without increasing demand on your developer teams. To see this process in action, you can register for Bitnami and Spotinst’s joint webinar here!

Original post located here.