Showing posts with label security. Show all posts

Thursday, September 26, 2024

Bitnami applications unaffected by recently announced CUPS server vulnerabilities

Several critical vulnerabilities for UNIX systems targeting the CUPS server were discovered and disclosed today. The researcher who discovered them published a technical report at https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/


The vulnerabilities are listed below:

- CVE-2024-47176 | cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker controlled URL.

- CVE-2024-47076 | libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker controlled data to the rest of the CUPS system.

- CVE-2024-47175 | libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker controlled data in the resulting PPD.

- CVE-2024-47177 | cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.


The impact is very high because a potential attacker can replace a printer, resulting in arbitrary remote command execution (RCE).

Are Bitnami applications affected? Are Tanzu Application Catalog applications affected? No. 

No applications packaged by Bitnami or our enterprise version, VMware Tanzu Application Catalog, are affected: none of our containers, Helm charts, OVAs or Cloud Images ship the CUPS server or packages. For OVAs and Cloud Images, the server is not installed by default, and in any case the firewall does not expose the CUPS default port.
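The advisory above describes cups-browsed binding UDP port 631 on INADDR_ANY. The following check is an added example, not code from the Bitnami post or from the CUPS project: it classifies how UDP/631 is bound from `ss -lun` output and reports whether the cups-browsed package is installed, which is the quick verification a user of a non-Bitnami image would run. The `ss` output embedded below is constructed sample data; the package-manager calls assume a dpkg- or rpm-based host.

```python
"""Added example, not code from the Bitnami post: a defender-side check for the
cups-browsed exposure described above (CVE-2024-47176, cups-browsed binding
UDP INADDR_ANY:631). It classifies how UDP port 631 is bound from `ss -lun`
output and reports whether the cups-browsed package is installed."""
import shutil
import subprocess

# Wildcard bind addresses as `ss -n` prints them (INADDR_ANY / in6addr_any).
ANY_ADDRS = {"0.0.0.0", "*", "[::]"}


def udp_631_binding(ss_output):
    """Classify the UDP/631 listener in `ss -lun` output.

    Returns "any" if a socket is bound to a wildcard address (reachable from
    the network, the situation the advisory describes), "local" if it is only
    bound to a specific or loopback address, and "none" if no UDP/631 socket
    exists.
    """
    state = "none"
    for line in ss_output.splitlines():
        cols = line.split()
        # ss -lun rows: State Recv-Q Send-Q Local:Port Peer:Port [Process]
        if len(cols) < 4 or cols[0] != "UNCONN":
            continue
        host, _, port = cols[3].rpartition(":")
        if port != "631":
            continue
        if host in ANY_ADDRS:
            return "any"
        state = "local"
    return state


def cups_browsed_installed():
    """True if the cups-browsed package is installed (dpkg- or rpm-based hosts)."""
    if shutil.which("dpkg-query"):
        r = subprocess.run(["dpkg-query", "-W", "-f", "${Status}", "cups-browsed"],
                           capture_output=True, text=True)
        # Status reads "install ok installed" for an installed package.
        return r.returncode == 0 and r.stdout.strip().endswith(" installed")
    if shutil.which("rpm"):
        r = subprocess.run(["rpm", "-q", "cups-browsed"],
                           capture_output=True, text=True)
        return r.returncode == 0
    return False


def check_host():
    """Run the live check on this machine and return a one-line summary."""
    if shutil.which("ss"):
        ss_out = subprocess.run(["ss", "-lun"], capture_output=True, text=True).stdout
        binding = udp_631_binding(ss_out)
    else:
        binding = "unknown (ss not available)"
    pkg = "installed" if cups_browsed_installed() else "absent"
    return f"udp/631 binding: {binding}; cups-browsed package: {pkg}"


# Constructed sample `ss -lun` output for a host where cups-browsed is exposed.
SAMPLE_EXPOSED = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
UNCONN  0       0       0.0.0.0:631         0.0.0.0:*
UNCONN  0       0       127.0.0.1:323       0.0.0.0:*
UNCONN  0       0       [::]:631            [::]:*
"""

# Constructed sample where only a loopback-bound UDP/631 socket exists.
SAMPLE_LOCAL = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
UNCONN  0       0       127.0.0.1:631       0.0.0.0:*
"""

if __name__ == "__main__":
    print("sample exposed host:", udp_631_binding(SAMPLE_EXPOSED))  # any
    print("sample loopback host:", udp_631_binding(SAMPLE_LOCAL))   # local
    print("this host:", check_host())
```

A result of "any" together with an installed cups-browsed package is the configuration the advisory is about; "none" and "absent" is what a Bitnami OVA or Cloud Image should report.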

Wednesday, October 18, 2023

Bitnami Vulnerability Database integrated with Trivy

A journey towards comprehensive vulnerability assessment

Authored by Juan Ariza, Senior member of technical staff


Bitnami images and the CVE Security Feed for Bitnami Components

Bitnami-packaged container images are well-known and trusted for being secure, hardened, and ready to use. They are built with best practices, put through extensive automated tests and verifications to run in their target platforms with the expected behavior and performance, and delivered as ready-to-use packages. Furthermore, they are kept up to date with the latest official upstream application versions and this has enabled Bitnami to offer updates including security fixes even before CVEs were announced or detected by the scanners on numerous occasions. In addition, they are continuously scanned to detect security vulnerabilities in the sources and components used by the application. The results of all these tests and validations are available for the enterprise version of these packages through the VMware Tanzu Application Catalog UI. 

Open Source Software (OSS) scanners have consistently identified most of the CVEs that impact our images. Nevertheless, because of Bitnami components’ custom build and packaging, some vulnerability scanners have struggled to detect vulnerabilities in them.

To better enable vulnerability scanners to detect vulnerabilities in our components, we have launched the Bitnami Vulnerability Database, a public CVE security feed available on GitHub with extensive information about the vulnerabilities on Bitnami components. 

Behind the scenes of Bitnami Vulnerability Database

In July 2023, Bitnami published its first CVE security feed — Bitnami Vulnerability Database — which is available on its public GitHub repository.

As part of getting this vulnerability database set up and ready to go, our team had to analyze how some popular scanners work, identify gaps in them, research how to make those scanners locate the Bitnami Software Bill of Materials (SBoM), and explore available vulnerability sources; we also took inspiration from other public CVE security feeds available on GitHub, such as the Golang Vulnerability database. After collecting the needed information, we created a cron job that uses the data from the National Vulnerability Database (NVD). This cron job extracts all the CVE data required for analyzing Bitnami’s packaged applications, tools, and libraries, which enables us to report the vulnerabilities affecting each Bitnami component and to update them periodically.

Bitnami Vulnerability Database follows the Open Source Vulnerability schema — a standard format for distributing vulnerability information for open source — to create the JSON files that will assemble the security feed. Additionally, this enables the inclusion of the Bitnami Vulnerability Database as a part of the aggregated vulnerability database available at the Open Source Vulnerability Database (OSV). We see this as a significant accomplishment that can benefit our users as this initiative has been developed in collaboration with Open Source communities and has been adopted by several important security advisories. Also, this makes it possible for any security scanner that supports OSV schema to consume the Bitnami CVE security feed. 

As a culmination of all this work, we have been able to set up the Bitnami CVE security feed on GitHub, which can be browsed by anyone to find information about vulnerabilities in Bitnami components.
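To make the OSV schema concrete, here is an added example (not code from the Bitnami Vulnerability Database or from any scanner) of what a scanner does with such a feed: it takes an advisory in OSV format and a list of SBOM components and reports which component versions fall inside the advisory's affected ranges. The advisory and the component list are constructed sample data; the id, package name and versions are placeholders, not real Bitnami entries.

```python
"""Added example, not the Bitnami project's or Trivy's code: match the components
of an SBOM against an advisory in the Open Source Vulnerability (OSV) schema,
the format the Bitnami Vulnerability Database uses. The advisory and the SBOM
below are constructed sample data: the id, package name and versions are
placeholders, not real Bitnami entries."""
import json

# Constructed OSV advisory. "ecosystem": "Bitnami" and SEMVER ranges with
# introduced/fixed events are the parts of the schema a scanner keys on.
SAMPLE_ADVISORY = json.dumps({
    "schema_version": "1.5.0",
    "id": "EXAMPLE-0001",  # placeholder id
    "summary": "constructed example advisory",
    "affected": [{
        "package": {"ecosystem": "Bitnami", "name": "example-server"},
        "ranges": [{
            "type": "SEMVER",
            "events": [
                {"introduced": "1.2.0"}, {"fixed": "1.2.9"},
                {"introduced": "1.3.0"}, {"fixed": "1.3.4"},
                {"introduced": "2.0.0"},  # open-ended: no fix released yet
            ],
        }],
    }],
})

# Constructed component list, as a scanner would extract from a Bitnami SPDX SBOM.
SAMPLE_SBOM = [
    {"name": "example-server", "version": "1.2.5"},
    {"name": "example-server", "version": "1.3.4"},
    {"name": "example-server", "version": "2.1.0"},
    {"name": "other-lib", "version": "1.2.5"},
]


def semver_key(version):
    """Numeric tuple for a plain X.Y.Z version ("0" means 'from the start')."""
    return () if version == "0" else tuple(int(p) for p in version.split("."))


def version_is_affected(version, ranges):
    """OSV SEMVER semantics: a version is affected when it is >= an 'introduced'
    event and < the next 'fixed' event, or >= an 'introduced' with no fix."""
    v = semver_key(version)
    for rng in ranges:
        if rng.get("type") != "SEMVER":
            continue  # GIT/ECOSYSTEM ranges need other comparison rules
        lower = None
        for event in rng["events"]:
            if "introduced" in event:
                lower = semver_key(event["introduced"])
            elif "fixed" in event and lower is not None:
                if lower <= v < semver_key(event["fixed"]):
                    return True
                lower = None
        if lower is not None and lower <= v:
            return True  # interval left open: every later version is affected
    return False


def find_affected(advisory_json, sbom, ecosystem="Bitnami"):
    """Return (name, version, advisory id) for each SBOM component the advisory covers."""
    advisory = json.loads(advisory_json)
    hits = []
    for comp in sbom:
        for affected in advisory["affected"]:
            pkg = affected["package"]
            if pkg["ecosystem"] != ecosystem or pkg["name"] != comp["name"]:
                continue
            if version_is_affected(comp["version"], affected.get("ranges", [])):
                hits.append((comp["name"], comp["version"], advisory["id"]))
    return hits


if __name__ == "__main__":
    for name, version, adv_id in find_affected(SAMPLE_ADVISORY, SAMPLE_SBOM):
        print(f"{name} {version} is affected by {adv_id}")
```

Two points worth noticing: a version equal to the `fixed` event is not affected (the interval is half-open), and an `introduced` event with no following `fixed` event marks every later version as affected, which is how an advisory without a fix yet is expressed. The ecosystem check is what keeps a feed for Bitnami-built packages from matching, say, a distribution's package of the same name.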

Integration of Bitnami Vulnerability database with Trivy

Trivy v0.42.0 came with support for analyzing Bitnami images’ SPDX files, and since then Trivy has been able to detect Bitnami SBOMs. However, until now Trivy could not report vulnerabilities affecting the Bitnami components described in those SBOMs, as there was no Bitnami CVE security feed available.

After the Bitnami Vulnerability Database was published, the Bitnami team actively collaborated with Trivy to include this security feed as a part of its scanning capabilities. This enhancement was added as an experimental feature in version v0.45.0 and highlighted in the Trivy release notes:



Trivy announcement of the Bitnami Vulnerability database integration 

Bitnami container images have a long-standing reputation for trustworthiness and security, consistently adhering to industry best security practices. We take pride in this integration, as it enhances users' awareness of Bitnami components, which have been specifically designed to contribute to a more secure software supply chain.

Trivy becomes the first security scanner to consume Bitnami Vulnerability Database but the journey doesn't end here. We will continue working on ensuring other popular security scanners consume it. Meanwhile, users who don’t use Trivy as their primary vulnerability scanner can also consume it since it is publicly available and works with any security scanner that supports OSV schema, and there are already a few scanners that have capabilities for detecting Bitnami SBOMs.

Support and Resources

Refer to the Bitnami and VMware Tanzu Application Catalog documentation to learn more about Kubernetes and Bitnami Helm charts and containers. 

To solve the problems you may have with the Bitnami community packages — including deployment support, operational support, and bug fixes — please open an issue in the Bitnami Helm charts or containers GitHub repository.  Also, if you want to contribute to the catalog, feel free to send us a pull request, and the team will check it and guide you in the process for a successful merge.   

If you are interested in learning more about the enterprise version of Bitnami packages — VMware Tanzu Application Catalog —  check out the product webpage, Tech Zone page,  application library, and additional resources. If you would like to get in touch,  contact us.

Wednesday, September 14, 2022

Fix Available: Load Problems in Let’s Encrypt Servers due to Bitnami Cloud Images

Our colleagues from the Let’s Encrypt team have informed us that they have identified an issue with the certificate renewal process that is causing load problems in Let’s Encrypt servers.  

This issue affects Bitnami users that are using the Bitnami HTTPS Configuration tool (Bncert tool) to configure HTTPS on their Bitnami cloud deployments. To solve this issue, you must update your Lego installation as explained below. 

How to update your Lego installation 

A fix has been included in Lego version 4.8.0, which adds a random 0-8 minute delay to avoid such spikes at exactly 0:00. However, Bitnami cannot propagate this change to users unless they execute the tool.

In order to avoid problems in case the renewal fails for several days in a row, and to avoid load problems, users should follow the steps below:  

  • Execute Bncert again to renew the certificates. The tool will request to be updated - press “Yes”. This will also randomize the times in the crontab and add the user-agent to the crontab. 


  • Manually update the lego version by running the following command:  

$ curl -L https://github.com/go-acme/lego/releases/download/v4.8.0/lego_v4.8.0_linux_amd64.tar.gz | tar xz -C /opt/bitnami/letsencrypt lego

  • Randomize the renewal time. E.g. from 0:00: 

0 0 * * * sudo /opt/bitnami/letsencrypt/lego ... 

         To a random time, such as 21:40: 

40 21 * * * sudo /opt/bitnami/letsencrypt/lego … 

Once executed, the command sudo crontab -u bitnami -l should show something like this:

 40 21 * * * sudo /opt/bitnami/letsencrypt/lego ... 

Where 21:40 is the new randomized time - you will probably see a different value - at which point the renewal will happen every day. 
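The randomization step above is described as a manual edit. The following is an added example, not part of the Bitnami post and not the Bncert tool's own code, that performs the same change programmatically: it reads a crontab, finds the entry that invokes /opt/bitnami/letsencrypt/lego, and moves it from 0:00 to a random minute and hour while leaving every other field and job untouched. The crontab text embedded below is a constructed sample and the lego command line in it is a placeholder.

```python
"""Added example, not the Bncert tool's own code: rewrite the renewal entry in
a crontab so it fires at a random minute and hour instead of 0:00, which is
the change the post asks users to make by hand. The crontab text below is a
constructed sample; the lego command line is a placeholder, not Bitnami's."""
import random

LEGO_PATH = "/opt/bitnami/letsencrypt/lego"


def random_time(rng=None):
    """Pick a (minute, hour) pair uniformly. SystemRandom is used so that
    many images do not all land on the same 'random' slot from a seeded PRNG."""
    rng = rng or random.SystemRandom()
    return rng.randrange(60), rng.randrange(24)


def _is_lego_entry(line, fields):
    return (len(fields) == 6 and not line.lstrip().startswith("#")
            and LEGO_PATH in fields[5])


def randomize_lego_schedule(crontab_text, choose_time=random_time):
    """Return crontab text with every lego entry moved to choose_time().

    Only the minute and hour fields change; day-of-month, month, weekday and
    the command itself are preserved. Comments and unrelated jobs pass through.
    """
    out = []
    for line in crontab_text.splitlines():
        fields = line.split(None, 5)  # 5 time fields + the command
        if _is_lego_entry(line, fields):
            minute, hour = choose_time()
            fields[0], fields[1] = str(minute), str(hour)
            out.append(" ".join(fields))
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if crontab_text.endswith("\n") else "")


def lego_schedule(crontab_text):
    """Return the (minute, hour) of the first lego entry, or None if there is
    none or its fields are not plain numbers."""
    for line in crontab_text.splitlines():
        fields = line.split(None, 5)
        if _is_lego_entry(line, fields):
            try:
                return int(fields[0]), int(fields[1])
            except ValueError:
                return None
    return None


# Constructed sample, in the shape `sudo crontab -u bitnami -l` prints.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 0 * * * sudo /opt/bitnami/letsencrypt/lego renew
30 3 * * 0 /opt/bitnami/scripts/backup.sh
"""

if __name__ == "__main__":
    import sys
    # Read the crontab from stdin when piped, otherwise show the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CRONTAB
    sys.stdout.write(randomize_lego_schedule(text))
```

To apply it to a real host, pipe the current crontab through the script and load the result back with crontab, e.g. `sudo crontab -u bitnami -l | python3 randomize_lego.py | sudo crontab -u bitnami -`, after checking the output by eye; the listed time will then differ from 0:00 just as the post describes.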

Support and Resources   

Looking to learn more or have any questions? Check out the new Bitnami GitHub repository for virtual machines. If you need to get a resolution on issues or want to send us your feedback, please open an issue. A markdown template is provided by default to open new issues, with certain information requested to help us prioritize and respond as soon as possible.  

To learn more about how to generate and install a Let’s Encrypt certificate for a Bitnami application, refer to this tutorial.


 

Thursday, September 8, 2022

Bitnami Sealed Secrets Team Collaborates with Students from the Aix-Marseille University

Authored by Alfredo García, R&D Manager at VMware

Bitnami’s Sealed Secrets has been a popular GitOps Secret Management solution ever since its launch back in 2017. With 5.4K stars and more than a million downloads per month, this project has a lot of traction and is widely adopted amongst the open-source community.

The Bitnami by VMware team encourages and fosters collaboration with university institutions. Examples of such collaborations can be found in the more than 20 training sessions delivered by our experts during this year's VMware Multi-cloud Academy.

While we regularly collaborate with institutions, opportunities to collaborate directly with computer science students are few and far between. For this reason, when Aix-Marseille University approached us with an offer to collaborate with some of their Reliability and IT Security Master’s Degree students, we quickly jumped on the idea. This proposal was translated into a two-month collaboration period in which several important features have been implemented in the Sealed Secrets project. 

Collaboration Scope

The collaboration started early in 2022 with some meetings with the faculty responsible for the Master’s Degree in Reliability and IT Security of the Aix-Marseille University, in order to define the scope and the approach of our cooperation. We agreed that five students would incorporate their work on the Sealed Secrets project as a part of their final dissertation for the Master’s degree they were undertaking.

Those students had neither a previous background in collaborating with open source projects nor any proven experience in developing with Golang. To help them be more efficient, the Bitnami by VMware Sealed Secrets team provided a minimum onboarding plan. This plan included the set-up of a GitHub account, a brief introduction to the project contributing guidelines, and a list of recommended readings that could help them better understand the design and purpose of Sealed Secrets.

The collaboration lasted from March to April 2022, and during that time, the students took ownership of several tasks in our project backlog focusing mainly on solving security and software supply chain issues. All these tasks were closely related to the content of their Master’s degree curriculum, so they dealt with them efficiently. 

These activities were grouped into three major blocks:

  • Secure software supply chain
  • Static code analysis and vulnerability scanning
  • Sealed Secrets cryptographic review 

Secure Software Supply Chain

Needless to say, the software supply chain is a big concern for any organization. Given the importance of the Sealed Secrets project within the Kubernetes Security area, it is essential to control our dependencies and to provide a solid provenance for our deliverables.

Because of that, we asked the students to incorporate cosign verifications over the Sealed Secrets distroless and base images. They also included a cosign signature for the Controller images, Kubeseal CLI, and for the project’s official Helm chart. These improvements will make it easier for our users to verify the provenance of Sealed Secrets once included in their clusters.

Static Code Analysis and Vulnerability Scanning

Static code analysis is a great way to detect inefficiencies or security concerns in a codebase. Additionally, vulnerability scanning is a critical step in any continuous integration (CI) pipeline. In our case, we decided to include two complementary tools within the project CI process: gosec and trivy. For this last integration, in particular, Sealed Secrets leverages VMware Image Builder verification capabilities so that vulnerabilities are detected as part of the project release process.

This task involved not only integrating the tools but also analyzing the resulting reports and deciding which findings were false positives and which could be adopted by the project as recommended code practices. The students contributed ten different Pull Requests (PRs) and some important improvements to the security stance of Sealed Secrets.

Sealed Secrets Cryptographic Review

The Sealed Secrets project had a few documents about cryptography, with little internal cohesion between them. It was difficult for new developers to understand the security stance of the project with these guides, so we decided to review and consolidate our Cryptography-related documentation.

A hot topic in cybersecurity is how to protect encrypted information against brute-force attacks executed with the help of quantum computers. These kinds of attacks are not yet possible with the current quantum processing power, but many security providers are designing algorithms that will be quantum resistant. To anticipate future developments, the students included in the Cryptographic documentation some recommendations and good practices regarding Post-quantum cryptography.  

Conclusion

The collaboration between the Aix-Marseille Cybersecurity Master students and the Sealed Secrets team has resulted in the merging of 18 Pull Requests into the project. These PRs include several important features that have improved the security posture of Sealed Secrets. Furthermore, the students have demonstrated great skills and determination by identifying key improvements and implementing them in the project. We recommend checking out their GitHub profiles and following them to discover this and other contributions to the open-source community. 

 We’d like to acknowledge their efforts and contributions and wish them the best in their next ventures!


Thursday, April 28, 2022

Use Enterprise-Grade Bitnami Apps in Production with VMware Application Catalog

Originally published on the VMware Tanzu blog

Shagun Tewari and Raquel Campuzano Godoy co-wrote this post.

For the past fifteen years, the Bitnami team has delivered pre-packaged open source applications to millions of developers. Over that time, we have evolved our application catalog from delivering our stacks in the form of installers and virtual machines, to cloud native applications, containers, and Helm charts that help you build applications on any platform. Developers use the Bitnami solutions through the Bitnami Application Catalog, which is our name for the catalog available through marketplaces and on Bitnami.com. 

With over three million developers using our solutions today, there’s no doubt that Bitnami Application Catalog solutions are extremely popular and are ideal for testing purposes in development environments. 

There are, however, constraints with trying to deploy any open-source software in production/enterprise environments, including those from Bitnami Application Catalog. According to a VMware Tanzu survey taken in 2021 on the state of the software supply chain, 95 percent of respondents mentioned that there is no guarantee that vulnerabilities will be remediated, given that ownership of open-source software, in general, remains unclear. Moreover, respondents stated that it’s difficult to keep up-to-date on vulnerabilities so that they can be addressed in time. In reality, keeping up-to-date on every software and dependency vulnerability, and patching in upstream source code, is an enormous effort that few organizations can afford. It is not viable for developer teams to manually track every dependency and to make sure that application components are always updated, healthy, and patched with the latest vulnerability fixes—while guaranteeing internal compliance—instead of focusing on building new business solutions. 

This is where VMware Application Catalog comes in. With VMware Application Catalog, development teams can utilize a rich library of custom, pre-packaged, and trusted building blocks for private enterprise consumption delivered as containers, Helm charts, and virtual machines. These application building blocks are tested on multiple deployment platforms and are continuously and automatically updated for every new vulnerability fix, including those for all dependencies, thanks to an internal automatic build pipeline. 


What is VMware Application Catalog? 

Developers love open source software because it helps energize their application development cycles and offers a wide variety of community-backed technology to choose from. How do we bring these benefits into enterprise environments while avoiding any potential security pitfalls? 

VMware Application Catalog is a customizable selection of trusted, pre-packaged open-source application components that are continuously maintained and verifiably tested for use in production environments.  

It is a library of production-ready Open Virtual Appliances (OVAs), containers, and Helm charts ranging from solutions to integrated code, development applications, automation tools, databases, and other backing services. These catalog images can be plugged into any stage of your company's software lifecycle.

VMware Application Catalog brings users a rich library of pre-packaged open source components in the form of Helm charts, containers, and OVAs. 


So what exactly is special about these images? This catalog can be custom-packaged on any base operating system (OS) provided by a customer. Customers may provide custom golden base OS images or choose from a set of OS images provided by VMware. 

Then, multiple functional and verification tests are run on the packaged image, including build-time Common Vulnerabilities and Exposures (CVE), antivirus scanning, and deployment testing on various platforms. 

Finally, the hardened image, along with the image metadata that contains all vulnerability, antivirus scan, and deployment test results, is pushed to a registry of the customer’s choice for secure, private consumption. 

And last but not the least, VMware Application Catalog offers continuous monitoring of upstream source code changes to automatically trigger image rebuild, testing, and pushes to register new and fixed images. This means that the catalog is always up-to-date. 


How is VMware Application Catalog different from Bitnami Application Catalog?  

A legitimate question for current Bitnami Application Catalog users is: how does VMware Application Catalog differ from Bitnami’s free content? We can sum up the differences by saying that Bitnami Application Catalog is a standard catalog built for the community, while VMware Application Catalog is a custom catalog designed for the enterprise. This statement condenses a list of significant differences such as: 

  • Individual vs enterprise: Bitnami Application Catalog provides software that is intended for a wide range of developers, while VMware Application Catalog supplies a library of assets specifically built to address the security needs of a specific enterprise. 
  • Customization flexibility: Bitnami Application Catalog stacks are built on only one standardized base OS image: Debian. VMware Application Catalog customers can choose to have their images packaged on top of their own golden image (e.g., their own Center for Internet Security-certified Photon OS image), or choose from several hardened Linux flavors provided by VMware Application Catalog.


VMware Application Catalog provides many different base OS images to choose from.

 

  • Automatic image library refresh: Bitnami Application Catalog releases a new version of its images every time there is a security fix, patch, or new major version available in the upstream code. However, if they’d like to use the refreshed images, developers are required to navigate to the catalog and redeploy the image to update it. With VMware Application Catalog, images are automatically rebuilt and pushed to the private registry every time there is a new version available in the upstream community to ensure the catalog is always fresh. 
  • Detailed bill of materials and metadata for proof of provenance: To get information about the stacks they are running, Bitnami users go to DockerHub or GitHub repositories. VMware Application Catalog users have direct access to extensive metadata in their repositories, which eliminates the need to monitor any external sources. Extensive metadata is served in a JSON file that has information on how to consume the asset, its digest, its build and release dates, and a complete list of included subcomponents or libraries with license information. We also provide detailed results for CVE, antivirus, and deployment-to-platform tests, as well as other functional and verification tests conducted on the image, for full transparency and visibility. Further, this metadata is digitally signed using cosign to protect it from tampering, which adds another layer of security to the catalog. 


Each asset available in the catalog provides users with all the information they need to consume it.

An example of a test results report which shows all the tests the application went through before being added to the customer’s catalog.


How Bitnami Application Catalog users can benefit from VMware Application Catalog 

Bitnami Application Catalog images are ideal for personal use or development environments, where the stakes are not so high. When it comes to enterprise-grade applications, software supply chain security is of the utmost importance, and developers must abide by strict IT compliance and security rules. VMware Application Catalog provides the goodness of open-source software that developers need to move faster while adhering to security and compliance regulations demanded by the operations and security teams. 

If an enterprise manages a dozen sites, this level of transparency and compliance may be achievable with the work of a single developer or by a small team. However, for large enterprises, moving to production usually means managing hundreds of thousands of applications and sites. In this scenario, companies are forced to dedicate part of their development and site-reliability engineering resources to more tedious tasks, such as tracking all application dependencies and making sure that they are kept up-to-date and patched with the latest CVE fixes to ensure internal compliance. 

VMware Application Catalog allows customers to request images that are custom-packaged on an OS of choice, hardened, security tested, and delivered to a private repository. This frees up developers from the necessity of building their own compliant application components, as well as monitoring external sources and the upstream code to keep their open-source images current. It also provides the security and operations team with detailed metadata for increased visibility and assurance that their software is secure and up-to-date. VMware Application Catalog promotes developer productivity while boosting operator and security team confidence.


Learn more about VMware Application Catalog 

To learn more about VMware Application Catalog, join our webinar session on June 23 at 10 AM PT. Register now for the session! 

For additional information, read about VMware Application Catalog on our product page, browse through all applications available on VMware Application Catalog, or read our newly updated technical documentation. 

For more questions, reach out to the product team directly at app-catalog@vmware.com.


Wednesday, September 11, 2019

GitLab security release: 12.2.5

The GitLab project has released a new update that contains some important security updates. We recommend that all GitLab installations be upgraded immediately to the new version of GitLab (GitLab 12.2.5).

Although the new version is now publicly available, the vulnerabilities details will not be made public on the GitLab issue tracker for approximately 30 days. The information disclosed to date is the following:


  • Project template functionality could be used to access restricted project data (CVE-2019-16170)
  • Security enhancements in GitLab pages
  • Nginx HTTP 2 security update (CVE-2019-9511, CVE-2019-9513, and CVE-2019-9516)
  • Mattermost updates


You can find more information about this issue in GitLab's official blog post.

Bitnami has released a new version of Bitnami GitLab 12.2.5 for both virtual machines and cloud images that fixes these vulnerabilities. If you are running an outdated version of GitLab, please follow the instructions to upgrade the application.

Do you have questions about Bitnami GitLab or this security issue? Please post them to our community forum. We will be happy to help you.

Tuesday, June 18, 2019

TCP SACK PANIC: Multiple TCP-based remote denial of service vulnerabilities

[UPDATE 2019-06-25]

- Bitnami has now released all the images with the new kernel available for all the supported platforms. These changes are being propagated across all the Marketplaces right now.

----

Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels.

They all are related to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. A malicious attacker can construct a specific sequence of TCP packets that can lead to a remotely-triggered kernel panic on recent Linux kernels.

The list of CVEs is as follows:

  • CVE-2019-11477: SACK Panic (Linux >= 2.6.29): A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic.
  • CVE-2019-11478: SACK Slowness (Linux < 4.15) or Excess Resource Usage (all Linux versions): It is possible to send a crafted sequence of SACKs which will fragment the TCP retransmission queue. 
  • CVE-2019-5599: SACK Slowness (FreeBSD 12 using the RACK TCP Stack): It is possible to send a crafted sequence of SACKs which will fragment the RACK send map.
  • CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values (all Linux versions): An attacker can force the Linux kernel to segment its responses into multiple TCP segments, each of which contains only 8 bytes of data.


You can find more information about these vulnerabilities in the official security announcement.

Bitnami is working on updating all affected Virtual Machines and Cloud Images available through Bitnami, for all of our cloud provider partners. Once this update is complete, all new launches will be protected from these issues.

If you already have a running server (virtual machine) or if you have a Bitnami stack installed on your computer, you will need to update the operating system on your own. If a patched kernel is available from the operating system vendor, you can update it by following these instructions (depending on your distribution / operating system):

- Ubuntu / Debian

sudo apt-get update && sudo apt-get dist-upgrade 

- Oracle Linux, Red Hat, CentOS, and Amazon Linux

sudo yum update 

After completing the steps above, reboot your server to get the fixed version of the kernel / operating system. The versions of the package that fix these vulnerabilities are the following:

- Ubuntu 16.04: 4.4.0-151-generic
- Ubuntu 16.04 for Azure: 4.15.0-1047-azure
- Debian 9: 4.9.168-1+deb9u3
- Oracle Linux 7: 4.1.12-124.28.3.el7uek or 4.14.35-1902.2.0.el7uek
- Red Hat: 3.10.0-957.21.3.el7
- CentOS: 3.10.0-957.21.3.el7
- Amazon Linux: 4.14.123-86.109.amzn1

If you have any questions about this process, please post to the Bitnami community support forum. We will be happy to help!

Wednesday, May 15, 2019

MDS attacks against Intel CPUs and Zombieload vulnerability

Latest updates

[UPDATE 2019-05-19]

- Bitnami has now released all the images with the new kernel available for Debian, Ubuntu and Oracle Linux in the Bitnami Launchpad for Oracle Cloud and the Oracle Cloud Marketplace.

[UPDATE 2019-05-17]

- Bitnami has now submitted all the VMware affected images with the new kernel. Updates are being propagated to the VMware Marketplace

[UPDATE 2019-05-16]

- Bitnami has now released all the images with the new kernel available for Debian 9 in the Bitnami Launchpad for AWS Cloud. Updates with the new kernel available for Ubuntu 16.04 are being propagated to the AWS Marketplace.

- Bitnami has now released all the images with the new kernel available for Ubuntu 16.04 in the Bitnami Launchpad for Microsoft Azure. Updates are also being propagated to the Azure Marketplace.

- Bitnami has now released all the images with the new kernel available for Debian 9 in Bitnami Launchpad for Google Cloud Platform. Updates are being propagated to the Google Marketplace.

- Bitnami has now released all the virtual machines (OVA and VMDK format) with the new kernel available for Debian 9. They are available at bitnami.com.

- If you are running a native installer on a bare metal server, you should update the kernel in your host as well as install the Intel microcode firmware. This package is available in the “contrib” and “non-free” repositories, which you need to enable in your distribution first.

----

On May 14th, security researchers disclosed a new class of attacks against speculative execution, named Microarchitectural Data Sampling (MDS); the Zombieload vulnerabilities are considered the most dangerous of them.

Similar to the previous Meltdown and Spectre attacks, they can effectively break the privacy protections that exist between applications. These flaws could allow data in the CPU’s cache to be exposed to unauthorized processes, and an attacker could use them to read memory from a virtual or containerized instance or from the underlying host system.

The Bitnami team is working on updating all affected Virtual Machines and Cloud Images available through Bitnami, for all of our cloud provider partners. This will ensure that all new launches are secured against these issues.

If you already have a running server (virtual machine) or if you have a Bitnami stack installed on your computer, you will need to update the operating system on your own.

Once a new, patched kernel is available from the operating system vendor, you can update it by following these instructions (depending on your distribution / operating system):

- Ubuntu / Debian

    sudo apt-get update && sudo apt-get dist-upgrade

- Oracle Linux, Red Hat, CentOS, and Amazon Linux

    sudo yum update

- Windows / OSX

Update your system when the operating system prompts you to. On Windows, enable the "Check for updates" option to receive the latest updates and patches.

Once you have completed the steps above, you will get the fixed version of the kernel / operating system after rebooting your server. The versions that fix these vulnerabilities are the following:

- Ubuntu 16.04: 4.4.0-148-generic
- Ubuntu 16.04 for Azure: 4.15.0-1045-azure
- Debian 9: 4.9.168-1+deb9u2
- Oracle Linux 7: 4.1.12-124.26.12.el7uek or 4.14.35-1844.4.5.2.el7uek
- Red Hat: 3.10.0-957.12.2.el7
- CentOS: 3.10.0-957.12.2.el7
- Amazon Linux: 4.14.114-83.126.amzn1
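Comparing `uname -r` by eye against the list above is error-prone, because the string formats differ per distribution: on Debian `uname -r` prints the ABI name (for example 4.9.0-9-amd64) while the package version quoted above only appears in `uname -v`, and Ubuntu kernel flavours (-generic, -azure, -aws) are numbered independently of each other. The script below is an added example, not part of the original post, that encodes those rules; it assumes GNU coreutils `sort -V` for version ordering, and the sample strings it runs on when called without arguments are constructed, not taken from real hosts.

```shell
#!/bin/sh
# Added example (not from the Bitnami post): compare the running kernel with the
# fixed versions listed above and report patched / vulnerable / unknown.
# Assumes GNU `sort -V`. Live use:  sh mds_check.sh ubuntu1604
# (also ubuntu1604azure, debian9, rhel7, centos7, oracle7, amzn1)

version_ge() {   # A B: true when A sorts at or after B in version order
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

# kernel_status RUNNING FIXED -> patched | vulnerable | unknown (exit 0/1/2).
# Ubuntu flavours number independently, so a flavour the advisory list does
# not cover is reported as unknown instead of being compared numerically.
kernel_status() {
    case "$2" in
        *-generic|*-azure)
            if [ "${1##*-}" != "${2##*-}" ]; then echo unknown; return 2; fi ;;
    esac
    if version_ge "$1" "$2"; then echo patched; return 0; fi
    echo vulnerable; return 1
}

# Debian: the package version is embedded in `uname -v`, e.g.
# "#1 SMP Debian 4.9.168-1+deb9u2 (2019-05-02)" (constructed sample).
debian_pkg_version() {
    printf '%s\n' "$1" | sed -n 's/.*Debian \([^ ]*\).*/\1/p'
}

# check_distro DISTRO UNAME_R UNAME_V -> status word against that distro's fix
check_distro() {
    case "$1" in
        ubuntu1604)      kernel_status "$2" "4.4.0-148-generic" ;;
        ubuntu1604azure) kernel_status "$2" "4.15.0-1045-azure" ;;
        debian9)
            v=$(debian_pkg_version "$3")
            if [ -z "$v" ]; then echo unknown; return 2; fi
            kernel_status "$v" "4.9.168-1+deb9u2" ;;
        rhel7|centos7)   kernel_status "$2" "3.10.0-957.12.2.el7" ;;
        amzn1)           kernel_status "$2" "4.14.114-83.126.amzn1" ;;
        oracle7)         # two UEK series are listed; compare like with like
            case "$2" in
                4.1.12-*)  kernel_status "$2" "4.1.12-124.26.12.el7uek" ;;
                4.14.35-*) kernel_status "$2" "4.14.35-1844.4.5.2.el7uek" ;;
                *)         echo unknown; return 2 ;;
            esac ;;
        *) echo unknown; return 2 ;;
    esac
}

# Kernels that carry the fix also self-report: this sysfs file only exists
# once the MDS mitigation code is present, and it says whether the microcode
# needed for a full mitigation is loaded.
mds_sysfs_status() {
    f=/sys/devices/system/cpu/vulnerabilities/mds
    if [ -r "$f" ]; then cat "$f"; else echo "not reported (kernel predates the MDS fix)"; fi
}

if [ -z "${1:-}" ]; then
    # Constructed demo inputs, not real hosts.
    echo "ubuntu1604 4.4.0-143-generic: $(check_distro ubuntu1604 4.4.0-143-generic '')"
    echo "debian9 4.9.168-1+deb9u2: $(check_distro debian9 4.9.0-9-amd64 '#1 SMP Debian 4.9.168-1+deb9u2 (2019-05-02)')"
else
    check_distro "$1" "$(uname -r)" "$(uname -v)"
    mds_sysfs_status
fi
```

The sysfs line is the more reliable signal once the reboot has happened: a patched kernel without the Intel microcode reports the mitigation as incomplete, which a version-string comparison alone cannot tell you.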

If you have any questions about this process, please post to the Bitnami community support forum. We will be happy to help!

For further information about these vulnerabilities, check the frequently asked questions page at the official Zombieloadattack website: https://zombieloadattack.com/#faq

Tuesday, April 30, 2019

Trusting Images from Docker Hub

On April 25th, Docker Hub reported a security breach that exposes credentials of 190,000 users. Bitnami has followed the security recommendations from Docker and immediately reset the credentials for all Bitnami developers and bots with access to the Bitnami Container Images.

We have verified that the public Bitnami Container Images available in Docker Hub have not been corrupted or modified. Lastly, we have validated the digest of all the container images that we build and test in our pipeline and compared them with the public ones in Docker Hub.

Bitnami signs all the containers in Docker Hub using Docker Content Trust (DCT). Content Trust lets you verify the integrity and the publisher of container images pulled from a registry, using digital signatures on the data sent to and received from remote Docker registries.

Bitnami strongly recommends enabling Docker Content Trust to pull only signed container images from Docker Hub. To do so, use the command below:

$ export DOCKER_CONTENT_TRUST=1

This prevents pulling container images that do not carry a valid signature.
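Setting `DOCKER_CONTENT_TRUST=1` is a per-shell setting, so it is easy to lose in a CI job or a new terminal. The wrapper below is an added example, not from the post or from Docker, of how a consumer can enforce the two checks that are available locally: refuse a pull unless Content Trust is on or the reference is pinned to a sha256 digest, and after pulling compare the digest Docker recorded with the one you expected (the digest comparison mentioned above that Bitnami does in its own pipeline). The image names and digests used here are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Bitnami post or Docker): enforce signed or
# digest-pinned pulls and verify the stored digest afterwards.

dct_enabled() {
    [ "${DOCKER_CONTENT_TRUST:-0}" = "1" ]
}

# A digest-pinned reference ends in @sha256:<64 hex chars>. Such a pull is
# content-addressed, so nobody can silently repoint it the way a tag can be.
ref_is_digest_pinned() {
    printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# pull_policy REF -> allow | deny
pull_policy() {
    if dct_enabled || ref_is_digest_pinned "$1"; then echo allow; else echo deny; fi
}

# Digest Docker recorded for REF after the pull (first RepoDigests entry).
local_digest() {
    docker inspect --format '{{index .RepoDigests 0}}' "$1" 2>/dev/null | sed 's/.*@//'
}

# pull_verified REF EXPECTED_DIGEST: pull under the policy, then compare.
pull_verified() {
    if [ "$(pull_policy "$1")" != allow ]; then
        echo "refusing unsigned, unpinned pull of $1 (set DOCKER_CONTENT_TRUST=1 or pin a digest)" >&2
        return 1
    fi
    docker pull "$1" >/dev/null || return 1
    actual=$(local_digest "$1")
    if [ "$actual" != "$2" ]; then
        echo "digest mismatch for $1: got $actual, expected $2" >&2
        return 1
    fi
    echo "verified $1"
}

# Constructed placeholder reference and digest, not a real image.
PLACEHOLDER_DIGEST=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
echo "example/app:latest -> $(pull_policy example/app:latest)"
echo "example/app@sha256:... -> $(pull_policy "example/app@sha256:$PLACEHOLDER_DIGEST")"
# Live use:  DOCKER_CONTENT_TRUST=1 pull_verified bitnami/<image>:<tag> <expected-digest>
```

Pinning by digest and enabling Content Trust protect against different things: the digest check catches a tag that was repointed, while DCT additionally ties the image to the publisher's signing key, which matters when, as in this incident, account credentials rather than image contents were exposed.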

You can also find Bitnami Container Images in alternative registries. As with all of our images, these are maintained and up to date with all the available versions and tags. You can pull from these private and public registries:

- AWS Marketplace
- Azure Marketplace
- Red Hat Container Catalog
- Google Container Registry
- Quay.io

You can also find links to the different registries per container at https://bitnami.com/stacks/containers

Bitnami Container Images in the different registries

If you have further questions about Bitnami Container Images or this security issue, please create an issue in any of our GitHub repositories (example) and we will be happy to help you.

Thursday, April 4, 2019

Apache 2.4.39 important security release (CVE-2019-0211, CVE-2019-0217 and CVE-2019-0215)

[Update 2019-04-12]

New versions of all the Bitnami affected solutions were submitted to the different cloud platforms.

----


The Apache project recently released a new version that includes the following important security updates, which affect many different versions of the Apache HTTP Server:

  • Apache HTTP Server privilege escalation from modules' scripts (CVE-2019-0211): Code executing in less-privileged child processes or threads could execute arbitrary code with the privileges of the parent process.
  • mod_auth_digest access control bypass (CVE-2019-0217): A race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username.
  • mod_ssl access control bypass (CVE-2019-0215): A bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client supporting Post-Handshake Authentication to bypass configured access control restrictions.

Apart from these three vulnerabilities, the latest version of the server also resolves other low-severity issues. You can find more information about them in the official announcement.
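Whether each of the three advisories applies to a given server depends on more than the version number: the two module bypasses only matter if mod_auth_digest or mod_ssl is actually loaded. The script below is an added example, not part of the post or of the Apache project, that takes the output of `apachectl -v` and `apachectl -M`, decides whether the instance is older than 2.4.39, and lists which advisories its loaded module set exposes. It assumes GNU `sort -V`; the sample outputs at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the Bitnami post or the Apache project): triage an
# httpd instance against the 2.4.39 advisories from apachectl output.

FIXED_HTTPD=2.4.39

version_ge() {   # A B: true when A sorts at or after B in version order
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

# httpd_version "<apachectl -v output>" -> e.g. 2.4.38
httpd_version() {
    printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9.]*\).*#\1#p'
}

# needs_update VERSION -> yes | no
needs_update() {
    if version_ge "$1" "$FIXED_HTTPD"; then echo no; else echo yes; fi
}

# applicable_cves "<apachectl -M output>" -> advisories the loaded module set
# exposes. CVE-2019-0211 is in the Unix MPMs themselves, so it applies to any
# affected version; the other two need their module loaded (CVE-2019-0215
# additionally needs TLSv1.3 with per-location client certificate verification).
applicable_cves() {
    cves=CVE-2019-0211
    if printf '%s\n' "$1" | grep -q '^ *auth_digest_module'; then
        cves="$cves CVE-2019-0217"
    fi
    if printf '%s\n' "$1" | grep -q '^ *ssl_module'; then
        cves="$cves CVE-2019-0215"
    fi
    echo "$cves"
}

# report "<-v output>" "<-M output>" -> one-line summary
report() {
    v=$(httpd_version "$1")
    if [ "$(needs_update "$v")" = yes ]; then
        echo "httpd $v: update to $FIXED_HTTPD ($(applicable_cves "$2"))"
    else
        echo "httpd $v: not affected"
    fi
}

# Constructed samples standing in for `apachectl -v` and `apachectl -M`.
SAMPLE_V='Server version: Apache/2.4.38 (Debian)
Server built:   2019-01-29T14:05:13'
SAMPLE_M='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 auth_digest_module (shared)
 ssl_module (shared)'

report "$SAMPLE_V" "$SAMPLE_M"
# -> httpd 2.4.38: update to 2.4.39 (CVE-2019-0211 CVE-2019-0217 CVE-2019-0215)
# Live use:  report "$(apachectl -v)" "$(apachectl -M 2>/dev/null)"
```

On distributions that backport fixes, the version string alone can understate the patch level; treat the output as a prioritisation aid and confirm against the vendor's changelog for the installed package.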

Our team is working on updating the affected applications and we will release updated versions of them soon. We will be revisiting this blog post to keep you informed about the latest news on this security update.

If you have further questions about this security issue, please post to our community forum, where we will be happy to help.

Friday, March 29, 2019

Security release: Magento 2.3.1

The Magento project recently released new versions that fix several security vulnerabilities. The most important one is a critical SQL injection vulnerability, but these new versions also include over 30 security enhancements that help close cross-site scripting, arbitrary code execution, and sensitive data disclosure vulnerabilities as well as other security issues. A few of the notable fixes include:


  • PRODSECBUG-2198: SQL Injection vulnerability through an unauthenticated user
  • PRODSECBUG-2236: SQL Injection and cross-site scripting vulnerability in Catalog section (XSS)
  • PRODSECBUG-2192: Remote code execution through crafted newsletter and email templates
  • PRODSECBUG-2287: Remote code execution through email template


We highly recommend upgrading your existing Magento Community Edition 2.x sites. For more information about these security issues and many others fixed in Magento 2.3.1, please refer to this blog post in the Magento Security Center.

Bitnami has released Bitnami Magento 2.3.1 Helm charts, containers, installers, virtual machines, and cloud images in order to address these security vulnerabilities. If you already have Bitnami Magento running on any of these platforms, you can upgrade the application by following our documentation.

Users launching Bitnami Magento via a cloud provider's marketplace are advised to select version 2.3.1, once it is published. Installations based on previous versions will need to be upgraded as described above.

If you have additional questions about Bitnami Magento, post them in our community forum, and we will be happy to help you.

Thursday, March 21, 2019

Drupal core SA-CORE-2019-004 Cross Site Scripting vulnerability

A new Drupal version was released recently to address a security issue. Under certain circumstances, the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability. You can find more information at SA-CORE-2019-004.


For new application deployments, including those performed through the Bitnami Launchpad, we have released Drupal 8.6.13 and 7.65 for containers, installers, virtual machines, cloud images, and Multi-Tier solutions. We also updated the Drupal based solutions (CiviCRM and OpenAtrium). If you deploy any of these solutions and they have not yet been updated to the latest version, you will need to follow the upgrade process described in our documentation.


If you have further questions about this security issue, please post to our community forum, where we will be happy to help.

GitLab security release: 11.8.3

The GitLab project has released a new update that contains several important security fixes. We recommend that all GitLab installations be upgraded immediately to the new version of GitLab (GitLab 11.8.3).

Although the new version is publicly available now, the vulnerability details will not be made public on the GitLab issue tracker for approximately 30 days. The information disclosed to date is as follows:
  • Project Runner Token Exposed Through Issues Quick Actions. GitLab issues quick actions were vulnerable to an information disclosure issue that disclosed project runner tokens to unauthorized users. The issue is now mitigated in the latest release and is assigned CVE-2019-9866.
More information about this issue can be found in the official blog post.

Bitnami has released a new version of Bitnami GitLab 11.8.3 for both virtual machines and cloud images that fixes this vulnerability.

Do you have questions about Bitnami GitLab or this security issue? Please post them to our community forum. We will be happy to help you.

Thursday, March 14, 2019

Rails security issue (CVE 2019-5418, 2019-5419, and 2019-5420)

New versions of Rails have been released recently to address several security issues:

It is highly recommended that you upgrade Rails to the new patched versions: 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1, and 6.0.0.beta3

Bitnami is publishing updates which will be available in all formats soon.

For more details about these security issues, please check the information provided in the official Ruby On Rails blog. If you have further questions about Ruby or this security issue, please post to our community forums and we will be happy to help you.

Thursday, March 7, 2019

JasperReports 7.1.1 security release

TIBCO JasperReports has recently been updated to fix five security vulnerabilities in the application.

Community Edition versions 7.1.0 and below are affected by four vulnerabilities that allow unauthenticated read access to the contents of the host system and a race-condition vulnerability that may allow any user with domain save privileges to gain superuser privileges. More information about these security issues can be found in the official advisories:





TIBCO has released an updated version of the application which addresses these issues. For new application deployments, including the Bitnami Launchpad, we have released JasperReports 7.1.1 containers, installers, virtual machines and cloud images that include the security fixes to address these vulnerabilities. Users launching Bitnami JasperReports via a cloud marketplace are advised to select version 7.1.1, once it is published.

In case you already have a JasperReports server, use the official documentation to upgrade the application and address these issues.

If you have further questions about this security issue or about Bitnami JasperReports, please post in our community forum. Our support team will be happy to help you there!

Thursday, February 21, 2019

Remote Code Execution Vulnerability in WordPress

A remote code execution vulnerability in the WordPress core has recently been found. The vulnerability affects all WordPress versions prior to 5.0.3.

This vulnerability has been present for over 6 years and can be exploited by an attacker with at least "author" privileges. More information about the vulnerability can be found in the announcement.

A fix that completely addresses this vulnerability will be included in the next WordPress release. In the meantime, we have released Bitnami WordPress 5.0.3 (and Multisite version) installers, virtual machines and cloud images for all platforms. We have also released updated WordPress containers and Helm Charts for Kubernetes.

Have questions about Bitnami WordPress or the security issue? Post to our community forum, and we would be happy to help you.

Drupal 8.6.10 security release

Drupal has released a new version that fixes a highly critical security vulnerability. This security vulnerability can affect your Drupal 8 and 7 sites.

SA-CORE-2019-003 can lead to arbitrary PHP code execution if one of the following conditions is met:


  • The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests. 
  • The site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.


Learn more about this vulnerability in the Drupal official announcement.

Bitnami images are not affected since none of our solutions meet the conditions above, but it is recommended to upgrade your Drupal application to Drupal 8.6.10 or later. You can follow our documentation to learn how to upgrade your application to strengthen its security. We highly recommend creating a backup before performing the upgrade.

For new application deployments, including the Bitnami Launchpad ones, we have released Drupal 8.6.10 for containers, installers, virtual machines, cloud images, and Multi-Tier solutions. If you deploy any of these solutions and they have not yet been updated to the latest version, you will need to follow the upgrade process described in our documentation.

If you have further questions about this security issue, please post to our community forum, where we will be happy to help.

Wednesday, February 20, 2019

Arbitrary code execution vulnerabilities in Kibana (CVE-2019-7609 and CVE-2019-7609)

Some security vulnerabilities in Kibana have been reported recently. Two of these vulnerabilities allow arbitrary code execution in the application.

Apart from these arbitrary code execution vulnerabilities in Kibana, the official announcement also mentions other security improvements in the Elasticsearch, Logstash and Kibana components. Versions prior to 6.6.1 are affected by these vulnerabilities. You can learn more about them in the official announcements.

We recommend that you upgrade your ELK deployments to the latest version. You can follow our documentation to learn how to upgrade your deployment to strengthen its security. We highly recommend creating a backup before performing the upgrade.

For new application deployments, including those made from the Bitnami Launchpad, we have updated and released the containers, installers, virtual machines, cloud images, and Multi-Tier solutions that contain any of the affected versions.

If you have further questions about this security issue, please post to our community forum, where we will be happy to help.

Thursday, January 24, 2019

Security vulnerability in the PEAR download manager

The PEAR maintainers found a security breach on their server and published a security announcement about it. The PHP PEAR package manager (go-pear.phar) included malicious code, and the PEAR maintainers are still in the process of analyzing it.

We would like to inform you that the "go-pear.phar" tool is not included in Bitnami solutions. All our solutions build PEAR from the PHP source code, which is not affected.

If you downloaded the go-pear.phar file after December 20th, 2018, you should get a new copy of the same release version from GitHub (pear/pearweb_phars) and compare file hashes. If the file hashes are different then you may have the infected file.

If you have additional questions about this security issue, post them in our community forum, and we will be happy to help you.

Wednesday, January 23, 2019

APT security update - CVE-2019-3462

A new security vulnerability was discovered in the Advanced Package Tool, or APT, the high-level package manager for Debian, Ubuntu, and related Linux distributions.

The tool does not sanitize fields in HTTP redirections and so could be used for man-in-the-middle attacks that inject malicious content in the HTTP connection between APT and a mirror. You can find more information in the official announcement.

You can now disable redirects to prevent exploitation or upgrade the system’s package to a version that fixes the security issue:

  • Upgrade the package

Run the following commands to install the latest version of the package:

    sudo apt-get -o Acquire::http::AllowRedirect=false update
    sudo apt-get -o Acquire::http::AllowRedirect=false install apt -y

The fixed versions are:
  • Debian 8.x: Version 1.0.9.8.5 and later versions
  • Debian 9.x: Version 1.4.9 and later versions
  • Ubuntu 14.04: Version 1.0.1ubuntu2.19 and later versions
  • Ubuntu 16.04: Version 1.2.29ubuntu0.1 and later versions

To check the current version of your APT package, please run this command:

    apt --version

  • Disable redirect

If you cannot upgrade the APT package right now, add the following option to every apt command you run:

    -o Acquire::http::AllowRedirect=false
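Typing the option on every invocation is easy to forget, and unattended jobs will not add it. As an added example, not part of the post, the script below makes the same setting persistent through an `apt.conf.d` drop-in, checks the setting as apt actually resolves it from `apt-config dump` output, and compares the version reported by `apt --version` against the fixed versions listed above using dpkg's own comparison rules (falling back to GNU `sort -V` where dpkg is not present). The command outputs it is exercised with are constructed samples.

```shell
#!/bin/sh
# Added example (not from the Bitnami post): persistent redirect workaround
# plus version and configuration checks for CVE-2019-3462.

# Write the option as a drop-in so it applies to every apt run. The 99- prefix
# sorts after the distribution's own fragments in /etc/apt/apt.conf.d.
write_no_redirect_conf() {
    dir=${1:-/etc/apt/apt.conf.d}
    printf 'Acquire::http::AllowRedirect "false";\n' > "$dir/99-no-http-redirect"
}

# Takes the output of `apt-config dump` and succeeds only when apt has
# actually resolved the option to false (catches typos and overriding files).
redirects_disabled() {
    printf '%s\n' "$1" | grep -q '^Acquire::http::AllowRedirect "false";$'
}

# apt_version "<apt --version output>" -> e.g. 1.4.8
apt_version() {
    printf '%s\n' "$1" | sed -n 's/^apt \([^ ]*\).*/\1/p'
}

# Debian version strings such as 1.0.1ubuntu2.19 follow dpkg's ordering rules;
# use dpkg when available and GNU `sort -V` otherwise.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
    fi
}

# apt_status DISTRO VERSION -> fixed | vulnerable | unknown, using the fixed
# versions from the post.
apt_status() {
    case "$1" in
        debian8)    fixed=1.0.9.8.5 ;;
        debian9)    fixed=1.4.9 ;;
        ubuntu1404) fixed=1.0.1ubuntu2.19 ;;
        ubuntu1604) fixed=1.2.29ubuntu0.1 ;;
        *) echo unknown; return 2 ;;
    esac
    if version_ge "$2" "$fixed"; then echo fixed; else echo vulnerable; fi
}

# Constructed sample outputs, not from a real host.
SAMPLE_APT_VERSION='apt 1.4.8 (amd64)'
SAMPLE_APT_CONFIG='Acquire::http::AllowRedirect "false";'
echo "debian9 $(apt_version "$SAMPLE_APT_VERSION"): $(apt_status debian9 "$(apt_version "$SAMPLE_APT_VERSION")")"
if redirects_disabled "$SAMPLE_APT_CONFIG"; then echo "redirects: disabled"; else echo "redirects: allowed"; fi
# Live use:  apt_status debian9 "$(apt_version "$(apt --version)")"
#            redirects_disabled "$(apt-config dump)" && echo ok
```

The drop-in is a stopgap in the same way the command-line option is: it removes the redirect path the vulnerability needs, but the fix is the upgraded package, after which the file can be removed.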

If you have additional questions about this security issue, post them in our community forum, and we will be happy to help you.