Tuesday, January 10, 2017

PWNScriptum Security Issue

[UPDATE 2017-01-16]

The Magento team has published a new blog post about this security issue. They recommend turning off the "Set Return-Path" setting (switching it to "No") at "Stores-> Configuration-> Advanced-> System-> Mail Sending Settings-> Set Return-Path".

We also want to inform you that the standard Bitnami Magento deployments are not affected, as that field is set to "No" by default.

https://magento.com/security/news/new-zend-framework-1-security-vulnerability

----

During the past couple of weeks, vulnerabilities were discovered in the most widely used PHP Mailing Libraries: PHPMailer (CVE-2016-10033 and CVE-2016-10045), Swiftmailer (CVE-2016-10074) and ZendMail (CVE-2016-10034). There are several stacks in the Bitnami library that could be potentially affected. Because this issue is related to the implementation of the applications themselves, it must be addressed by their original developers.

From the moment this issue was reported, our security team started a very thorough review of all our PHP applications (including contacting developers directly in several cases). We will release fixed versions of all affected apps as soon as they are available.

Note that in several cases, the application was developed in a way that made it impossible for the vulnerability to be exploited. Examples include:

  • WordPress: “Presently, WordPress Core (and as a result, anything utilising wp_mail()) are unaffected by the recent disclosures, the vulnerabilities require the usage of a PHPMailer feature which WordPress & wp_mail() does not use. This applies to WordPress 4.7, 4.6.x, and all previous secure versions.” [more info]
  • Drupal: “The SMTP module has a modified third party PHPMailer library in its codebase. The modified version of the library is not affected.” [more info]
  • Joomla: “After analysis [..] there are additional validations in place which make executing this vulnerability impractical within the Joomla environment.” [more info]
  • Moodle: “So my current conclusion is that Moodle sites are not affected by the Sender vulnerability discovered in phpmailer < 5.2.18.” [more info]
  • Phabricator: “No immediate action is necessary because we don't expose any way to get at these vulnerabilities.” [more info] 

Affected Bitnami PHP applications with recently released fixes: Akeneo, Dreamfactory, Mahara, Mantis, Mautic, ModX, Owncloud, OroCRM, TinyTinyRSS, PHPList. Please make sure you update your stacks by following the documentation in docs.bitnami.com.

Unaffected Bitnami PHP applications: SEO Panel, CMS Made Simple, Piwik, Magento, Prestashop, EspoCRM, Pimcore, Shopware and Oxid.

Please stay tuned if you are using a Bitnami PHP application, as we will continue releasing updated apps as soon as fixes are available.

Bitnami Applications for Oracle Bare Metal Cloud Services

At Oracle World in 2015, Bitnami and Oracle jointly announced the availability of the Bitnami catalog of more than 150 applications for Oracle Cloud Platform.

Fast forward a little more than a year later, and Bitnami is proud to be collaborating with the Oracle Bare Metal Cloud Services (BMCS) team to extend selected Bitnami offerings to BMCS, as well.

We've worked with the Oracle BMCS team to select the first 21 applications, including Java-related infrastructure such as JBoss, Liferay, Node.js, and Tomcat; databases such as MongoDB and MySQL; as well as popular line-of-business applications like WordPress, Magento, and Moodle.

Bitnami-packaged applications are tested and approved to run on Oracle Cloud, and they are kept secure and up to date.

To see the complete list:

1. Go to the Oracle Cloud Marketplace.
2. Type "bitnami bare metal" into the search box.

You're now ready to download the installer for the application of your choice and use it on your Oracle BMCS account.

Monday, January 9, 2017

'MongoDB with Replication' Security Issue

[UPDATE 2017-01-11]

The steps to restrict access to port 27017 on Google Cloud Platform have been updated.

[UPDATE 2017-01-10]

The Bitnami Team has been working on new guides for securing the database and recovering the data using the MongoDB oplog. Please find the "How to enable authentication for securing your installation" and "Restoring your database" sections below.

----

In the past few days, it has been reported that attackers have been scanning for and vandalizing unsecured MongoDB databases accessible over the internet. (See https://www.scmagazine.com/mongodb-databases-under-attack-worldwide/article/629601/)

Our security team follows these reports closely and began a review of our existing images. As a result, we confirmed that Bitnami virtual machines and single cloud images are not vulnerable to this attack because they require the administrator to authenticate. However, one Bitnami listing is vulnerable when left in its default configuration: Bitnami’s MongoDB with Replication. This template is offered in Google Cloud Launcher and Microsoft Azure.

We are working with Google to remove and replace the template on the Google Cloud Launcher. If you launch or have launched a “MongoDB with Replication” application prior to version 3.4.1, please take immediate steps to secure your application by following the instructions below.

For Microsoft Azure users, a replacement template, which implements MongoDB authentication to prevent users from remotely performing CRUD operations on the database, is available now in the Azure Marketplace here. The fixed template version is MongoDB 3.4.1-0 (Debian 8).

While the scale of the attack across the internet was large, only a small number of Bitnami users had deployments that were affected and not already secured. We are working with the cloud vendors to contact these users and replace the default settings. In the meantime, if you think your installation could be affected, please see below for steps that you can take to safeguard your data.

If you are currently using installations based on the Bitnami MongoDB with Replication template that have not already been secured, the following steps are recommended immediately:

1. Restricting external access to the default port 27017
2. Enabling authentication to secure your installation
3. Restoring your database
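Steps 1 and 2 above have a host-level counterpart that can be checked offline on each node: the mongod configuration must enable authorization, and the listener should not be bound to every interface (the cloud firewall rule described below is still required; binding is a second layer, not a replacement). The following POSIX shell script is an added example and is not part of Bitnami's post or its tooling. It assumes the YAML-style mongod.conf format (the `security.authorization`, `net.bindIp` and `net.bindIpAll` keys), and the two sample configuration files it writes are constructed for illustration only.

```shell
#!/bin/sh
# Added example (not Bitnami's tooling): audit a mongod.conf for the two
# host-level settings behind steps 1 and 2 above. Assumes the YAML-style
# config format. The sample files written below are constructed.

# Report on one config file. Prints one OK/FAIL line per check and
# returns 0 only if every check passes.
audit_mongod_conf() {
  conf="$1"
  status=0

  # Step 2: role-based access control is enforced only with
  # "authorization: enabled" under the security: section.
  if grep -Eq '^[[:space:]]*authorization:[[:space:]]*enabled' "$conf"; then
    echo "OK   $conf: security.authorization is enabled"
  else
    echo "FAIL $conf: security.authorization is not enabled"
    status=1
  fi

  # Step 1 (host side): bindIp 0.0.0.0 or bindIpAll: true answers on every
  # interface, so the cloud firewall is the only thing in the way.
  # Before MongoDB 3.6 an unset bindIp also meant all interfaces.
  bind=$(sed -n 's/^[[:space:]]*bindIp:[[:space:]]*//p' "$conf" | head -n 1)
  if grep -Eq '^[[:space:]]*bindIpAll:[[:space:]]*true' "$conf"; then
    echo "FAIL $conf: net.bindIpAll is true (listens on all interfaces)"
    status=1
  else
    case "$bind" in
      ""|0.0.0.0*)
        echo "FAIL $conf: net.bindIp is '${bind:-unset}' (listens on all interfaces)"
        status=1 ;;
      *)
        echo "OK   $conf: net.bindIp is '$bind'" ;;
    esac
  fi
  return $status
}

# Write two constructed sample configs into a temp dir and print its path.
write_sample_configs() {
  d=$(mktemp -d)
  cat > "$d/secure.conf" <<'EOF'
# constructed sample: authorization on, listener on loopback and the private address
net:
  port: 27017
  bindIp: 127.0.0.1,10.128.0.2
security:
  authorization: enabled
replication:
  replSetName: rs0
EOF
  cat > "$d/insecure.conf" <<'EOF'
# constructed sample: no security section, listening on every interface
net:
  port: 27017
  bindIp: 0.0.0.0
replication:
  replSetName: rs0
EOF
  echo "$d"
}

# Stand-alone demo: audit both samples, then clean up.
dir=$(write_sample_configs)
for f in "$dir"/*.conf; do
  if audit_mongod_conf "$f"; then
    echo "$f passes"
  else
    echo "$f needs attention"
  fi
done
rm -rf "$dir"
```

To use it on a real node, run `audit_mongod_conf /path/to/mongod.conf` (the path is whatever your deployment uses; it is not taken from the post). A FAIL on the authorization check means step 2 has not been completed; a FAIL on the bind check means the process itself would accept connections from any interface that the firewall lets through.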

How to restrict access to port 27017 on Google Cloud Platform

1. Log in to Google Cloud Platform.
2. Using the left-hand menu, navigate to the “Networking” section.
3. Under the Networking section, choose “Firewall Rules”.

In this section, find the firewall rules that correspond to your MongoDB instance. If you launched through the Google Cloud Launcher, the name is likely to be “mongodb-multivm-1-node-0-firewall”.

4. Click “Firewall Rule Details” for each MongoDB instance to show the details of its firewall rules.

5. Remove port 27017 from the list of allowed protocols and ports. Remove the bitnami-mongodb tag if it is set.

6. Click “Save”.

7. Using the left-hand menu, navigate to the “Compute Engine” section. In this section, find the instances that correspond to your MongoDB deployment. Look for the different nodes of the deployment; if you launched through the Google Cloud Launcher, the name is likely to be “mongodb-multivm”.

8. Remove the bitnami-mongodb tag in all the instances if it is set.

9. Click “Save”.