[CircleCI Security Alert] Rotate Any Secrets Stored in CircleCI (Updated)

UPDATE (January 16, 2023) – CircleCI has published a full report that includes more details about the incident. VIP recommends affected customers review this document and reach out to support if you have any further questions or concerns.


UPDATE (January 6, 2023) – CircleCI has updated their initial post with more information and instructions. They now recommend rotating all secrets, keys, and tokens of any kind stored on their service. Please refer to CircleCI’s disclosure post for the most up-to-date information and instructions concerning this incident.


On Wednesday, January 4, 2023, CircleCI disclosed a security incident that affects VIP customers who use CircleCI. At this time, CircleCI reports the incident is contained and no unauthorized actors are active in their system, but recommends that CircleCI users rotate any secrets stored on their service. 

If you have never used CircleCI, no action is necessary. We are communicating this to all customers as part of our ongoing commitment to security. We are also reaching out directly to the WordPress VIP customers that have used CircleCI.

If you have used CircleCI, you should take the following preventative actions as soon as possible:

  • Immediately review and rotate any and all secrets stored in CircleCI. These may be stored in project environment variables, in contexts, or in other areas.
  • Review any internal logs of your systems for any unauthorized access starting from December 21, 2022, through the completion of your secrets rotation.
  • Rotate any SSH keys used for CircleCI to communicate with GitHub or any other system. You may have set these up initially, and our documentation details how to rotate these keys.
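The second step above, reviewing logs from December 21, 2022 until your rotation is complete, is easier if the review is narrowed to that window and to the credentials that actually lived in CircleCI. The script below is an added example, not part of the VIP notice or CircleCI's guidance; the JSON-per-line log format, the field names (ts, actor, cred, src), the fingerprints and the addresses are all constructed for the example, so adapt them to what your systems log.

```python
"""Added example, not part of the VIP notice: narrow a log review to the exposure window
the advisory names (from December 21, 2022 until your secrets rotation is complete) and to
events made with credentials that had been stored in CircleCI.

The log format is constructed for this example: one JSON object per line with an
ISO-8601 timestamp ("ts"), the account ("actor"), the credential fingerprint ("cred") and
the source address ("src"). Adapt the field names to whatever your systems actually log.
"""
import json
from datetime import datetime, timezone

# Start of the window named in the advisory. The end is when *your* rotation finished.
WINDOW_START = datetime(2022, 12, 21, tzinfo=timezone.utc)
ROTATION_DONE = datetime(2023, 1, 6, 12, 0, tzinfo=timezone.utc)  # example value, not a real date


def parse_iso(ts: str) -> datetime:
    # Treat a trailing "Z" as UTC; fromisoformat only accepts it natively from Python 3.11.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def events_to_review(log_lines, circleci_credentials, rotation_done=ROTATION_DONE,
                     known_sources=frozenset()):
    """Return events inside [WINDOW_START, rotation_done] that used a credential from
    circleci_credentials and came from a source not on the known-good list."""
    hits = []
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # a malformed line should not abort the whole review
        ts = ev.get("ts")
        if not ts:
            continue
        when = parse_iso(ts)
        if not (WINDOW_START <= when <= rotation_done):
            continue
        if ev.get("cred") not in circleci_credentials:
            continue
        if ev.get("src") in known_sources:
            continue
        hits.append(ev)
    return hits


# Constructed sample log: placeholder fingerprints, documentation-range IP addresses.
SAMPLE_LOG = """
{"ts": "2022-12-20T23:00:00Z", "actor": "deploy", "cred": "SHA256:deploykey-PLACEHOLDER", "src": "198.51.100.10"}
{"ts": "2022-12-22T03:14:00Z", "actor": "deploy", "cred": "SHA256:deploykey-PLACEHOLDER", "src": "203.0.113.77"}
{"ts": "2022-12-30T09:00:00Z", "actor": "deploy", "cred": "SHA256:deploykey-PLACEHOLDER", "src": "198.51.100.10"}
{"ts": "2023-01-02T11:30:00Z", "actor": "alice", "cred": "SHA256:userkey-PLACEHOLDER", "src": "203.0.113.77"}
{"ts": "2023-01-07T08:00:00Z", "actor": "deploy", "cred": "SHA256:deploykey-PLACEHOLDER", "src": "203.0.113.77"}
"""
# Fingerprints of keys/tokens that were stored in CircleCI (constructed values).
CIRCLECI_CREDENTIALS = {"SHA256:deploykey-PLACEHOLDER"}
# Addresses you expect legitimate CI traffic from (constructed value).
KNOWN_SOURCES = {"198.51.100.10"}


def run_sample():
    return events_to_review(SAMPLE_LOG.splitlines(), CIRCLECI_CREDENTIALS,
                            known_sources=KNOWN_SOURCES)


if __name__ == "__main__":
    for ev in run_sample():
        # Prints the one 2022-12-22 use of the deploy key from an unknown address.
        print(ev["ts"], ev["actor"], ev["src"])
```

With an empty known-source list every in-window use of a CircleCI-stored credential is listed, which is the safer default; the allow-list only trims the volume once you are sure which addresses your own pipelines use.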

CircleCI’s blog post has the most up-to-date information about their ongoing. WordPress VIP will update you if any further action is necessary.

As always, if you have any questions or concerns, please open a support ticket.

WordPress VIP Protected Against Log4Shell (CVE-2021-44228)

Update: The WordPress VIP and Automattic security teams continue to monitor the Log4j situation and apply all patches and mitigations to our platform and systems as needed.

Recently, a critical vulnerability (CVE-2021-44228) nicknamed “Log4Shell” was discovered in the widely-used Log4j logging library maintained by the Apache Foundation.

We have mitigated this vulnerability across our systems, including Parse.ly, and have found no evidence of exploitation.

Immediately upon learning of this vulnerability, our teams started a comprehensive review of our systems for the presence of Log4j and applied the recommended mitigations anywhere that Log4j is used. Where appropriate, we also deployed mitigating firewall rules.

We will continue to monitor the situation closely and we strongly recommend all WordPress VIP customers review their own systems outside of WordPress VIP for the presence of vulnerable versions of Log4j and take any necessary action. A mitigation guide can be found here.
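For the review of your own systems recommended above, the scanner below is an added example (not VIP's tooling and not the linked mitigation guide). It walks a directory tree, opens each jar/war/ear as a zip archive, reads the log4j-core version from its Maven pom.properties entry, and reports whether the version is in the CVE-2021-44228 range and whether the JndiLookup class is still present; the three sample jars it builds in a temporary directory are constructed stand-ins containing only those markers.

```python
"""Added example, not VIP's own tooling: walk a directory tree, open each jar/war/ear as a
zip file, and report the Log4j 2 jars it finds together with whether the version falls in
the CVE-2021-44228 range and whether the JNDI lookup class is still present.

Facts this relies on: log4j-core jars carry
META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties with a "version=" line,
the JNDI lookup class is org/apache/logging/log4j/core/lookup/JndiLookup.class, and
CVE-2021-44228 affects log4j-core 2.x below 2.15.0 (2.0-beta9 through 2.14.1).
"""
import os
import re
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VULN_LOW, FIRST_FIXED = (2, 0, 0), (2, 15, 0)


def parse_version(v):
    """'2.14.1' -> (2, 14, 1, 1); '2.0-beta9' -> (2, 0, 0, 0): pre-releases sort below releases."""
    base, _, pre = v.partition("-")
    nums = [int(x) for x in re.findall(r"\d+", base)][:3]
    nums += [0] * (3 - len(nums))
    return tuple(nums) + ((0,) if pre else (1,))


def is_in_vulnerable_range(version):
    return VULN_LOW <= parse_version(version)[:3] < FIRST_FIXED


def inspect_jar(path):
    """Describe one archive, or return None if it is not a zip file at all."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            version = None
            if POM_PROPS in names:
                for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            in_range = version is not None and is_in_vulnerable_range(version)
            return {
                "path": path,
                "version": version,
                "jndi_lookup_present": JNDI_CLASS in names,
                "cve_2021_44228_range": in_range,
                # In range *and* the lookup class still present: neither upgraded nor class-removed.
                "needs_action": in_range and JNDI_CLASS in names,
            }
    except zipfile.BadZipFile:
        return None


def scan_tree(root):
    """Return findings for every archive under root that carries a log4j-core marker."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jar", ".war", ".ear")):
                info = inspect_jar(os.path.join(dirpath, name))
                if info and (info["version"] is not None or info["jndi_lookup_present"]):
                    findings.append(info)
    return findings


def build_sample_jar(path, version, with_jndi=True):
    """Construct a minimal stand-in jar holding only the markers the scanner looks for."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class


def run_sample():
    """Scan three constructed jars: vulnerable, upgraded, and class-removed."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jar(os.path.join(tmp, "log4j-core-2.14.1.jar"), "2.14.1")
        build_sample_jar(os.path.join(tmp, "log4j-core-2.17.1.jar"), "2.17.1")
        build_sample_jar(os.path.join(tmp, "log4j-core-2.14.1-stripped.jar"), "2.14.1", with_jndi=False)
        return {os.path.basename(f["path"]): f for f in scan_tree(tmp)}


if __name__ == "__main__":
    for name, info in sorted(run_sample().items()):
        print(f"{name}: version={info['version']} jndi_present={info['jndi_lookup_present']} "
              f"needs_action={info['needs_action']}")
```

Two caveats for real use: the scanner does not open jars nested inside wars or fat jars (extend inspect_jar to recurse into entries ending in .jar via io.BytesIO if you need that), and later Log4j advisories raised the safe floor above 2.15.0, so set FIRST_FIXED to whatever your patch policy requires.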

As always, if you have any questions or concerns, please open a support ticket.

New Release: WordPress 5.2.4

WordPress 5.2.4, a security release, has been rolled out to all VIP sites across WordPress.com and VIP Go.

The release contains 6 security fixes and enhancements.

For more details about this release (including specific changes), please see the announcement post, release notes, or changelog.

Have questions?

If you have any questions related to this release, please open a support ticket and we will be happy to assist.

Rescheduled: Jetpack 7.5 Upgrade

UPDATE: Jetpack 7.5.3 has been rolled out to all sites on VIP Go.

The previously planned upgrade to Jetpack 7.5 has been rescheduled for Monday, July 22nd at 15:00 UTC / 11:00 AM EDT. This deployment date and time are subject to change if issues are discovered during testing of the Jetpack release.

NOTE – VIP Go sites will be upgraded to the current patch release, 7.5.3.

What is being added or changed?

Jetpack 7.5 includes some navigation and wording updates within the Dashboard alongside some improvements to thumbnail handling within VideoPress and a new option—Magic Links. If you use one of the WordPress mobile apps, you’ll now be able to send an email to yourself, from the Jetpack dashboard, with a magic link that will allow you to log in to the mobile app in one click.

The release also includes internal architecture updates that rename or move many classes, methods, and constants. While we strive to ensure full backward compatibility, there is a higher-than-usual likelihood of an incompatibility if your plugins or integrations include Jetpack files or reference its classes directly. Although actions and filters are unchanged in this update, we strongly recommend testing it using the instructions below to minimize potential issues.

You can find a full list of changes in the release notes and the commit log.

What do I need to do?

We recommend:

  1. Installing the beta release on your non-production sites using these instructions.
  2. Running through the testing flows outlined in the Jetpack Testing Guide.

If you have testing feedback or questions related to this release (or Jetpack in general), please open a support ticket with details and we will be happy to assist.

Jetpack 7.5 Delayed

Due to issues identified during the final testing of Jetpack 7.5.2 on VIP Go, we’re delaying this upgrade until a later time. We will update the VIP Lobby once a new date and time are determined.

As a reminder, we strongly suggest testing new versions of JP against your site. JP 7.5 has a variety of behind-the-scenes code reorganizations, so it’s extra important to test this release.

Instructions for testing JP can be found in our documentation:

https://vip.wordpress.com/documentation/vip-go/testing-jetpack-on-vip-go/

As always, please let us know if you have any questions or concerns.

Call for Testing: WP-CLI (Beta)

Today, we’ve enabled our WP-CLI beta on all VIP environments! For the moment this is limited to a subset of core WP-CLI commands, but in time we plan to add more commands and allow custom commands.

What can I do with WP-CLI?

WP-CLI is a powerful and extensible way to interact with WordPress from the command line. This beta release allows you to run WP-CLI commands on your VIP environments from your local terminal application, using our VIP-CLI.

Most things you can do with WordPress core have an equivalent command in WP-CLI.

For the initial release, we have enabled a variety of core WP-CLI commands and will be adding support for custom commands in the coming weeks (stay tuned!). A complete list of available commands is at the bottom of this post.

How do I get it?

To get started, install the latest version of VIP-CLI. VIP-CLI is our command line tool for interacting with your VIP application and environments.

npm i -g @automattic/vip

How do I run WP-CLI commands?

The easiest way to use WP-CLI is to use the interactive shell. This feature provides a terminal-like interface into your WordPress environment:

vip -- wp

my-site.production> wp option get home
https://example.com

Commands can also be run directly, like any other VIP-CLI command:

vip @my-site.production -- wp option get home
vip @my-site.staging -- wp post list --posts_per_page=100 --url=example.com/fr
vip @my-site.develop -- wp cache delete some-key

Running commands directly allows the output to be redirected and piped for creating powerful workflows and tools:

vip @my-site.develop -- wp user list --format=json | jq
vip @my-site.staging -- wp term list category --format=csv > category.csv
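One workflow built on that piping, as an added example rather than something from the VIP post: pipe the JSON from wp user list into a small audit script that lists the accounts holding the administrator role, a check worth running on every environment after a credential incident or before a launch. The field names it reads (ID, user_login, user_email, user_registered, roles) are the default columns of wp user list as I understand them, so treat them as an assumption, and the embedded sample is constructed, not captured from a real site.

```python
"""Added example, not part of the VIP post: consume the JSON that
`wp user list --format=json` prints, piped through the VIP CLI, and report the accounts
holding the administrator role.

Assumed field names (default `wp user list` columns): ID, user_login, display_name,
user_email, user_registered, roles (a comma-separated string).

Usage:  vip @my-site.production -- wp user list --format=json | python3 audit_users.py
Run with no input on stdin and it audits the constructed sample below instead.
"""
import json
import sys

PRIVILEGED_ROLES = {"administrator"}  # roles to call out in the report


def privileged_users(json_text, privileged=PRIVILEGED_ROLES):
    """Return [(login, email, sorted roles)] for accounts holding any privileged role,
    sorted by login so repeated runs diff cleanly."""
    users = json.loads(json_text)
    found = []
    for u in users:
        roles = {r.strip() for r in str(u.get("roles", "")).split(",") if r.strip()}
        if roles & privileged:
            found.append((u["user_login"], u.get("user_email", ""), sorted(roles)))
    return sorted(found)


# Constructed sample shaped like `wp user list --format=json` output (not from a real site).
SAMPLE = json.dumps([
    {"ID": 1, "user_login": "owner", "display_name": "Site Owner",
     "user_email": "owner@example.com", "user_registered": "2019-03-01 10:00:00",
     "roles": "administrator"},
    {"ID": 7, "user_login": "writer", "display_name": "Writer",
     "user_email": "writer@example.com", "user_registered": "2021-06-12 09:30:00",
     "roles": "author"},
    {"ID": 9, "user_login": "contractor", "display_name": "Contractor",
     "user_email": "contractor@example.net", "user_registered": "2022-11-20 15:45:00",
     "roles": "editor,administrator"},
])


def main():
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for login, email, roles in privileged_users(text):
        print(f"{login:<20} {email:<30} {','.join(roles)}")


if __name__ == "__main__":
    main()
```

Because the script only reads from stdin, the same audit runs against production, staging and develop by changing the environment alias on the vip side of the pipe, and the invocation is recorded in the Dashboard's WP-CLI log like any other command.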

Finally, to give your team greater visibility into how WP-CLI is being used, the VIP Dashboard includes a log of all WP-CLI commands run on your applications and environments. To view the log, log in to the Dashboard and select “WP-CLI” when viewing an application.

The VIP Dashboard includes a log of all WP-CLI commands run.

More information about WP-CLI on VIP can be found in our documentation.

If you have any feedback, questions, or issues with WP-CLI, please get in touch!

Note: In the examples above, the double dash (--) before wp separates the arguments of the vip command from those of the wp command. Always include it, to avoid unexpected behavior caused by parameter conflicts between the two commands.



VIP CLI Tool with Data Sync

This notice relates to the following platforms: VIP Go

We’re excited to announce VIP CLI, a new and direct way for developers to interact with applications hosted on the VIP Go platform.

VIP CLI is the first building block for the enhancements we have planned for developers. Developer Empowerment is a key focus as we continue to develop the VIP platform; we believe that empowered developers will deliver more value more easily for their businesses.

With our first release, you can run vip app (or vip app list) to get details about your applications hosted on VIP Go. You can also run vip sync to synchronize data from your production environment to non-production environments, which makes for faster debugging and more accurate QA processes.

Below you can see a video of the tool in action:

We know that using a CLI tool is not for everyone, so we also have a web based VIP Dashboard in the works: watch this space.

You can get started with VIP CLI here.

Please get in touch if there’s something you’d like to discuss about the VIP developer experience, or anything we can help with.

New Release: Jetpack 5.7.1

This notice relates to the following platforms: VIP Go

VIP Go has been upgraded to Jetpack 5.7.1, a maintenance release that fixes a few bugs.

What’s New

  • The Security tab of the Settings page no longer polls for status and constantly updates the displayed information.
  • Fixed the fatal errors that users of multisite WordPress installations would sometimes encounter when logging in to their sites.

You can find a full list of changes in the announcement post and changelog.

If you have any questions, please let us know!

VIP Go Upgraded to Jetpack 5.7

This notice relates to the following platforms: VIP Go

VIP Go has been upgraded to Jetpack 5.7, as scheduled.

What’s New

  • Easier customization for Jetpack Search
  • Improved theme compatibility with comment_form_after hook
  • Fixed bug in markdown processing in shortcodes
  • Misc. other improvements and bug fixes

You can find a full list of changes in the announcement post and changelog.

If you have any questions, please let us know!