You’re Invited! Nextcloud Conference on October 1 & 2 in Berlin!
We can't wait to see you again at the Nextcloud Conference 2022, our premier community event taking place from October 1-4 in Berlin!Read More
With growing political and technical challenges to privacy worldwide, keeping the software you run updated and secure is more important than ever before. Upgrading to Nextcloud from a legacy release brings not only new capabilities but protects crucial enterprise and personal data from data leaks and legal challenges.
The process of moving to a more secure server takes work and effort but community users are backed by our active forums and enterprise users can count on the expertise of the team that wrote their software.
When running an outdated private cloud server, data can be surprisingly easy to steal. Certainly very old releases like ownCloud 5 or 6 which in most cases enable attackers to trivially take over the entire server. But also a newer release like Nextcloud 9.0.0 which has not been updated constitutes a risk.
Improving security was Nextcloud’s core focus for version 11, and we had all our many improvements verified by the security experts from the NCC Group, a global expert in cyber security and risk mitigation.
Nextcloud 11 introduced 7 new security hardening techniques making it significantly harder for an adversary to breach the defenses. On top of that, it integrated new secure authentication technologies including two-factor authentication and Kerberos support. We also built a new App store which uses automated checks and signatures to prevent malicious apps from getting installed on user installations. Nextcloud 12 introduced further hardenings and we are committed to keeping your data secure with all technologies available to us!
You can find more details in our blog on security in Nextcloud 11, learn about enhancements in Nextcloud 12 and download the full analysis of our security work by the NCC Group on our website.
Besides security improvements, Nextcloud 11 also improved the scalability of Nextcloud servers by up to 80%, decreasing server load significantly. A migration of their 22.000 user installation by the TU Berlin from ownCloud 9.1 to Nextcloud 11 resulted in a nearly 50% decrease in database load, showing the improvements have a real life impact.
Combined with a support contract offering up to 15 years of bugfix and security updates to Nextcloud releases, the Total Cost of Ownership for newer Nextcloud setup is notably lower than for an older Nextcloud or ownCloud deployment.
Before upgrading from an old ownCloud or Nextcloud release, it is best to create a plan and download the correct releases you will need in advance. Take these points into consideration:
We realize updating has been unreliable in the past. We’ve developed our new updater for this reason and will continue to make improvements in future releases, for example in Nextcloud 12 which no longer will disable your apps on upgrade when you use PHP 7.x.
We will illustrate the upgrade with an example. Say you currently run ownCloud 5.0.3. This release is outdated and an attacker would be able to take over the entire server in a trivial way thanks to this vulnerability.
This is what you should be doing to protect your data:
First, you download the latest release in the 5.0.x series, that is ownCloud 5.0.19. You can find it on this page. Sadly, there is no manual available anymore, but the steps in the 7.x release should work.
You might wonder why you should first upgrade to the latest release in your stable series. 5.0.19 does indeed not provide much benefit over 5.0.3 from a security point of view, however, it is safer to start your upgrade path from the last stable release. So, no matter if you’re on 7.0.1 or 8.0.0 or 5.0.3, first upgrade to the latest bugfix version before moving to the next major release!
We strongly recommend to use the manual upgrade procedure. Sadly the shipped updater in old releases has been less than reliable. Nextcloud 9+ ships a more reliable updater that does the code placing for you but you can only use it from ownCloud 8.2 and onward.
These are the steps to go through for each update:
sudo -u www-data php occ maintenance:mode --on
sudo -u www-data php occ upgrade
sudo -u www-data php occ maintenance:mode --off
Note that the commands are examples and the exact command will vary by operating system and version. Consult the documentation!
On such an old release you are very likely to run in trouble re-enabling the apps. The app store no longer delivers them! You can often find the right version by looking on github. For example, here is a link to the Calendar app release page from the ownCloud Archive where you can find version 5.0.16. Here is the oldest link to Contacts I could find. Find these and other old apps in the ownCloud Archive, where apps have been put that were once maintained by people who now moved on to Nextcloud. Once you get to newer releases, the app store usually can deliver them to your ownCloud server when you click
'enable' and once you get to Nextcloud you’ll find the apps actively maintained and improved again.
You now run the latest ownCloud 5.0.19 – a release that is very insecure still, so time to move to the last bugfix release in the next major version: 6.0.9, released in July 2015. Get it here and go through the 7 steps again. Don’t forget to re-enable the apps so their data gets migrated, too!
Once you get to the latest ownCloud 8.2.9 I have good news: we can now move to Nextcloud. On top of features and security improvements, this will bring the benefits of a new updater, doing a number of the steps automatically for you. To move to the new updater (see also this blog) you follow these steps:
sudo -u www-data php occ maintenance:mode --on(replace www-data with the equivalent for your os.
updater/can be found in the subfolder of the folder where you installed your Nextcloud. If you don’t have it, easy – just create it and make sure the access rights are the same as those for the other files. You can see those witl
ls -laand change them with
chown www-data:www-data updater/or equivalent.
/config/config.phpfile, right before the line consisting of
'updater.server.url' => 'https://updates.nextcloud.com/updater_server/',
updater.pharin the updater subfolder of Nextcloud. Make sure to change ownership of the file to www-data or the equivalent on your distribution.
sudo -u www-data php updater.pharor the equivalent for your OS (replace www-run with wwwrun on openSUSE etc).
php -m | grep -i Pharand looking at the output. If you get nothing, phar is not installed. You have to install it, running
zypper in php7-pharor the equivalent for your distribution. Once you get notified that there is a new version, follow the instructions to install it.
updater.server.urlline that you’ve added to
If you run the command in step 5 but get no output whatsoever, check if the php-phar module is installed on your system by running
php -m | grep -i Phar and looking at the output. If you get nothing, phar is not installed. You have to install it, running
zypper in php7-phar or the equivalent for your distribution. Once you get notified that there is a new version for your server, follow the instructions of the updater to install it.
The hardest part is now over. After updating to Nextcloud 9 and removing the line you added from config.php (step 7) you can upgrade to 10, 11 and 12 as well, after which you know you have the most secure and private Nextcloud ever developed!