dhis2-devs team mailing list archive

security vulnerability detected - dhis upgrade required

Hi,

We have recently detected a security exploit on a couple of servers running
dhis. The exploit seems to result in shell access with permissions of the
user which is running tomcat.


*Symptoms* of the exploit are presence of:

- a file /tmp/fake.cfg.
- various files with numeric-only names in /tmp directory.
- massive outgoing network traffic (> 200 Gb per day).

The files will be owned by the user running tomcat. The outgoing network
traffic is likely to be part of denial-of-service attacks against other
servers.


*Cause* of the exploit is likely to be one or more weaknesses in Struts 2,
which is a web framework used in dhis. These weaknesses have been fixed in
Struts version 2.3.15.1. We have upgraded dhis version 2.12, 2.13 and
snapshot/trunk with the new version. You can download the new WAR files
from dhis2.org/downloads as usual.


*To remove* the exploit you should do the following:

- stop tomcat
- upgrade your dhis version (to 2.12 or 2.13)
- remove all of the above-mentioned files from /tmp (all owned by tomcat
user).
- kill all processes owned by the tomcat user, or simply reboot the server.
- delete all files and folders under <tomcat-install-dir>/work/Catalina
(not confirmed but to be on the safe side).

If you have been running tomcat as root (sudo), then a full operating system
re-install is recommended. There is no way to completely verify what an
exploit can do with full permissions. Running tomcat as root is strictly
discouraged in any case.


*Summary*

- In any case you should upgrade your dhis version, whether you see the
symptoms or not.
- If you see the symptoms but have been running dhis with regular, non-root
privileges, you will be fine by following the removal steps.
- If you see the symptoms and have been running dhis with root privileges,
you should do a clean server installation.


Regards,

Lars
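An added defender-side check, not code from the post above or from the DHIS2 project: the first function looks for the two file indicators named in the post (fake.cfg and all-digit names in /tmp owned by the tomcat user), the second confirms from a WAR file listing that the bundled struts2-core is at least 2.3.15.1. The directory, the user name "tomcat" and the WAR name dhis.war are assumptions to be replaced with the local values.

```shell
#!/bin/sh
# Indicator check for the symptoms described in the advisory (added example).

# Print files directly under DIR that are owned by OWNER and whose name is
# either fake.cfg or consists only of digits. Exit status is 0 when at least
# one such file exists, 1 otherwise. Example: scan_tmp_indicators /tmp tomcat
scan_tmp_indicators() {
    dir=$1
    owner=$2
    # -maxdepth is not POSIX but is supported by GNU and BSD find.
    find "$dir" -maxdepth 1 -type f -user "$owner" 2>/dev/null |
        grep -E '/(fake\.cfg|[0-9]+)$'
}

# Read a WAR file listing on stdin (one path per line, e.g. from
# `unzip -Z1 dhis.war`), print the struts2-core version it bundles and exit 0
# when that version is at least MIN (default 2.3.15.1, the fixed release the
# post refers to), 1 when it is older or no struts2-core jar is listed.
struts_core_at_least() {
    min=${1:-2.3.15.1}
    ver=$(sed -n 's#.*/struts2-core-\([0-9][0-9.]*\)\.jar$#\1#p' | head -n 1)
    [ -n "$ver" ] || return 1
    echo "$ver"
    # Compare dotted versions field by field, treating missing fields as 0.
    echo "$ver $min" | awk '{
        n = split($1, a, "."); m = split($2, b, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            x = (i <= n) ? a[i] + 0 : 0;
            y = (i <= m) ? b[i] + 0 : 0;
            if (x > y) exit 0;
            if (x < y) exit 1;
        }
        exit 0 }'
}
```

A non-zero exit from scan_tmp_indicators means nothing matched; a match means the removal steps above apply, and the WAR check tells you whether the upgrade actually landed.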