
dhis2-devs team mailing list archive

IMPORTANT: Vulnerability discovered in DHIS2 version 2.16 and some versions of trunk.


A potentially serious vulnerability of DHIS2 has been discovered by members
of the core development team this afternoon (2014-09-01).
The development team is working on a permanent solution for this, but in
the meantime, all users of DHIS2 are advised to review their system for
potential vulnerabilities.

*Potentially affected versions: *
  All versions of DHIS2 2.16, and any version of trunk from revision 15124
and up.

*Vulnerability Details: *
Hazelcast is a component of DHIS2 used to provide caching. By default,
Hazelcast opens a port (5701) on the machine that is running DHIS2, and its
cluster API is reachable by anyone who can connect to that port. The exposed
API may reveal critical information about the system, including network
information and other runtime data. It is not currently known to what
extent the information held inside DHIS2 might be exposed through this
vulnerability.


*Risk: *
When DHIS2 runs on a network that is directly attached to the Internet or
to another unsecured network, an attacker may read information from, and
inject data into, the Hazelcast component. The exposed API could be used
to affect system availability by injecting arbitrary data into the DHIS2
caching system.

*Steps to confirm if your server is vulnerable:*

Replace "server" with the IP address or host name of your DHIS2 server and
open the resulting address in a web browser. Do this from a machine other
than the server itself, so that you see what the network sees rather than
what localhost sees:

 http://server:5701/hazelcast/rest/cluster/


Affected versions of DHIS2 will show something like the response below.

Members [1] {
Member [XXX.XXX.XXX.XX]:5701 this
}

ConnectionCount: 4
AllConnectionCount: 5


If you see any response at all from this address, even one different from
the example above, your DHIS2 server is vulnerable and should be upgraded
immediately. A connection refused or a timeout means the port is not
reachable from the machine you tested from.
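The browser check above, scripted so that it can be run against a list of servers before and after a firewall change. This is an added example, not part of the advisory or of the DHIS2 code base; it assumes curl is installed and uses only the port and URL path given above. The sample response embedded at the bottom is constructed from the advisory's example output, with a documentation address in place of the masked one, and is used only for self-testing.

```shell
#!/bin/sh
# check_hazelcast_exposure.sh (added example, not DHIS2 project code)
#
# Usage: sh check_hazelcast_exposure.sh host1 [host2 ...]
# Run it from a machine OTHER than the DHIS2 server: the mitigation only blocks
# non-localhost traffic, so a probe from the server itself will still succeed.

HZ_PORT="${HZ_PORT:-5701}"              # port from the advisory
HZ_PATH="/hazelcast/rest/cluster/"      # path from the advisory

# classify_response CURL_EXIT BODY
# The advisory treats ANY response as vulnerable, so the endpoint is EXPOSED
# whenever curl completed (exit 0) or returned a body; a refused or timed-out
# connection (non-zero exit, empty body) is reported as CLOSED.
classify_response() {
    exit_code="$1"
    body="$2"
    if [ "$exit_code" -eq 0 ] || [ -n "$body" ]; then
        echo EXPOSED
    else
        echo CLOSED
    fi
}

# member_count BODY -> N from the "Members [N] {" line, or 0 if there is none
member_count() {
    n=$(printf '%s\n' "$1" | sed -n 's/^Members \[\([0-9][0-9]*\)\].*/\1/p' | head -n 1)
    echo "${n:-0}"
}

# member_addresses BODY -> one "ip:port" per line, from "Member [ip]:port" lines
member_addresses() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Member \[\([^]]*\)\]:\([0-9]*\).*/\1:\2/p'
}

# probe_host HOST -> fetches the cluster endpoint and prints one status line,
# followed by the cluster members if the endpoint answered
probe_host() {
    host="$1"
    # --max-time keeps a filtered port from hanging the scan; -s silences progress
    body=$(curl -s --max-time 5 "http://$host:$HZ_PORT$HZ_PATH" 2>/dev/null)
    rc=$?
    status=$(classify_response "$rc" "$body")
    if [ "$status" = EXPOSED ]; then
        echo "$host EXPOSED members=$(member_count "$body")"
        member_addresses "$body" | sed 's/^/    member /'
    else
        echo "$host CLOSED"
    fi
}

# Constructed sample of an affected server's response (address is a
# documentation-range placeholder); used for self-testing only, never fetched.
SAMPLE_BODY='Members [1] {
Member [192.0.2.10]:5701 this
}

ConnectionCount: 4
AllConnectionCount: 5'

if [ "$#" -gt 0 ]; then
    for h in "$@"; do
        probe_host "$h"
    done
fi
```

Hosts that report EXPOSED from outside need the firewall rules from the mitigation section applied; re-run the script afterwards and they should report CLOSED, while a run on the server itself against localhost will still show EXPOSED, which is expected because DHIS2 itself needs the port locally.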


*Mitigation: *

If you are running DHIS 2.15 or lower, do not upgrade at this point until
advised otherwise; the solution still needs further testing before it can be
confirmed.


If you are running DHIS2 version 2.16 or higher, or any version of trunk
from revision 15124 and up, or any branch that includes revision 15124, you
should immediately use a software firewall to block all non-localhost traffic
on port 5701. The package UFW is a simple firewall which can be installed
and enabled as below. Allow your SSH port before running "ufw enable" so
that you do not lock yourself out; UFW's default policy then denies all
other incoming traffic, including port 5701, while connections over the
loopback interface (which is how DHIS2 itself reaches Hazelcast) continue
to work. If DHIS2 is served on a port other than 80 or 443 (for example
Tomcat listening directly on 8080), allow that port as well.


sudo apt-get install ufw   # only if you have not installed this package previously
sudo ufw allow 22          # change this to whatever port your SSH daemon listens on
sudo ufw allow 80
sudo ufw allow 443
sudo ufw enable
sudo ufw status verbose    # confirm the rules and the default deny policy are active

Additionally, you should immediately upgrade your DHIS2 server software
version to at least the following revisions.


*Trunk: revision 16603*
*2.16: revision 16386*

The core development team will communicate further on this issue once we
have had time to determine the extent of the problem, as well as to confirm
a final fix. If you have any questions about this mail, please do not
hesitate to ask!


Best regards,
Jason Pickering
