dhis2-devs team mailing list archive

Re: IMPORTANT: Vulnerability discovered in DHIS2 version 2.16 and some versions of trunk.

My testing environment was vulnerable to this and I confirm UFW temporarily
solved the issue. I'm running 2.16.

regards

JPaul Mutali


On Mon, Sep 1, 2014 at 5:46 PM, Jason Pickering <jason.p.pickering@xxxxxxxxx> wrote:

> A potentially serious vulnerability of DHIS2 has been discovered by
> members of the core development team this afternoon (2014-09-01).
> The development team is working on a permanent solution for this, but in
> the meantime, all users of DHIS2 are advised to review their system for
> potential vulnerabilities.
>
> *Potentially affected versions: *
>   All versions of DHIS2 2.16 and any version of trunk, from revision 15124
> and up.
>
> *Vulnerability Details: *
> Hazelcast is a component of DHIS2 used to provide caching. By default,
> Hazelcast will open a port (5701) on the machine which is running DHIS2.
> The Hazelcast cluster may be vulnerable to attack. The Hazelcast cluster
> API may expose critical information about the system, including network
> information and other runtime data.  It is not currently known to what
> extent the information contained inside of DHIS2 might be exposed through
> this vulnerability.
>
>
> *Risk: *
> When running DHIS2 on a network that's directly attached to the Internet
> or other unsecured network, an attacker may access and inject critical
> information into the Hazelcast component. The exposed API could be used to
> influence system availability by injecting arbitrary into the DHIS2
> caching system.
>
> *Steps to confirm if your server is vulnerable:*
>
> Replace "server" with your IP address or  the name of your server and
> attempt to access the resulting address through your web browser
>
>  http://server:5701/hazelcast/rest/cluster/
>
>
> Affected versions of DHIS2 will show something like the response below.
>
> Members [1] {
> Member [XXX.XXX.XXX.XX]:5701 this
> }
>
> ConnectionCount: 4
> AllConnectionCount: 5
>
>
> If you see any response, even different from this one, your DHIS2 server
> is vulnerable, and should be upgraded immediately.
>
>
> *Mitigation: *
>
> If you are running DHIS 2.15 or lower, do not upgrade at this point, until
> advised otherwise. Further testing of the solution will need to be
> confirmed.
>
>
> If you are running DHIS2 version 2.16 or higher, or any version of trunk
> past revision 15124, or any branch of trunk including revision 15124 and
> up, you should immediately use a software based firewall to block all
> non-localhost traffic on port 5701. The package UFW is a simple firewall,
> which can be easily installed and enabled as below
>
>
> sudo apt-get install ufw (only if you have not installed this package
> previously)
> sudo ufw allow 22  (change this if need be to whatever port your ssh is
> listening on)
> sudo ufw allow 80
> sudo ufw allow 443
> sudo ufw enable
>
> Additionally, you should immediately upgrade your DHIS2 server software
> version to at least the following revisions.
>
>
> *Trunk: Revision 16603*
> *2.16: 16386*
>
> The core development team will communicate further on this issue, once we
> have had time to determine the extent of the problem, as well as to confirm
> a final fix. If you have any questions about this mail, please do not
> hesitate to ask!
>
>
> Best regards,
> Jason Pickering
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-devs
> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-devs
> More help   : https://help.launchpad.net/ListHelp
>
>
