dhis2-devs team mailing list archive

Critical security vulnerability found - immediate DHIS upgrade required

Hi all,

a critical vulnerability has been detected in one of the software libraries
used by DHIS 2. This vulnerability allows an attacker to run remote
commands on the server as the user running Tomcat/DHIS 2.

We have patched all DHIS 2 versions from 2.21 to 2.26 / master. You can
find new WAR file builds here:

https://www.dhis2.org/downloads

We strongly recommend that all DHIS 2 server admins *upgrade immediately* to
a patched version.

Keep in mind that your server might already be compromised. As a result, one
should look for suspicious activity on the server (bandwidth usage, tmp
folders, etc.). If you run Tomcat as a user with sudo privileges (not
recommended), this means that your server might be fully compromised. To be
on the absolute safe side, it might be necessary to do a full wipe and
re-install of your server environment.

More info on the exploit:

- https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/
- http://www.javaworld.com/article/3179215/security/hackers-exploit-apache-struts-vulnerability-to-compromise-corporate-web-servers.html#tk.rss_all


We are sorry about this. The vulnerable library is the Struts2 web
framework, which we are in the process of writing out of the system.

regards,

Lars



-- 
Lars Helge Øverland
Lead developer, DHIS 2
University of Oslo
Skype: larshelgeoverland
lars@xxxxxxxxx
http://www.dhis2.org <https://www.dhis2.org/>
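The message above asks admins to look for suspicious activity in tmp folders and to check whether Tomcat runs with sudo rights. The following POSIX shell triage helper is an added example for this thread; it is not part of Lars's message and not a DHIS 2 project script. It assumes the Tomcat/DHIS 2 service account is named `tomcat` (override with `TOMCAT_USER`) and that the directories worth checking are `/tmp`, `/var/tmp` and `/dev/shm`; adjust both for your installation.

```shell
#!/bin/sh
# Post-advisory triage helper (added example, not from the original message).
# Assumed defaults: the Tomcat service account is "tomcat" and the temp
# directories to inspect are /tmp, /var/tmp and /dev/shm.
TOMCAT_USER="${TOMCAT_USER:-tomcat}"
RECENT_MINUTES="${RECENT_MINUTES:-1440}"   # look back 24 hours by default
TEMP_DIRS="${TEMP_DIRS:-/tmp /var/tmp /dev/shm}"

# Print regular files under DIR modified within the last MINUTES minutes.
# Files dropped by a process running as the Tomcat user land here first,
# which is why the advisory points at tmp folders.
recent_files_in() {
    dir="$1"; minutes="$2"
    [ -d "$dir" ] || return 0
    find "$dir" -type f -mmin "-$minutes" 2>/dev/null
}

# Same, but only files with the owner-execute bit set: a fresh script or
# binary in a world-writable directory deserves a closer look.
recent_executables_in() {
    dir="$1"; minutes="$2"
    [ -d "$dir" ] || return 0
    find "$dir" -type f -perm -u+x -mmin "-$minutes" 2>/dev/null
}

# List processes owned by USER other than the JVM itself (pid and command).
# A shell, download tool or unknown binary running as the Tomcat user is a
# strong indicator that remote command execution has already happened.
non_java_processes_of() {
    user="$1"
    ps -u "$user" -o pid=,comm= 2>/dev/null | awk '$2 != "java"'
}

# Succeed (exit 0) when USER is in an administrative group. The advisory
# treats a Tomcat account with sudo rights as a full compromise scenario.
user_in_admin_group() {
    user="$1"
    id -nG "$user" 2>/dev/null | tr ' ' '\n' | grep -Eqx 'sudo|wheel|admin'
}

triage() {
    echo "== files modified in temp dirs during the last $RECENT_MINUTES min =="
    for d in $TEMP_DIRS; do recent_files_in "$d" "$RECENT_MINUTES"; done
    echo "== executables modified in temp dirs during the last $RECENT_MINUTES min =="
    for d in $TEMP_DIRS; do recent_executables_in "$d" "$RECENT_MINUTES"; done
    echo "== non-JVM processes running as $TOMCAT_USER =="
    non_java_processes_of "$TOMCAT_USER"
    echo "== sudo exposure =="
    if user_in_admin_group "$TOMCAT_USER"; then
        echo "WARNING: $TOMCAT_USER is in an administrative group; treat the host as fully compromised"
    else
        echo "$TOMCAT_USER is not a member of sudo/wheel/admin (or the account does not exist)"
    fi
}

triage
```

Run it as root on the DHIS 2 host after applying the patched WAR; an empty file list and an empty process list are the expected clean result. Bandwidth anomalies, the other indicator the message names, are better read from your network monitoring than from the host, so they are deliberately left out here.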