
dhis2-devs team mailing list archive

Re: critical security vulnerability found - immediate dhis upgrade required


Thank you Lars

On Mar 13, 2017 11:40 PM, "Lars Helge Øverland" <lars@xxxxxxxxx> wrote:

> Hi all,
>
> a critical vulnerability has been detected in one of the software
> libraries used by DHIS 2. This vulnerability allows an attacker to run
> remote commands on the server as the user running Tomcat/DHIS 2.
>
> We have patched all DHIS 2 versions from 2.21 to 2.26 / master. You can
> find new WAR file builds here:
>
> https://www.dhis2.org/downloads
>
> We strongly recommend all DHIS 2 server admins to *upgrade immediately*
> to a patched version.
>
> Keep in mind that your server might already be compromised. As a result
> one should look for suspicious activity on the server (bandwidth usage, tmp
> folders, etc). If you run Tomcat as a user with sudo privileges (not
> recommended) this means that your server might be fully compromised. To be
> on the absolute safe side it might be necessary to do a full wipe and
> re-install of your server environment.
>
> More info on the exploit:
>
> - https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/
>
> - http://www.javaworld.com/article/3179215/security/hackers-exploit-apache-struts-vulnerability-to-compromise-corporate-web-servers.html#tk.rss_all
>
>
> We are sorry about this. The vulnerable library is the Struts2 web
> framework, which we are in the process of writing out of the system.
>
> regards,
>
> Lars
>
>
>
> --
> Lars Helge Øverland
> Lead developer, DHIS 2
> University of Oslo
> Skype: larshelgeoverland
> lars@xxxxxxxxx
> http://www.dhis2.org <https://www.dhis2.org/>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-devs
> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-devs
> More help   : https://help.launchpad.net/ListHelp
>
>

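The triage Lars recommends above (find out which user Tomcat runs as, check whether that user has admin rights, look at the tmp folders for recent activity, and confirm which Struts jar the deployed WAR actually carries) as an added shell example. This is not code from the thread or from the DHIS 2 project. The admin group names (sudo, wheel, admin), the temp directories, the one-day look-back window, the WEB-INF/lib jar layout and the need for Info-ZIP unzip are all assumptions; a user's own sudoers entries are not covered here and still need `sudo -l -U <user>` run as root.

```shell
#!/bin/sh
# Post-advisory triage helpers for a Linux host running Tomcat/DHIS 2.
# Added example, not DHIS 2 project code. Group names, paths, the
# one-day window and the WAR jar layout are assumptions.

# Which user owns the Tomcat JVM? Reads a `ps -eo user=,args=` listing on
# stdin so it can also be run over a saved listing from another host.
tomcat_user() {
    awk '/[c]atalina/ { print $1; exit }'
}

# Is USER a member of one of the usual admin groups in an /etc/group-style
# file (default /etc/group)? Exit status 0 = yes. Membership here means the
# advisory's "sudo privileges" case: assume full compromise.
user_in_admin_group() {
    user=$1; groupfile=${2:-/etc/group}
    awk -F: -v u="$user" '
        $1 == "sudo" || $1 == "wheel" || $1 == "admin" {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) if (members[i] == u) found = 1
        }
        END { exit(found ? 0 : 1) }' "$groupfile"
}

# Regular files under DIR modified within the last DAYS days (default 1).
# -xdev keeps the walk on one filesystem; -mtime is POSIX, unlike -mmin.
recent_tmp_files() {
    dir=$1; days=${2:-1}
    find "$dir" -xdev -type f -mtime -"$days" 2>/dev/null
}

# Same window, but only files with the owner-execute bit set: a recently
# dropped executable in a tmp folder is a much stronger indicator than a
# stray data file.
recent_tmp_executables() {
    dir=$1; days=${2:-1}
    find "$dir" -xdev -type f -mtime -"$days" -perm -100 2>/dev/null
}

# List the struts2-core jar(s) inside a WAR so the version can be compared
# with the patched build. Needs Info-ZIP unzip (-Z1 = zipinfo, names only).
struts_jars_in_war() {
    war=$1
    command -v unzip >/dev/null 2>&1 || { echo "unzip not installed" >&2; return 2; }
    unzip -Z1 "$war" | grep -E '^WEB-INF/lib/struts2-core-'
}

# Full run on a live host:  . ./triage.sh && triage /opt/tomcat/webapps/dhis.war
triage() {
    war=$1
    user=$(ps -eo user=,args= | tomcat_user)
    echo "Tomcat user: ${user:-not running}"
    if [ -n "$user" ] && user_in_admin_group "$user"; then
        echo "WARNING: $user is in an admin group; treat the host as fully compromised"
    fi
    for d in /tmp /var/tmp /dev/shm; do
        echo "--- recent executables under $d"
        recent_tmp_executables "$d"
        echo "--- recent files under $d"
        recent_tmp_files "$d"
    done
    [ -n "$war" ] && { echo "--- Struts jars in $war"; struts_jars_in_war "$war"; }
}
```

The tmp walk is a starting point, not proof of a clean host: a command run as the Tomcat user can write anywhere that user can, so the same `find` is worth repeating over the Tomcat home, the webapps directory and the DHIS 2 home directory.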