
dhis2-devs team mailing list archive

Re: [Dhis2-users] critical security vulnerability found - immediate dhis upgrade required

 

Thanks Lars.

On Tue, Mar 14, 2017 at 12:10 AM, Lars Helge Øverland <lars@xxxxxxxxx>
wrote:

> Hi all,
>
> a critical vulnerability has been detected in one of the software
> libraries used by DHIS 2. This vulnerability allows an attacker to run
> remote commands on the server as the user running Tomcat/DHIS 2.
>
> We have patched all DHIS 2 versions from 2.21 to 2.26 / master. You can
> find new WAR file builds here:
>
> https://www.dhis2.org/downloads
>
> We strongly recommend all DHIS 2 server admins to *upgrade immediately*
> to a patched version.
>
> Keep in mind that your server might already be compromised. As a result
> one should look for suspicious activity on the server (bandwidth usage, tmp
> folders, etc). If you run Tomcat as a user with sudo privileges (not
> recommended) this means that your server might be fully compromised. To be
> on the absolute safe side it might be necessary to do a full wipe and
> re-install of your server environment.
>
> More info on the exploit:
>
> - https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/
>
> - http://www.javaworld.com/article/3179215/security/hackers-exploit-apache-struts-vulnerability-to-compromise-corporate-web-servers.html#tk.rss_all
>
>
> We are sorry about this. The vulnerable library is the Struts2 web
> framework, which we are in the process of writing out of the system.
>
> regards,
>
> Lars
>
>
>
> --
> Lars Helge Øverland
> Lead developer, DHIS 2
> University of Oslo
> Skype: larshelgeoverland
> lars@xxxxxxxxx
> http://www.dhis2.org <https://www.dhis2.org/>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-users
> Post to     : dhis2-users@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-users
> More help   : https://help.launchpad.net/ListHelp
>
>


-- 
Muhammad Abdul Hannan Khan
DHIS2 Country coordinator & Secretary
HISP Bangladesh

T +880-2- 8816459, 8816412 ext 118
F +88 02 8813 875
M+88 01819 239 241
M+88 01534 312 066
E hannank@xxxxxxxxx
S hannan.khan.dhaka
B hannan-tech.blogspot.com
L https://bd.linkedin.com/in/hannankhan
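A small triage helper for the checks the quoted advisory asks admins to make (inventory the Struts 2 jars deployed under Tomcat so they can be compared with the patched WAR, confirm the Tomcat service account is not in an admin group, and list recently changed files in temp directories). It is an added example, not DHIS 2 project code or anything posted in this thread; the webapps path, the `tomcat` user name and the sibling `temp` directory are placeholder assumptions.

```shell
#!/bin/sh
# Added triage helper (not DHIS 2 project code). Paths and the service
# account name below are placeholder assumptions; adjust for your host.

# Print "<path> <version>" for every struts2-core jar found below $1.
list_struts_jars() {
    find "$1" -type f -name 'struts2-core-*.jar' 2>/dev/null | while read -r jar; do
        base=$(basename "$jar" .jar)
        ver=${base#struts2-core-}
        printf '%s %s\n' "$jar" "$ver"
    done
}

# Exit 0 if user $1 is in a group that usually grants sudo (sudo/wheel/admin).
# Group membership is a proxy; sudoers may grant rights by other means.
tomcat_user_has_admin_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qxE 'sudo|wheel|admin'
}

# List regular files under $1 modified within the last $2 days (default 7).
recent_tmp_files() {
    find "$1" -type f -mtime "-${2:-7}" 2>/dev/null
}

main() {
    webapps=${1:-/var/lib/tomcat/webapps}   # placeholder path
    user=${2:-tomcat}                        # placeholder service account
    echo "== Struts 2 jars (compare against the patched DHIS 2 WAR from dhis2.org/downloads) =="
    list_struts_jars "$webapps"
    if tomcat_user_has_admin_group "$user"; then
        echo "WARNING: $user is in an admin group; a web-app compromise becomes a full-server compromise"
    fi
    echo "== files changed in the last 7 days under /tmp and Tomcat's temp dir =="
    recent_tmp_files /tmp 7
    recent_tmp_files "$webapps/../temp" 7   # assumes Tomcat's temp dir sits beside webapps
}

# Run only when invoked directly with RUN_TRIAGE=1, so the functions can also be sourced.
if [ "${RUN_TRIAGE:-0}" = 1 ]; then main "$@"; fi
```

Run as `RUN_TRIAGE=1 sh triage.sh /path/to/webapps tomcat` on the server; the jar list tells you which Struts build is actually deployed rather than which WAR you think you installed.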
