dhis2-devs team mailing list archive
-
dhis2-devs team
-
Mailing list archive
-
Message #48902
Re: [Dhis2-users] critical security vulnerability found - immediate dhis upgrade required
Dear Lars
I find problem downloading from https://ci.dhis2.org/. The download was
very slow and interrupted.
Is the links https://www.dhis2.org/download/releases/2.22/dhis.war has
updated war files?
Regards
Hannan
On Tue, Mar 14, 2017 at 12:10 AM, Lars Helge Øverland <lars@xxxxxxxxx>
wrote:
> Hi all,
>
> a critical vulnerability has been detected in one of the software
> libraries used by DHIS 2. This vulnerability allows an attacker to run
> remote commands on the server as the user running Tomcat/DHIS 2.
>
> We have patched all DHIS 2 versions from 2.21 to 2.26 / master. You can
> find new WAR file builds here:
>
> https://www.dhis2.org/downloads
>
> We strongly recommend all DHIS 2 server admins to *upgrade immediately*
> to a patched version.
>
> Keep in mind that your server might already be compromised. As a result
> one should look for suspicious activity on the server (bandwidth usage, tmp
> folders, etc). If you run Tomcat as a user with sudo privileges (not
> recommended) this means that your server might be fully compromised. To be
> on the absolute safe side it might be necessary to do a full wipe and
> re-install of your server environment.
>
> More info on the exploit:
>
> - https://arstechnica.com/security/2017/03/critical-
> vulnerability-under-massive-attack-imperils-high-impact-sites/
>
> - http://www.javaworld.com/article/3179215/security/
> hackers-exploit-apache-struts-vulnerability-to-compromise-
> corporate-web-servers.html#tk.rss_all
>
>
> We are sorry about this. The vulnerable library is the Struts2 web
> framework, which we are in the process of writing out of the system.
>
> regards,
>
> Lars
>
>
>
> --
> Lars Helge Øverland
> Lead developer, DHIS 2
> University of Oslo
> Skype: larshelgeoverland
> lars@xxxxxxxxx
> http://www.dhis2.org <https://www.dhis2.org/>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-users
> Post to : dhis2-users@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-users
> More help : https://help.launchpad.net/ListHelp
>
>
--
Muhammad Abdul Hannan Khan
DHIS2 Country coordinator & Secretary
HISP Bangladesh
T +880-2- 8816459, 8816412 ext 118
F +88 02 8813 875
M+88 01819 239 241
M+88 01534 312 066
E hannank@xxxxxxxxx
S hannan.khan.dhaka
B hannan-tech.blogspot.com
L https://bd.linkedin.com/in/hannankhan
Follow ups
References