
dhis2-devs team mailing list archive

Re: [Dhis2-users] critical security vulnerability found - immediate dhis upgrade required


Yes, please download from https://www.dhis2.org/downloads.

On Wed, Mar 15, 2017 at 11:58 AM, Hannan Khan <hannank@xxxxxxxxx> wrote:

> Dear Lars
>
> I found a problem downloading from https://ci.dhis2.org/. The download was
> very slow and interrupted.
>
> Does the link https://www.dhis2.org/download/releases/2.22/dhis.war have
> updated war files?
>
> Regards
>
> Hannan
>
> On Tue, Mar 14, 2017 at 12:10 AM, Lars Helge Øverland <lars@xxxxxxxxx>
> wrote:
>
>> Hi all,
>>
>> a critical vulnerability has been detected in one of the software
>> libraries used by DHIS 2. This vulnerability allows an attacker to run
>> remote commands on the server as the user running Tomcat/DHIS 2.
>>
>> We have patched all DHIS 2 versions from 2.21 to 2.26 / master. You can
>> find new WAR file builds here:
>>
>> https://www.dhis2.org/downloads
>>
>> We strongly recommend that all DHIS 2 server admins *upgrade immediately*
>> to a patched version.
>>
>> Keep in mind that your server might already be compromised. As a result,
>> one should look for suspicious activity on the server (bandwidth usage, tmp
>> folders, etc.). If you run Tomcat as a user with sudo privileges (not
>> recommended), this means that your server might be fully compromised. To be
>> on the absolute safe side it might be necessary to do a full wipe and
>> re-install of your server environment.
>>
>> More info on the exploit:
>>
>> - https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/
>>
>> - http://www.javaworld.com/article/3179215/security/hackers-exploit-apache-struts-vulnerability-to-compromise-corporate-web-servers.html#tk.rss_all
>>
>>
>> We are sorry about this. The vulnerable library is the Struts2 web
>> framework, which we are in the process of writing out of the system.
>>
>> regards,
>>
>> Lars
>>
>>
>>
>> --
>> Lars Helge Øverland
>> Lead developer, DHIS 2
>> University of Oslo
>> Skype: larshelgeoverland
>> lars@xxxxxxxxx
>> http://www.dhis2.org <https://www.dhis2.org/>
>>
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~dhis2-users
>> Post to     : dhis2-users@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~dhis2-users
>> More help   : https://help.launchpad.net/ListHelp
>>
>>
>
>
> --
> Muhammad Abdul Hannan Khan
> DHIS2 Country coordinator & Secretary
> HISP Bangladesh
>
> T +880-2-8816459, 8816412 ext 118
> F +88 02 8813 875
> M +88 01819 239 241
> M +88 01534 312 066
> E hannank@xxxxxxxxx
> S hannan.khan.dhaka
> B hannan-tech.blogspot.com
> L https://bd.linkedin.com/in/hannankhan
>
>
>


-- 
Lars Helge Øverland
Lead developer, DHIS 2
University of Oslo
Skype: larshelgeoverland
lars@xxxxxxxxx
http://www.dhis2.org <https://www.dhis2.org/>
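The quoted advisory asks admins to check whether the account running Tomcat/DHIS 2 has sudo rights and to look through tmp folders for suspicious activity. The script below is an added example, not DHIS 2 project code or anything from the thread, that automates those two checks against constructed data: a sample `/etc/group` and a scratch directory holding one stale file and one freshly written executable in a dot-directory. The account name `tomcat`, the group names `sudo`/`wheel`/`admin`, the seven-day window and the temp paths named in the comments are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Post-advisory triage helper.

Added example, not DHIS 2 project code. It scripts the two checks the
advisory asks server admins to make after patching:
  1. is the account that runs Tomcat/DHIS 2 in a sudo-capable group?
  2. which files under the temp folders changed recently?
The account name, group names, paths and time window are assumptions.
"""
import os
import stat
import tempfile
import time
from pathlib import Path

# Constructed sample in /etc/group format; on a real host read /etc/group.
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:alice,tomcat
wheel:x:10:
tomcat:x:998:
"""

# Groups that commonly grant sudo on Debian/Ubuntu and RHEL-style systems (assumed list).
PRIVILEGED_GROUPS = ("sudo", "wheel", "admin")


def parse_group_file(text):
    """Parse /etc/group-style text into {group_name: [member, ...]}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed line: skip rather than crash mid-triage
        groups[fields[0]] = [m for m in fields[3].split(",") if m]
    return groups


def sudo_groups_for(user, group_text, privileged=PRIVILEGED_GROUPS):
    """Return the privileged groups that list `user` as a member.

    Only supplementary group membership is checked; a per-user rule in
    sudoers would not show up here.
    """
    groups = parse_group_file(group_text)
    return [g for g in privileged if user in groups.get(g, [])]


def recently_modified(dirs, since_seconds, now=None):
    """List regular files under `dirs` modified within `since_seconds`.

    Each hit is (path, mtime, is_executable). lstat is used so symlinks are
    not followed and a planted link cannot steer the scan outside the folder.
    """
    now = time.time() if now is None else now
    hits = []
    for d in dirs:
        root = Path(d)
        if not root.is_dir():
            continue
        for p in root.rglob("*"):  # pathlib's "*" also matches dotfiles
            try:
                st = p.lstat()
            except OSError:
                continue  # vanished or unreadable, move on
            if not stat.S_ISREG(st.st_mode):
                continue
            if now - st.st_mtime <= since_seconds:
                hits.append((str(p), st.st_mtime, bool(st.st_mode & 0o111)))
    return sorted(hits)


def demo(tomcat_user="tomcat", window_days=7):
    """Run both checks against constructed data in a scratch directory."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        stale = Path(tmp) / "stale.log"  # 30 days old, must not be flagged
        stale.write_text("old\n")
        os.utime(stale, (now - 30 * 86400, now - 30 * 86400))
        hidden = Path(tmp) / ".cache"  # fresh executable inside a dot-directory
        hidden.mkdir()
        fresh = hidden / "run.bin"
        fresh.write_bytes(b"\x00")
        fresh.chmod(0o755)
        recent = recently_modified([tmp], window_days * 86400, now=now)
    return {
        "sudo_groups": sudo_groups_for(tomcat_user, SAMPLE_GROUP_FILE),
        "recent_names": [os.path.basename(path) for path, _, _ in recent],
        "recent_executable": [is_exec for _, _, is_exec in recent],
    }


if __name__ == "__main__":
    # On a real host (assumed paths): sudo_groups_for(user, open("/etc/group").read())
    # and recently_modified(["/tmp", "/var/tmp", "<tomcat>/temp"], 7 * 86400).
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The group check is deliberately narrow: it answers the advisory's "does Tomcat run with sudo privileges" question from group membership alone, and a clean result there says nothing about sudoers rules, setuid binaries or what an attacker may already have changed, which is why the mail's full-wipe advice still stands for anything that looks off.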
