dhis2-devs team mailing list archive
-
dhis2-devs team
-
Mailing list archive
-
Message #48904
Re: [Dhis2-users] critical security vulnerability found - immediate dhis upgrade required
Yes please download from https://www.dhis2.org/downloads .
On Wed, Mar 15, 2017 at 11:58 AM, Hannan Khan <hannank@xxxxxxxxx> wrote:
> Dear Lars
>
> I find problem downloading from https://ci.dhis2.org/. The download was
> very slow and interrupted.
>
> Is the links https://www.dhis2.org/download/releases/2.22/dhis.war has
> updated war files?
>
> Regards
>
> Hannan
>
> On Tue, Mar 14, 2017 at 12:10 AM, Lars Helge Øverland <lars@xxxxxxxxx>
> wrote:
>
>> Hi all,
>>
>> a critical vulnerability has been detected in one of the software
>> libraries used by DHIS 2. This vulnerability allows an attacker to run
>> remote commands on the server as the user running Tomcat/DHIS 2.
>>
>> We have patched all DHIS 2 versions from 2.21 to 2.26 / master. You can
>> find new WAR file builds here:
>>
>> https://www.dhis2.org/downloads
>>
>> We strongly recommend all DHIS 2 server admins to *upgrade immediately*
>> to a patched version.
>>
>> Keep in mind that your server might already be compromised. As a result
>> one should look for suspicious activity on the server (bandwidth usage, tmp
>> folders, etc). If you run Tomcat as a user with sudo privileges (not
>> recommended) this means that your server might be fully compromised. To be
>> on the absolute safe side it might be necessary to do a full wipe and
>> re-install of your server environment.
>>
>> More info on the exploit:
>>
>> - https://arstechnica.com/security/2017/03/critical-vulnerab
>> ility-under-massive-attack-imperils-high-impact-sites/
>>
>> - http://www.javaworld.com/article/3179215/security/hackers-
>> exploit-apache-struts-vulnerability-to-compromise-corporate-
>> web-servers.html#tk.rss_all
>>
>>
>> We are sorry about this. The vulnerable library is the Struts2 web
>> framework, which we are in the process of writing out of the system.
>>
>> regards,
>>
>> Lars
>>
>>
>>
>> --
>> Lars Helge Øverland
>> Lead developer, DHIS 2
>> University of Oslo
>> Skype: larshelgeoverland
>> lars@xxxxxxxxx
>> http://www.dhis2.org <https://www.dhis2.org/>
>>
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~dhis2-users
>> Post to : dhis2-users@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~dhis2-users
>> More help : https://help.launchpad.net/ListHelp
>>
>>
>
>
> --
> Muhammad Abdul Hannan Khan
> DHIS2 Country coordinator & Secretary
> HISP Bangladesh
>
> T +880-2- 8816459 <+880%202-8816459>, 8816412 ext 118
> F +88 02 8813 875
> M+88 01819 239 241
> M+88 01534 312 066
> E hannank@xxxxxxxxx
> S hannan.khan.dhaka
> B hannan-tech.blogspot.com
> L https://bd.linkedin.com/in/hannankhan
>
>
>
--
Lars Helge Øverland
Lead developer, DHIS 2
University of Oslo
Skype: larshelgeoverland
lars@xxxxxxxxx
http://www.dhis2.org <https://www.dhis2.org/>
References