
dhis2-devs team mailing list archive

Re: critical security vulnerability found - immediate dhis upgrade required


Following this announcement by Lars back in March, it is really
troubling to report that we are still hearing of servers being hacked
as a result of this vulnerability.  The most recent case brought to my
attention, just over a week ago, was a Tomcat server running as root with a
DHIS2 WAR file from Nov 2016.  The server was collecting tracker
demographic data on patients and was cracked "wide open".

Please do ensure that you respond to these warnings responsibly.
Apologies for cross-posting.

Regards
Bob

On 13 March 2017 at 18:10, Lars Helge Øverland <lars@xxxxxxxxx> wrote:
> Hi all,
>
> a critical vulnerability has been detected in one of the software libraries
> used by DHIS 2. This vulnerability allows an attacker to run remote commands
> on the server as the user running Tomcat/DHIS 2.
>
> We have patched all DHIS 2 versions from 2.21 to 2.26 / master. You can find
> new WAR file builds here:
>
> https://www.dhis2.org/downloads
>
> We strongly recommend that all DHIS 2 server admins upgrade immediately to a
> patched version.
>
> Keep in mind that your server might already be compromised. As a result, one
> should look for suspicious activity on the server (bandwidth usage, tmp
> folders, etc). If you run Tomcat as a user with sudo privileges (not
> recommended) this means that your server might be fully compromised. To be
> on the absolute safe side it might be necessary to do a full wipe and
> re-install of your server environment.
>
> More info on the exploit:
>
> -
> https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/
>
> -
> http://www.javaworld.com/article/3179215/security/hackers-exploit-apache-struts-vulnerability-to-compromise-corporate-web-servers.html#tk.rss_all
>
>
> We are sorry about this. The vulnerable library is the Struts2 web
> framework, which we are in the process of writing out of the system.
>
> regards,
>
> Lars
>
>
>
> --
> Lars Helge Øverland
> Lead developer, DHIS 2
> University of Oslo
> Skype: larshelgeoverland
> lars@xxxxxxxxx
> http://www.dhis2.org
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-devs
> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-devs
> More help   : https://help.launchpad.net/ListHelp
>



-- 
I am travelling from Sat 24 June to Sunday 2 July.  Access to my email
will be sporadic.  Please be patient and I will respond when I can.
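The triage Lars describes in the quoted announcement (which user Tomcat runs as, whether that user is privileged, and whether tmp folders show recent activity) can be scripted. The block below is an added example for this archive page, not code from the DHIS 2 project or from either poster; the sample `ps` line, the sample sudoers entries and the temporary directory layout are constructed for the demo, and on a real host you would feed it `ps -eo user,pid,args`, `/etc/sudoers` and `/tmp /var/tmp` instead.

```shell
#!/bin/sh
# Added example, not part of the original thread or of DHIS 2 itself.
# Three post-announcement checks on a Tomcat/DHIS 2 host:
#   1. which user owns the Tomcat process,
#   2. whether that user is root or has a direct sudoers grant,
#   3. how many files in tmp folders changed recently.
# Sample inputs below are constructed; paths on a live host are assumptions.

# Check 1: user owning the Tomcat process.
# $1 is one line of `ps -eo user,pid,args` output.
tomcat_user() {
    printf '%s\n' "$1" | awk '/org.apache.catalina.startup.Bootstrap/ {print $1; exit}'
}

# Check 2: is the user root, or granted sudo by a direct entry in the sudoers file?
# Returns 0 (privileged) or 1. Group entries (%sudo, %wheel) are not parsed;
# on a real host also check `id -nG "$user"` against those groups.
is_privileged() {
    user="$1"; sudoers_file="$2"
    [ "$user" = "root" ] && return 0
    grep -Eq "^[[:space:]]*$user[[:space:]]+[^#]*=" "$sudoers_file" && return 0
    return 1
}

# Check 3: count regular files modified within the last N days under the
# given tmp directories; dropped tooling after a web-shell foothold often lands there.
recent_tmp_files() {
    days="$1"; shift
    find "$@" -type f -mtime "-$days" 2>/dev/null | wc -l | tr -d ' '
}

# Demo with constructed data: Tomcat as root, a sudoers grant for "tomcat",
# one fresh file and one file dated Nov 2016 in a fake tmp directory.
demo() {
    ps_line="root      1234 /usr/bin/java -Djava.awt.headless=true org.apache.catalina.startup.Bootstrap start"
    tmpd=$(mktemp -d)
    printf 'tomcat ALL=(ALL) NOPASSWD: ALL\n' > "$tmpd/sudoers"
    mkdir "$tmpd/tmp"
    : > "$tmpd/tmp/fresh.sh"                    # modified now
    touch -t 201611010000 "$tmpd/tmp/old.log"   # modified Nov 2016

    u=$(tomcat_user "$ps_line")
    if is_privileged "$u" "$tmpd/sudoers"; then
        echo "Tomcat runs as '$u' (privileged): treat the whole host as compromised"
    else
        echo "Tomcat runs as '$u' (unprivileged)"
    fi
    echo "files changed in tmp during the last 7 days: $(recent_tmp_files 7 "$tmpd/tmp")"
    rm -rf "$tmpd"
}
demo
```

A privileged hit on check 2 is exactly the case Lars flags: remote command execution as that user means the attacker could have taken the whole host, so wiping and reinstalling is the safe course rather than just swapping the WAR.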

