critical security vulnerability found - immediate dhis upgrade required

Hi all,

a critical vulnerability has been detected in one of the software libraries used by DHIS 2. This vulnerability allows an attacker to run remote commands on the server as the user running Tomcat/DHIS 2.

We have patched all DHIS 2 versions from 2.21 to 2.26 / master. You can find new WAR file builds here:

https://www.dhis2.org/downloads

We strongly recommend all DHIS 2 server admins to upgrade immediately to a patched version.

Keep in mind that your server might already be compromised. As a result one should look for suspicious activity on the server (bandwidth usage, tmp folders, etc). If you run Tomcat as a user with sudo privileges (not recommended) this means that your server might be fully compromised. To be on the absolute safe side it might be necessary to do a full wipe and re-install of your server environment.

More info on the exploit:

We are sorry about this. The vulnerable library is the Struts2 web framework, which we are in the process of writing out of the system.

regards,

Lars

···

Lars Helge Øverland

Lead developer, DHIS 2

University of Oslo

Skype: larshelgeoverland

lars@dhis2.org

http://www.dhis2.org

Thank you Lars

···

On Mar 13, 2017 11:40 PM, “Lars Helge Øverland” lars@dhis2.org wrote:

Hi all,

a critical vulnerability has been detected in one of the software libraries used by DHIS 2. This vulnerability allows an attacker to run remote commands on the server as the user running Tomcat/DHIS 2.

We have patched all DHIS 2 versions from 2.21 to 2.26 / master. You can find new WAR file builds here:

https://www.dhis2.org/downloads

We strongly recommend all DHIS 2 server admins to upgrade immediately to a patched version.

Keep in mind that your server might already be compromised. As a result one should look for suspicious activity on the server (bandwidth usage, tmp folders, etc). If you run Tomcat as a user with sudo privileges (not recommended) this means that your server might be fully compromised. To be on the absolute safe side it might be necessary to do a full wipe and re-install of your server environment.

More info on the exploit:

We are sorry about this. The vulnerable library is the Struts2 web framework, which we are in the process of writing out of the system.

regards,

Lars


Lars Helge Øverland

Lead developer, DHIS 2

University of Oslo

Skype: larshelgeoverland

lars@dhis2.org

http://www.dhis2.org


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp

Thanks Lars.

···

On Tue, Mar 14, 2017 at 12:10 AM, Lars Helge Øverland lars@dhis2.org wrote:

Hi all,

a critical vulnerability has been detected in one of the software libraries used by DHIS 2. This vulnerability allows an attacker to run remote commands on the server as the user running Tomcat/DHIS 2.

We have patched all DHIS 2 versions from 2.21 to 2.26 / master. You can find new WAR file builds here:

https://www.dhis2.org/downloads

We strongly recommend all DHIS 2 server admins to upgrade immediately to a patched version.

Keep in mind that your server might already be compromised. As a result one should look for suspicious activity on the server (bandwidth usage, tmp folders, etc). If you run Tomcat as a user with sudo privileges (not recommended) this means that your server might be fully compromised. To be on the absolute safe side it might be necessary to do a full wipe and re-install of your server environment.

More info on the exploit:

We are sorry about this. The vulnerable library is the Struts2 web framework, which we are in the process of writing out of the system.

regards,

Lars

Lars Helge Øverland

Lead developer, DHIS 2

University of Oslo

Skype: larshelgeoverland

lars@dhis2.org

http://www.dhis2.org


Mailing list: https://launchpad.net/~dhis2-users

Post to : dhis2-users@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-users

More help : https://help.launchpad.net/ListHelp

Muhammad Abdul Hannan Khan

DHIS2 Country coordinator & Secretary

HISP Bangladesh

T +880-2- 8816459, 8816412 ext 118

F +88 02 8813 875

M+88 01819 239 241

M+88 01534 312 066

E hannank@gmail.com

S hannan.khan.dhaka

B hannan-tech.blogspot.com

L https://bd.linkedin.com/in/hannankhan

Dear Lars

I find problem downloading from https://ci.dhis2.org/. The download was very slow and interrupted.

Is the links https://www.dhis2.org/download/releases/2.22/dhis.war has updated war files?

Regards

Hannan

···

On Tue, Mar 14, 2017 at 12:10 AM, Lars Helge Øverland lars@dhis2.org wrote:

Hi all,

a critical vulnerability has been detected in one of the software libraries used by DHIS 2. This vulnerability allows an attacker to run remote commands on the server as the user running Tomcat/DHIS 2.

We have patched all DHIS 2 versions from 2.21 to 2.26 / master. You can find new WAR file builds here:

https://www.dhis2.org/downloads

We strongly recommend all DHIS 2 server admins to upgrade immediately to a patched version.

Keep in mind that your server might already be compromised. As a result one should look for suspicious activity on the server (bandwidth usage, tmp folders, etc). If you run Tomcat as a user with sudo privileges (not recommended) this means that your server might be fully compromised. To be on the absolute safe side it might be necessary to do a full wipe and re-install of your server environment.

More info on the exploit:

We are sorry about this. The vulnerable library is the Struts2 web framework, which we are in the process of writing out of the system.

regards,

Lars

Lars Helge Øverland

Lead developer, DHIS 2

University of Oslo

Skype: larshelgeoverland

lars@dhis2.org

http://www.dhis2.org


Mailing list: https://launchpad.net/~dhis2-users

Post to : dhis2-users@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-users

More help : https://help.launchpad.net/ListHelp

Muhammad Abdul Hannan Khan

DHIS2 Country coordinator & Secretary

HISP Bangladesh

T +880-2- 8816459, 8816412 ext 118

F +88 02 8813 875

M+88 01819 239 241

M+88 01534 312 066

E hannank@gmail.com

S hannan.khan.dhaka

B hannan-tech.blogspot.com

L https://bd.linkedin.com/in/hannankhan

Yes please download from https://www.dhis2.org/downloads .

···

On Wed, Mar 15, 2017 at 11:58 AM, Hannan Khan hannank@gmail.com wrote:

Dear Lars

I find problem downloading from https://ci.dhis2.org/. The download was very slow and interrupted.

Is the links https://www.dhis2.org/download/releases/2.22/dhis.war has updated war files?

Regards

Hannan

On Tue, Mar 14, 2017 at 12:10 AM, Lars Helge Øverland lars@dhis2.org wrote:

Hi all,

a critical vulnerability has been detected in one of the software libraries used by DHIS 2. This vulnerability allows an attacker to run remote commands on the server as the user running Tomcat/DHIS 2.

We have patched all DHIS 2 versions from 2.21 to 2.26 / master. You can find new WAR file builds here:

https://www.dhis2.org/downloads

We strongly recommend all DHIS 2 server admins to upgrade immediately to a patched version.

Keep in mind that your server might already be compromised. As a result one should look for suspicious activity on the server (bandwidth usage, tmp folders, etc). If you run Tomcat as a user with sudo privileges (not recommended) this means that your server might be fully compromised. To be on the absolute safe side it might be necessary to do a full wipe and re-install of your server environment.

More info on the exploit:

We are sorry about this. The vulnerable library is the Struts2 web framework, which we are in the process of writing out of the system.

regards,

Lars

Lars Helge Øverland

Lead developer, DHIS 2

University of Oslo

Skype: larshelgeoverland

lars@dhis2.org

http://www.dhis2.org


Mailing list: https://launchpad.net/~dhis2-users

Post to : dhis2-users@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-users

More help : https://help.launchpad.net/ListHelp


Muhammad Abdul Hannan Khan

DHIS2 Country coordinator & Secretary

HISP Bangladesh

T +880-2- 8816459, 8816412 ext 118

F +88 02 8813 875

M+88 01819 239 241

M+88 01534 312 066

E hannank@gmail.com

S hannan.khan.dhaka

B hannan-tech.blogspot.com

L https://bd.linkedin.com/in/hannankhan

Lars Helge Øverland

Lead developer, DHIS 2

University of Oslo

Skype: larshelgeoverland

lars@dhis2.org

http://www.dhis2.org

Following this announcement by Lars back in March it is really
troubling to report that we are still hearing of servers being hacked
as a result of this vulnerability. The most recent case brought to my
attention just over a week ago (a tomcat server running as root with a
dhis2 war file from nov 2016). The server was collecting tracker
demographic data on patients and was cracked "wide open".

Please do ensure that you respond to these warnings responsibly.
apologies for cross-posting.

Regards
Bob

···

On 13 March 2017 at 18:10, Lars Helge Øverland <lars@dhis2.org> wrote:

Hi all,

a critical vulnerability has been detected in one of the software libraries
used by DHIS 2. This vulnerability allows an attacker to run remote commands
on the server as the user running Tomcat/DHIS 2.

We have patched all DHIS 2 versions from 2.21 to 2.26 / master. You can find
new WAR file builds here:

https://www.dhis2.org/downloads

We strongly recommend all DHIS 2 server admins to upgrade immediately to a
patched version.

Keep in mind that your server might already be compromised. As a result one
should look for suspicious activity on the server (bandwidth usage, tmp
folders, etc). If you run Tomcat as a user with sudo privileges (not
recommended) this means that your server might be fully compromised. To be
on the absolute safe side it might be necessary to do a full wipe and
re-install of your server environment.

More info on the exploit:

-
https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/

-
http://www.javaworld.com/article/3179215/security/hackers-exploit-apache-struts-vulnerability-to-compromise-corporate-web-servers.html#tk.rss_all

We are sorry about this. The vulnerable library is the Struts2 web
framework, which we are in the process of writing out of the system.

regards,

Lars

--
Lars Helge Øverland
Lead developer, DHIS 2
University of Oslo
Skype: larshelgeoverland
lars@dhis2.org
http://www.dhis2.org

_______________________________________________
Mailing list: https://launchpad.net/~dhis2-devs
Post to : dhis2-devs@lists.launchpad.net
Unsubscribe : https://launchpad.net/~dhis2-devs
More help : https://help.launchpad.net/ListHelp

--
I am travelling from Sat 24 June to Sunday 2 July. Access to my email
will be sporadic. Please be patient and I will respond when I can.