IMPORTANT: Vulnerability discovered in DHIS2 version 2.16 and some versions of trunk.

A potentially serious vulnerability of DHIS2 has been discovered by members of the core development team this afternoon (2014-09-01).
The development team is working on a permanent solution for this, but in the meantime, all users of DHIS2 are advised to review their system for potential vulnerabilities.

**Potentially affected versions:**
All versions of DHIS2 2.16 and any version of trunk from revision 15124 and up.

**Vulnerability Details:**

Hazelcast is a component of DHIS2 used to provide caching. By default, Hazelcast will open a port (5701) on the machine which is running DHIS2. The Hazelcast cluster may be vulnerable to attack. The Hazelcast cluster API may expose critical information about the system, including network information and other runtime data. It is not currently known to what extent the information contained inside of DHIS2 might be exposed through this vulnerability.

**Risk:**
When running DHIS2 on a network that’s directly attached to the Internet or another unsecured network, an attacker may access and inject critical information into the Hazelcast component. The exposed API could be used to influence system availability by injecting arbitrary data into the DHIS2 caching system.

Steps to confirm if your server is vulnerable:

Replace “server” with your IP address or the name of your server and attempt to access the resulting address through your web browser.

http://server:5701/hazelcast/rest/cluster/

Affected versions of DHIS2 will show something like the response below.

Members [1] {
Member [XXX.XXX.XXX.XX]:5701 this
}

ConnectionCount: 4
AllConnectionCount: 5

If you see any response, even different from this one, your DHIS2 server is vulnerable, and should be upgraded immediately.

**Mitigation:**

If you are running DHIS 2.15 or lower, do not upgrade at this point, until advised otherwise. Further testing of the solution will need to be confirmed.

If you are running DHIS2 version 2.16 or higher, or any version of trunk past revision 15124, or any branch of trunk including revision 15124 and up, you should immediately use a software-based firewall to block all non-localhost traffic on port 5701. The package UFW is a simple firewall, which can be easily installed and enabled as below:

sudo apt-get install ufw (only if you have not installed this package previously)
sudo ufw allow 22 (change this if need be to whatever port your ssh is listening on)
sudo ufw allow 80
sudo ufw allow 443

sudo ufw enable

Additionally, you should immediately upgrade your DHIS2 server software version to at least the following revisions.
Trunk: Revision 16603
2.16: 16386

The core development team will communicate further on this issue once we have had time to determine the extent of the problem, as well as to confirm a final fix. If you have any questions about this mail, please do not hesitate to ask!

Best regards,
Jason Pickering
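The browser check in the mail above, scripted so it can be run from a host on the untrusted side of the firewall and repeated after the ufw change. This is an added example, not code from Jason's mail, from DHIS2 or from dhis2-tools; it assumes curl is installed, uses the 5701 default named in the mail, and the variable names HZ_HOST, HZ_PORT and HZ_CHECK_BIND are chosen here and are not DHIS2 settings. It also adds a second check the mail does not describe: reading `ss -ltn` on the DHIS2 host to see which address Hazelcast is actually bound to, since a wildcard bind is exactly what the firewall rule has to compensate for.

```shell
#!/usr/bin/env bash
# Added example: not code from the DHIS2 advisory, the DHIS2 project or dhis2-tools.
# Scripts the advisory's check (fetch http://server:5701/hazelcast/rest/cluster/) and
# adds a local check of which address the Hazelcast port is bound to.
# Assumptions: curl is available; 5701 is the Hazelcast default the advisory names;
# HZ_HOST, HZ_PORT and HZ_CHECK_BIND are names chosen for this script, not DHIS2 settings.

HZ_PORT="${HZ_PORT:-5701}"

# classify_probe CURL_EXIT_CODE
# Applies the advisory's rule: any answer at all means the endpoint is reachable from
# wherever the probe ran. Prints exposed | unreachable | unknown.
classify_probe() {
  case "$1" in
    0)    echo "exposed" ;;      # got some HTTP response
    7|28) echo "unreachable" ;;  # 7 = connection refused, 28 = timed out (filtered)
    *)    echo "unknown" ;;      # DNS failure etc.: look by hand before concluding
  esac
}

# parse_cluster_body BODY
# Pulls the figures out of the plain-text response shown in the advisory and prints
# "members=N connections=N all_connections=N".
parse_cluster_body() {
  printf '%s\n' "$1" | awk '
    /^Members \[[0-9]+\]/  { gsub(/[^0-9]/, "", $2); m = $2 }
    /^ConnectionCount:/    { c = $2 }
    /^AllConnectionCount:/ { a = $2 }
    END { printf "members=%s connections=%s all_connections=%s\n", m, c, a }'
}

# probe_hazelcast HOST
# The browser check from the command line. Run it from a machine on the untrusted side
# of the firewall; running it on the DHIS2 host itself only tells you about loopback.
probe_hazelcast() {
  local host="$1" body status
  body="$(curl -sS --max-time 5 "http://${host}:${HZ_PORT}/hazelcast/rest/cluster/" 2>/dev/null)"
  status=$?
  classify_probe "$status"
  if [ "$status" -eq 0 ]; then
    parse_cluster_body "$body"
  fi
  return 0
}

# bound_addresses SS_OUTPUT
# Given the text of `ss -ltn` (passed in, so it can be run offline against a captured
# sample), prints every local address:port that is listening on the Hazelcast port.
bound_addresses() {
  printf '%s\n' "$1" | awk -v port="$HZ_PORT" '
    NR > 1 && $1 == "LISTEN" {
      n = split($4, parts, ":")
      if (parts[n] == port) print $4
    }'
}

# localhost_only SS_OUTPUT
# Exit 0 only if every listener on the Hazelcast port is on a loopback address.
# "*:5701", "0.0.0.0:5701" or "[::]:5701" means any host that can reach the machine
# can reach Hazelcast unless a firewall such as ufw blocks it.
localhost_only() {
  local addr
  while read -r addr; do
    case "$addr" in
      127.0.0.1:*|\[::1\]:*) ;;  # loopback: fine
      "") ;;                      # no listener at all: nothing to expose
      *) return 1 ;;              # wildcard or a real interface address
    esac
  done <<EOF
$(bound_addresses "$1")
EOF
  return 0
}

# Usage (hostname is a placeholder):
#   HZ_HOST=dhis.example.org ./hazelcast-check.sh      # from outside: the advisory's probe
#   HZ_CHECK_BIND=1 ./hazelcast-check.sh               # on the DHIS2 host: bind address
if [ -n "${HZ_HOST:-}" ]; then
  probe_hazelcast "$HZ_HOST"
fi
if [ -n "${HZ_CHECK_BIND:-}" ]; then
  if localhost_only "$(ss -ltn 2>/dev/null)"; then
    echo "bind check: port ${HZ_PORT} is loopback-only (or nothing is listening)"
  else
    echo "bind check: port ${HZ_PORT} is bound to a non-loopback address"
  fi
fi
```

The probe deliberately keys on curl's exit status rather than the body, because the mail's rule is that any response at all counts: an HTTP 404 or an error page from the port still proves the Hazelcast listener is reachable. The sample addresses used when testing this script are constructed (203.0.113.x is a documentation range), not captured from a real server.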

Thanks Jason for the critical info – had a funny feeling seeing hazelcast opening port 5701 in the 2.16 logs. Look forward to the green light on upgrade to 2.16.


Regards,

Dapo Adejumo

+2348033683677

Skype : dapojorge


My testing environment was vulnerable to this and I confirm UFW temporarily solved the issue. I'm running 2.16.

regards

JPaul Mutali


Thanks JP for the feedback. If you are using dhis2-tools you can upgrade to the latest stable when you get the chance with:

dhis2-deploy-war

But it's always good to have ufw enabled anyway to provide some strength in depth and protect against mistakes, misconfigurations etc.

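A way to verify that ufw is actually in the state the advisory's mitigation produces, rather than trusting that the four commands were typed on every server. This is an added example, not code from the thread, from DHIS2 or from dhis2-tools; it reads the text of `ufw status verbose` as an argument (so it can be exercised offline against a captured or constructed sample) and assumes the 5701 default the advisory names.

```shell
#!/usr/bin/env bash
# Added example: not code from the thread, the DHIS2 project or dhis2-tools.
# Audits the text of `ufw status verbose` for the state the advisory's mitigation
# produces: firewall active, incoming denied by default, and no rule that opens the
# Hazelcast port to other hosts. The status text is an argument so the checks can run
# offline against a captured or constructed sample; on a real host pass
# "$(sudo ufw status verbose)". Assumes 5701, the Hazelcast default the advisory names.

HZ_PORT="${HZ_PORT:-5701}"

# ufw_active STATUS_TEXT : exit 0 if the firewall reports itself active
ufw_active() {
  printf '%s\n' "$1" | grep -qx 'Status: active'
}

# ufw_default_deny_incoming STATUS_TEXT : exit 0 if unsolicited inbound traffic is
# denied or rejected by default (ufw's policy once enabled, unless someone changed it)
ufw_default_deny_incoming() {
  printf '%s\n' "$1" | grep -Eq '^Default: (deny|reject) \(incoming\)'
}

# ufw_rules_opening_port STATUS_TEXT PORT
# Prints each ALLOW rule whose "To" column is PORT (also matching "PORT/tcp" and the
# "(v6)" variants) unless the rule's From side is a loopback address. Any output means
# the firewall itself has been told to let other hosts in on that port.
ufw_rules_opening_port() {
  printf '%s\n' "$1" | awk -v port="$2" '
    {
      allow = 0
      to = $1; sub(/\/.*/, "", to)                    # "5701/tcp" -> "5701"
      if (to != port) next
      for (i = 2; i <= NF; i++) if ($i == "ALLOW") allow = 1
      if (!allow) next
      if ($0 ~ / 127\.0\.0\.1( |$)| ::1( |$)/) next   # loopback-only source: acceptable
      print
    }'
}

# ufw_hazelcast_ok STATUS_TEXT : exit 0 only when all three conditions hold
ufw_hazelcast_ok() {
  ufw_active "$1" \
    && ufw_default_deny_incoming "$1" \
    && [ -z "$(ufw_rules_opening_port "$1" "$HZ_PORT")" ]
}

# Usage on the DHIS2 host (ufw needs root):
#   status="$(sudo ufw status verbose)"
#   if ufw_hazelcast_ok "$status"; then echo "port ${HZ_PORT} shielded"; else ufw_rules_opening_port "$status" "$HZ_PORT"; fi
```

No explicit loopback rule is needed for DHIS2's own connection to Hazelcast: ufw's stock before.rules accept all traffic on the lo interface, so "deny incoming by default" plus the 22/80/443 allows from the advisory leaves 127.0.0.1:5701 reachable to the local JVM while blocking it from everywhere else. The sample status text used to test this script is constructed in the shape ufw prints, not captured from a real server.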