Hi, we have recently detected a security exploit on a couple of servers running dhis. The exploit seems to result in shell access with permissions of the user which is running tomcat.
*Symptoms* of the exploit are the presence of:

- a file /tmp/fake.cfg.
- various files with numeric-only names in the /tmp directory.
- massive outgoing network traffic (> 200 Gb per day).

The files will be owned by the user running tomcat. The outgoing network traffic is likely to be part of denial-of-service attacks against other servers.

*Cause* of the exploit is likely to be one or more weaknesses in Struts 2, which is a web framework used in dhis. These weaknesses have been fixed in Struts version 2.3.15.1. We have upgraded dhis version 2.12, 2.13 and snapshot/trunk with the new version. You can download the new WAR files from dhis2.org/downloads as usual.

*To remove* the exploit you should do the following:

- stop tomcat
- upgrade your dhis version (to 2.12 or 2.13)
- remove all of the above-mentioned files from /tmp (all owned by the tomcat user).
- kill all processes owned by the tomcat user, or simply reboot the server.
- delete all files and folders under <tomcat-install-dir>/work/Catalina (not confirmed but to be on the safe side).

If you have been running tomcat as root (sudo) then a full operating system re-install is recommended. There is no way to completely verify what an exploit can do with full permissions. Running tomcat as root is strictly discouraged in any case.

*Summary*

- In any case you should upgrade your dhis version, whether you see the symptoms or not.
- If you see the symptoms but have been running dhis with regular, non-root privileges, you will be fine by following the removal steps.
- If you see the symptoms and have been running dhis with root privileges, you should do a clean server installation.

regards,
Lars
_______________________________________________
Mailing list: https://launchpad.net/~dhis2-users
Post to     : dhis2-users@lists.launchpad.net
Unsubscribe : https://launchpad.net/~dhis2-users
More help   : https://help.launchpad.net/ListHelp
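The scan and clean-up procedure from Lars's post, written out as a POSIX shell script. This is an added example, not code from the DHIS2 project or from the post itself. It assumes the Tomcat service user is "tomcat", that Tomcat lives under /opt/tomcat and that it is stopped with "service tomcat stop"; all three are overridable through environment variables. The scan only reports entries directly under the scanned directory that are owned by the Tomcat user and are named either fake.cfg or digits-only, which is exactly the indicator set the post describes; it is a triage aid, not proof that a host is clean. Nothing destructive runs unless the script is invoked with --clean.

```shell
#!/bin/sh
# Added example for the dhis2-users post above; not DHIS2 project code.
# Assumed defaults (override via environment): Tomcat runs as user "tomcat",
# is installed under /opt/tomcat and is controlled with "service tomcat stop".
TOMCAT_USER="${TOMCAT_USER:-tomcat}"
TOMCAT_HOME="${TOMCAT_HOME:-/opt/tomcat}"
SCAN_DIR="${SCAN_DIR:-/tmp}"

# owned_by PATH USER: succeed if PATH is owned by USER.
# find -user is POSIX and accepts a name or a numeric uid; stat flags are not portable.
owned_by() {
    [ -n "$(find "$1" -prune -user "$2" 2>/dev/null)" ]
}

# find_indicators DIR USER: print entries directly under DIR that are owned by USER
# and are named exactly "fake.cfg" or consist only of digits (the post's indicators).
find_indicators() {
    dir="$1"; owner="$2"
    for p in "$dir"/*; do
        [ -e "$p" ] || continue            # empty directory: the glob stays literal
        name=${p##*/}
        case "$name" in
            fake.cfg) ;;                   # the named dropper config
            *[!0-9]*) continue ;;          # contains a non-digit: not an indicator
            *) ;;                          # digits only
        esac
        if owned_by "$p" "$owner"; then
            printf '%s\n' "$p"
        fi
    done
    return 0
}

# count_indicators DIR USER: number of indicator entries found.
count_indicators() {
    find_indicators "$1" "$2" | wc -l | tr -d ' '
}

# purge_indicators DIR USER: delete the indicator entries and print how many went away.
purge_indicators() {
    before=$(count_indicators "$1" "$2")
    find_indicators "$1" "$2" | while IFS= read -r p; do
        rm -rf -- "$p"
    done
    after=$(count_indicators "$1" "$2")
    echo $((before - after))
}

# struts_jars WAR: list the Struts 2 core jar(s) bundled in a WAR, so the upgrade can be
# verified: the post states the fix is in Struts 2.3.15.1.
struts_jars() {
    unzip -l "$1" | awk '/struts2-core/ { print $NF }'
}

# cleanup: the post's removal steps, in order, for a non-root Tomcat user.
# Deploy the upgraded dhis WAR and start Tomcat again afterwards.
cleanup() {
    service tomcat stop                              # assumed init script name
    purge_indicators "$SCAN_DIR" "$TOMCAT_USER"
    pkill -u "$TOMCAT_USER" || true                  # kill anything still running as the Tomcat user
    rm -rf -- "$TOMCAT_HOME/work/Catalina"/*         # discard compiled JSPs and session state
}

case "${1:-}" in
    --scan)  find_indicators "$SCAN_DIR" "$TOMCAT_USER" ;;
    --clean) cleanup ;;
esac
```

Run it as "sh scan.sh --scan" first and look at the list before running "--clean"; the scan deliberately ignores files owned by anyone other than the Tomcat user so that legitimate numeric-named files from other services do not get deleted. If the WAR you deploy still lists a struts2-core jar older than 2.3.15.1 in the output of struts_jars, the upgrade did not take and the clean-up will not hold.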