Following this announcement by Lars back in March it is really troubling to report that we are still hearing of servers being hacked as a result of this vulnerability. The most recent case brought to my attention just over a week ago (a tomcat server running as root with a dhis2 war file from nov 2016). The server was collecting tracker demographic data on patients and was cracked "wide open".
Please do ensure that you respond to these warnings responsibly. apologies for cross-posting. Regards Bob On 13 March 2017 at 18:10, Lars Helge Øverland <l...@dhis2.org> wrote: > Hi all, > > a critical vulnerability has been detected in one of the software libraries > used by DHIS 2. This vulnerability allows an attacker to run remote commands > on the server as the user running Tomcat/DHIS 2. > > We have patched all DHIS 2 versions from 2.21 to 2.26 / master. You can find > new WAR file builds here: > > https://www.dhis2.org/downloads > > We strongly recommend all DHIS 2 server admins to upgrade immediately to a > patched version. > > Keep in mind that your server might already be compromised. As a result one > should look for suspicious activity on the server (bandwidth usage, tmp > folders, etc). If you run Tomcat as a user with sudo privileges (not > recommended) this means that your server might be fully compromised. To be > on the absolute safe side it might be necessary to do a full wipe and > re-install of your server environment. > > More info on the exploit: > > - > https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/ > > - > http://www.javaworld.com/article/3179215/security/hackers-exploit-apache-struts-vulnerability-to-compromise-corporate-web-servers.html#tk.rss_all > > > We are sorry about this. The vulnerable library is the Struts2 web > framework, which we are in the process of writing out of the system. > > regards, > > Lars > > > > -- > Lars Helge Øverland > Lead developer, DHIS 2 > University of Oslo > Skype: larshelgeoverland > l...@dhis2.org > http://www.dhis2.org > > > _______________________________________________ > Mailing list: https://launchpad.net/~dhis2-devs > Post to : dhis2-d...@lists.launchpad.net > Unsubscribe : https://launchpad.net/~dhis2-devs > More help : https://help.launchpad.net/ListHelp > -- I am travelling from Sat 24 June to Sunday 2 July. Access to my email will be sporadic. Please be patient and I will respond when I can. _______________________________________________ Mailing list: https://launchpad.net/~dhis2-users Post to : dhis2-users@lists.launchpad.net Unsubscribe : https://launchpad.net/~dhis2-users More help : https://help.launchpad.net/ListHelp
