My testing environment was vulnerable to this and I confirm UFW temporarily solved the issue. I'm running 2.16.

Regards,
JPaul Mutali

On Mon, Sep 1, 2014 at 5:46 PM, Jason Pickering <jason.p.picker...@gmail.com> wrote:

> A potentially serious vulnerability of DHIS2 has been discovered by
> members of the core development team this afternoon (2014-09-01).
> The development team is working on a permanent solution for this, but in
> the meantime, all users of DHIS2 are advised to review their system for
> potential vulnerabilities.
>
> *Potentially affected versions:*
> All versions of DHIS2 2.16 and any version of trunk, from revision 15124
> and up.
>
> *Vulnerability Details:*
> Hazelcast is a component of DHIS2 used to provide caching. By default,
> Hazelcast will open a port (5701) on the machine which is running DHIS2.
> The Hazelcast cluster may be vulnerable to attack. The Hazelcast cluster
> API may expose critical information about the system, including network
> information and other runtime data. It is not currently known to what
> extent the information contained inside of DHIS2 might be exposed through
> this vulnerability.
>
> *Risk:*
> When running DHIS2 on a network that's directly attached to the Internet
> or other unsecured network, an attacker may access and inject critical
> information into the Hazelcast component. The exposed API could be used to
> influence system availability by injecting arbitrary into the DHIS2
> caching system.
>
> *Steps to confirm if your server is vulnerable:*
>
> Replace "server" with your IP address or the name of your server and
> attempt to access the resulting address through your web browser:
>
> http://server:5701/hazelcast/rest/cluster/
>
> Affected versions of DHIS2 will show something like the response below.
>
> Members [1] {
>     Member [XXX.XXX.XXX.XX]:5701 this
> }
>
> ConnectionCount: 4
> AllConnectionCount: 5
>
> If you see any response, even different from this one, your DHIS2 server
> is vulnerable, and should be upgraded immediately.
>
> *Mitigation:*
>
> If you are running DHIS 2.15 or lower, do not upgrade at this point, until
> advised otherwise. Further testing of the solution will need to be
> confirmed.
>
> If you are running DHIS2 version 2.16 or higher, or any version of trunk
> past revision 15124, or any branch of trunk including revision 15124 and
> up, you should immediately use a software based firewall to block all
> non-localhost traffic on port 5701. The package UFW is a simple firewall,
> which can be easily installed and enabled as below:
>
> sudo apt-get install ufw (only if you have not installed this package
> previously)
> sudo ufw allow 22 (change this if need be to whatever port your ssh is
> listening on)
> sudo ufw allow 80
> sudo ufw allow 443
> sudo ufw enable
>
> Additionally, you should immediately upgrade your DHIS2 server software
> version to at least the following revisions.
>
> *Trunk: Revision 16603*
> *2.16: 16386*
>
> The core development team will communicate further on these issues, once we
> have had time to determine the extent of the problem, as well as to confirm
> a final fix. If you have any questions about this mail, please do not
> hesitate to ask!
>
> Best regards,
> Jason Pickering
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-devs
> Post to     : dhis2-devs@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~dhis2-devs
> More help   : https://help.launchpad.net/ListHelp
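The advisory above gives two things an administrator has to do by hand: check whether the Hazelcast REST endpoint on port 5701 answers at all, and confirm that the UFW rules leave 5701 closed to everything but localhost. The script below is an added example, not code from the thread or from the DHIS2 or Hazelcast projects; it wraps both checks so they can be repeated after a firewall change or upgrade. It assumes the port and path quoted in the advisory, the standard column layout of `ufw status` output, and uses placeholder host names; the ufw output in the test is constructed, not captured from a real server.

```python
"""Repeatable check for the DHIS2 / Hazelcast port 5701 exposure described in the
advisory. Added example; assumes the port and REST path from the advisory and the
usual `ufw status` column layout (To / Action / From)."""
import sys
import urllib.error
import urllib.request

HAZELCAST_PORT = 5701
HAZELCAST_PATH = "/hazelcast/rest/cluster/"   # endpoint quoted in the advisory
UFW_ACTIONS = {"ALLOW", "DENY", "REJECT", "LIMIT"}


def classify_response(status, body):
    """The advisory's rule: any HTTP answer from the cluster endpoint, whatever its
    content, means the Hazelcast REST API is reachable. Only a failed connection
    (status None) counts as not reachable."""
    if status is None:
        return "not reachable"
    return "exposed"


def probe(host, port=HAZELCAST_PORT, timeout=5):
    """Fetch the cluster endpoint on a server you administer and classify it.
    Run this from a machine outside the host, since the point is to see what a
    non-localhost client sees."""
    url = "http://%s:%d%s" % (host, port, HAZELCAST_PATH)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_response(err.code, "")   # a 4xx/5xx is still an answer
    except (urllib.error.URLError, OSError):
        return classify_response(None, "")


def mitigation_commands(ssh_port=22):
    """The ufw sequence from the advisory. Nothing here mentions 5701 explicitly:
    ufw's default policy of denying incoming traffic is what closes the port once
    the firewall is enabled, so an extra `ufw allow 5701` would undo the fix."""
    return [
        "sudo apt-get install ufw",
        "sudo ufw allow %d" % ssh_port,
        "sudo ufw allow 80",
        "sudo ufw allow 443",
        "sudo ufw enable",
    ]


def review_ufw_status(status_text):
    """Parse `ufw status` output. Returns (firewall_active, offending_rules) where
    offending_rules are ALLOW/LIMIT rules that open 5701 to any non-loopback source."""
    lines = status_text.splitlines()
    active = any(line.strip() == "Status: active" for line in lines)
    offending = []
    for line in lines:
        tokens = line.split()
        # locate the Action column; header and separator lines have no action token
        idx = next((i for i, t in enumerate(tokens) if t in UFW_ACTIONS), None)
        if idx is None or idx == 0:
            continue
        target_port = tokens[0].split("/")[0]          # "5701/tcp" -> "5701"
        source = " ".join(tokens[idx + 1:])            # e.g. "Anywhere", "127.0.0.1"
        local_only = source.startswith("127.0.0.1") or source.startswith("::1")
        if tokens[idx] in ("ALLOW", "LIMIT") and target_port == str(HAZELCAST_PORT) and not local_only:
            offending.append(line.strip())
    return active, offending


if __name__ == "__main__":
    # usage: python check_hazelcast.py <your-dhis2-host>
    host = sys.argv[1] if len(sys.argv) > 1 else "dhis2.example.invalid"  # placeholder host
    print("port %d from here: %s" % (HAZELCAST_PORT, probe(host)))
    print("mitigation:")
    for cmd in mitigation_commands():
        print("  " + cmd)
```

`review_ufw_status` is meant to be fed the output of `sudo ufw status` on the server itself; a result of `(True, [])` is the state the advisory asks for, while `(False, ...)` means the firewall was never enabled and `probe` from another host will still report "exposed".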