Hi all, a critical vulnerability has been detected in one of the software libraries used by DHIS 2. This vulnerability allows an attacker to run remote commands on the server as the user running Tomcat/DHIS 2.
We have patched all DHIS 2 versions from 2.21 to 2.26 / master. You can find new WAR file builds here: https://www.dhis2.org/downloads

We strongly recommend that all DHIS 2 server admins *upgrade immediately* to a patched version.

Keep in mind that your server might already be compromised. You should therefore look for suspicious activity on the server (bandwidth usage, tmp folders, etc). If you run Tomcat as a user with sudo privileges (not recommended), this means that your server might be fully compromised. To be on the absolute safe side it might be necessary to do a full wipe and re-install of your server environment.

More info on the exploit:

- https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/
- http://www.javaworld.com/article/3179215/security/hackers-exploit-apache-struts-vulnerability-to-compromise-corporate-web-servers.html#tk.rss_all

We are sorry about this. The vulnerable library is the Struts2 web framework, which we are in the process of writing out of the system.

regards,

Lars

--
Lars Helge Øverland
Lead developer, DHIS 2
University of Oslo
Skype: larshelgeoverland
l...@dhis2.org
http://www.dhis2.org
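The checks recommended above (which user Tomcat runs as, whether that user has admin rights, recently changed files in tmp folders) as a small triage script. This is an added example, not part of the announcement or of DHIS 2 itself; it assumes Tomcat is visible in the process list via its org.apache.catalina.startup.Bootstrap main class, that sudo/wheel are the admin groups on the host, and that Tomcat's temp dir is $CATALINA_TMPDIR or /tmp.

```shell
#!/bin/sh
# Post-advisory triage helper (added example; assumptions noted in comments).

# Print the user the Tomcat process runs as, or "unknown" if not running.
tomcat_user() {
    # Assumes Tomcat is started through the Bootstrap main class.
    pid=$(pgrep -f 'org.apache.catalina.startup.Bootstrap' 2>/dev/null | head -n 1)
    if [ -n "$pid" ]; then ps -o user= -p "$pid" | tr -d ' '; else echo unknown; fi
}

# Return 0 if USER is in an admin group (sudo or wheel), 1 otherwise.
# Heuristic only: it does not parse /etc/sudoers.
user_in_admin_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qxE 'sudo|wheel'
}

# List regular files under DIR modified within the last DAYS days.
recent_files() {
    find "$1" -xdev -type f -mtime "-$2" 2>/dev/null | sort
}

# Number of such files, as a bare integer on stdout.
recent_file_count() {
    recent_files "$1" "$2" | wc -l | tr -d ' '
}

# Full report: Tomcat user, admin-group warning, tmp folder activity, cron entries.
triage_report() {
    u=$(tomcat_user)
    echo "Tomcat runs as: $u"
    if [ "$u" != "unknown" ] && user_in_admin_group "$u"; then
        echo "WARNING: $u is in an admin group; treat the host as fully compromised if exploited"
    fi
    for d in /tmp /var/tmp "${CATALINA_TMPDIR:-/tmp}"; do
        echo "== files modified in $d in the last 7 days ($(recent_file_count "$d" 7)) =="
        recent_files "$d" 7
    done
    echo "== crontab for $u =="
    crontab -l -u "$u" 2>/dev/null || echo "(none or not permitted)"
}

# Run the report only when invoked as: sh triage.sh run
case "${1:-}" in run) triage_report ;; esac
```

Review the listed files by hand; a fresh script or binary in a tmp folder owned by the Tomcat user is the kind of finding that should trigger the wipe-and-reinstall decision described above.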
Mailing list: https://launchpad.net/~dhis2-devs