Thanks JP for the feedback. If you are using dhis2-tools you can upgrade to the latest stable when you get the chance with:

dhis2-deploy-war <your instance name>

But it's always good to have ufw enabled anyway to provide some strength in depth and protect against mistakes, misconfigurations etc.

On 2 September 2014 09:48, J. Paul Mutali <mut...@gmail.com> wrote:
> My testing environment was vulnerable to this and I confirm UFW temporarily
> solved the issue. I'm running 2.16
>
> regards
>
> JPaul Mutali
>
>
> On Mon, Sep 1, 2014 at 5:46 PM, Jason Pickering <
> jason.p.picker...@gmail.com> wrote:
>
>> A potentially serious vulnerability of DHIS2 has been discovered by
>> members of the core development team this afternoon (2014-09-01).
>> The development team is working on a permanent solution for this, but in
>> the meantime, all users of DHIS2 are advised to review their system for
>> potential vulnerabilities.
>>
>> *Potentially affected versions:*
>> All versions of DHIS2 2.16 and any version of trunk, from revision 15124
>> and up.
>>
>> *Vulnerability Details:*
>> Hazelcast is a component of DHIS2 used to provide caching. By default,
>> Hazelcast will open a port (5701) on the machine which is running DHIS2.
>> The Hazelcast cluster may be vulnerable to attack. The Hazelcast cluster
>> API may expose critical information about the system, including network
>> information and other runtime data. It is not currently known to what
>> extent the information contained inside of DHIS2 might be exposed through
>> this vulnerability.
>>
>> *Risk:*
>> When running DHIS2 on a network that's directly attached to the Internet
>> or other unsecured network, an attacker may access and inject critical
>> information into the Hazelcast component. The exposed API could be used to
>> influence system availability by injecting arbitrary into the DHIS2
>> caching system.
>>
>> *Steps to confirm if your server is vulnerable:*
>>
>> Replace "server" with your IP address or the name of your server and
>> attempt to access the resulting address through your web browser
>>
>> http://server:5701/hazelcast/rest/cluster/
>>
>> Affected versions of DHIS2 will show something like the response below.
>>
>> Members [1] {
>> Member [XXX.XXX.XXX.XX]:5701 this
>> }
>>
>> ConnectionCount: 4
>> AllConnectionCount: 5
>>
>> If you see any response, even different from this one, your DHIS2 server
>> is vulnerable, and should be upgraded immediately.
>>
>> *Mitigation:*
>>
>> If you are running DHIS 2.15 or lower, do not upgrade at this point,
>> until advised otherwise. Further testing of the solution will need to be
>> confirmed.
>>
>> If you are running DHIS2 version 2.16 or higher, or any version of trunk
>> past revision 15124, or any branch of trunk including revision 15124 and
>> up, you should immediately use a software based firewall to block all
>> non-localhost traffic on port 5701. The package UFW is a simple firewall,
>> which can be easily installed and enabled as below
>>
>> sudo apt-get install ufw (only if you have not installed this package
>> previously)
>> sudo ufw allow 22 (change this if need be to whatever port your ssh is
>> listening on)
>> sudo ufw allow 80
>> sudo ufw allow 443
>> sudo ufw enable
>>
>> Additionally, you should immediately upgrade your DHIS2 server software
>> version to at least the following revisions.
>>
>> *Trunk: Revision 16603*
>> *2.16: 16386*
>>
>> The core development team will communicate further on these issues, once
>> we have had time to determine the extent of the problem, as well as to
>> confirm a final fix. If you have any questions about this mail, please do
>> not hesitate to ask!
>>
>> Best regards,
>> Jason Pickering
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~dhis2-devs
>> Post to : dhis2-d...@lists.launchpad.net
>> Unsubscribe : https://launchpad.net/~dhis2-devs
>> More help : https://help.launchpad.net/ListHelp
>
_______________________________________________ Mailing list: https://launchpad.net/~dhis2-users Post to : dhis2-users@lists.launchpad.net Unsubscribe : https://launchpad.net/~dhis2-users More help : https://help.launchpad.net/ListHelp
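A scripted form of the two checks the advisory above describes (whether the Hazelcast REST endpoint on 5701 answers, and whether the port is bound beyond loopback on the server itself), added here as an example and not code from the thread or from the DHIS2 project. The sample response, the `ss -ltn` text and the 192.0.2.10 address are constructed.

```python
import re
import urllib.request

HAZELCAST_PORT = 5701
CLUSTER_PATH = "/hazelcast/rest/cluster/"

# Constructed sample, modelled on the response quoted in the advisory.
SAMPLE_RESPONSE = "Members [1] {\n\tMember [192.0.2.10]:5701 this\n}\n\n" \
                  "ConnectionCount: 4\nAllConnectionCount: 5\n"

# Constructed `ss -ltn` output: Postgres on loopback only, Hazelcast and Tomcat on all interfaces.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:5432      *:*
LISTEN 0      128    *:5701              *:*
LISTEN 0      100    *:8080              *:*
"""

def parse_cluster_response(body):
    """Pull member addresses and the connection counters out of the cluster text."""
    members = [(h, int(p)) for h, p in re.findall(r"Member \[([^\]]+)\]:(\d+)", body)]
    counts = {k: int(v) for k, v in re.findall(r"(\w*ConnectionCount): (\d+)", body)}
    return dict(members=members, **counts)

def classify(reachable, body):
    """Per the advisory, any answer at all on 5701 means the REST API is exposed."""
    if not reachable:
        return "not-exposed"
    return "exposed-hazelcast" if "Members [" in body else "exposed-unknown"

def listener_exposed(ss_output, port=HAZELCAST_PORT):
    """True if `ss -ltn` shows the port bound to anything other than loopback."""
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, p = fields[3].rpartition(":")  # handles "[::1]:5701" and "*:5701"
        if p == str(port) and addr not in ("127.0.0.1", "[::1]", "::1"):
            return True
    return False

def check_server(host, timeout=3.0):
    """Live self-check of your own instance, mirroring the browser test in the advisory."""
    url = "http://%s:%d%s" % (host, HAZELCAST_PORT, CLUSTER_PATH)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except OSError:  # URLError and timeouts are OSError subclasses
        return classify(False, ""), {}
    return classify(True, body), parse_cluster_response(body)
```

Run `check_server("your-host")` from outside the firewall against your own instance; after the ufw rules from the advisory are in place it should report `not-exposed`. `listener_exposed` takes the text of `ss -ltn` run on the server and tells you whether Hazelcast is listening beyond localhost regardless of the firewall.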