Date: 05-10-2018
Severity: Critical
Exploit: The atomfeed-console API exposes the database passwords of the atomfeed-console user for all Bahmni apps
Affected Bahmni versions: all Bahmni versions > 0.86
Do I need to do anything?
If you are not using atomfeed-console: NO. Check using the following commands from the command line.
If the above commands do not list anything, you do not need to do anything and may ignore the rest of this document. Otherwise, please read on.
Immediate mitigation:
- Stop atomfeed-console service in production.
- Change all potentially-compromised passwords
Recommendations:
Everyone running Bahmni (version >= 0.89, since only Bahmni release-0.89 onwards is supported by the Bahmni Product community) with atomfeed-console should immediately upgrade the atomfeed-console rpm to the latest released version, 1.1.1, which is available here.
Below are the steps to apply the patch fix.
- Take a backup of the /opt/atomfeed-console folder: cp -rf /opt/atomfeed-console /opt/atomfeedConsole.backup
- Install the latest atomfeed-console rpm
- Replace the contents of /opt/atomfeed-console/etc with the contents of the /opt/atomfeedConsole.backup/etc folder
- Now start the atomfeed-console service
It is recommended to change the password of the atomfeed-console user for the mysql/openmrs database (not required for postgresql/clinlims, postgresql/openerp and postgresql/bahmni_pacs, since those use user-based login). The steps to do so are below.
- Login to mysql as the root user and use the openmrs database
- Update dbPassword to the new password for appName: OpenMRS in /opt/atomfeed-console/etc/application.yml as below
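The config-side half of that rotation, as an added example that is not part of this advisory or of the atomfeed-console project: it generates a fresh password from the OS CSPRNG, replaces dbPassword only in the application.yml entry whose appName matches, and rewrites the file atomically while preserving its mode. The sample config is constructed; the advisory names only the appName and dbPassword keys, so the apps list layout and the dbUrl key are assumptions, and the updater expects dbPassword to follow appName within the same list item.

```python
import os
import re
import secrets
import tempfile

# Constructed sample of the relevant part of application.yml. The "apps" list
# layout and the dbUrl key are assumptions; only appName and dbPassword are
# named in the advisory.
SAMPLE_CONFIG = """\
apps:
  - appName: OpenMRS
    dbUrl: jdbc:mysql://localhost:3306/openmrs   # assumed key
    dbPassword: old-secret
  - appName: OpenERP
    dbUrl: jdbc:postgresql://localhost:5432/openerp
    dbPassword: other-secret
"""

APP_RE = re.compile(r'^(\s*)-?\s*appName:\s*(\S+)\s*$')
ITEM_RE = re.compile(r'^(\s*)-\s')
PASS_RE = re.compile(r'^(\s*)dbPassword:.*$')


def generate_password(nbytes=24):
    """Random password from the OS CSPRNG. token_urlsafe only emits
    [A-Za-z0-9_-], so the value needs no quoting in YAML."""
    return secrets.token_urlsafe(nbytes)


def rotate_db_password(text, app_name, new_password):
    """Return a copy of the YAML text with dbPassword replaced in the list item
    whose appName equals app_name. Works line by line so comments and key
    order survive; raises ValueError unless exactly one line was changed."""
    lines = text.splitlines(keepends=True)
    item_indent = None  # indent of the target item's appName line
    replaced = 0
    for i, line in enumerate(lines):
        m = ITEM_RE.match(line)
        if m and item_indent is not None and len(m.group(1)) <= item_indent:
            item_indent = None  # a sibling list item started: target block is over
        m = APP_RE.match(line)
        if m:
            item_indent = len(m.group(1)) if m.group(2) == app_name else None
            continue
        m = PASS_RE.match(line)
        if item_indent is not None and m and len(m.group(1)) >= item_indent:
            lines[i] = f"{m.group(1)}dbPassword: {new_password}\n"
            replaced += 1
    if replaced != 1:
        raise ValueError(f"expected one dbPassword for {app_name}, changed {replaced}")
    return "".join(lines)


def rotate_in_file(path, app_name, new_password):
    """Rewrite the config in place: write to a temp file in the same directory,
    copy the original permission bits, then atomically replace, so a crash
    mid-write never leaves a truncated application.yml behind."""
    with open(path, encoding="utf-8") as f:
        updated = rotate_db_password(f.read(), app_name, new_password)
    mode = os.stat(path).st_mode & 0o777
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(updated)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return mode


def demo():
    """Run the rotation on a throwaway copy of SAMPLE_CONFIG and return the
    rewritten text together with the generated password."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "application.yml")
        with open(path, "w", encoding="utf-8") as f:
            f.write(SAMPLE_CONFIG)
        os.chmod(path, 0o600)  # a file holding DB credentials should be owner-only
        pw = generate_password()
        rotate_in_file(path, "OpenMRS", pw)
        with open(path, encoding="utf-8") as f:
            return f.read(), pw


if __name__ == "__main__":
    text, pw = demo()
    print(text)
```

The database-side change (setting the same new password for the atomfeed-console user in MySQL) is done separately in the mysql client as the advisory describes; the updater here only refuses to write if it cannot find exactly one matching dbPassword line, so a layout it does not understand leaves the file untouched rather than half-edited.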
Please communicate this information to all the implementations that you support.