Bahmni Security Advice

Date: 05-10-2018

Severity: Critical

Exploit: The atomfeed-console API exposes the atomfeed-console user's database passwords for all Bahmni apps

Affected Bahmni versions: all Bahmni versions > 0.86

Do I need to do anything?

If you are not using atomfeed-console: NO. Check with the following commands from the command line.

If the above commands do not list anything, you do not need to do anything and may ignore the rest of this document. Otherwise, please read on.

Immediate mitigation:

  1. Stop the atomfeed-console service in production.
  2. Change all potentially-compromised passwords.

Recommendations :

Everyone running Bahmni with atomfeed-console (version >= 0.89, since only Bahmni release-0.89 onwards is supported by the Bahmni Product community) should immediately upgrade the atomfeed-console rpm to the latest released version, 1.1.1, which is available here.

Below are the steps to apply the patch fix.

  1. Take a backup of the /opt/atomfeed-console folder: cp -rf /opt/atomfeed-console /opt/atomfeedConsole.backup
  2. Install the latest atomfeed-console rpm.
  3. Replace the contents of /opt/atomfeed-console/etc with the contents of /opt/atomfeedConsole.backup/etc.
  4. Start the atomfeed-console service.
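
The four patch steps above as one script, added here as an example; it is not part of the advisory or of the Bahmni project. It assumes the service is managed with systemctl, that the rpm is installed with yum localinstall from the path given as the first argument, and that the install and backup directories can be overridden through CONSOLE_DIR and BACKUP_DIR.

```shell
#!/bin/sh
# Added example: the advisory's patch procedure with the checks a careful
# operator would add. Assumptions (not from the advisory): systemctl manages
# the service, yum installs the rpm, directories are overridable for testing.
set -eu

CONSOLE_DIR="${CONSOLE_DIR:-/opt/atomfeed-console}"
BACKUP_DIR="${BACKUP_DIR:-/opt/atomfeedConsole.backup}"

# Step 1: back up the whole install. Refuses to clobber an existing backup so a
# pre-upgrade copy of etc/ is never silently replaced by an already-patched one.
backup_console() {
    [ -d "$1" ] || { echo "no install at $1" >&2; return 1; }
    [ ! -e "$2" ] || { echo "backup $2 already exists, refusing to overwrite" >&2; return 1; }
    cp -rf "$1" "$2"
}

# Step 2: install the released rpm (path is an argument; the advisory links it).
install_rpm() {
    yum -y localinstall "$1"
}

# Step 3: put the site's own etc/ (application.yml and friends) back over the
# rpm's defaults. Checks the backup really contains etc/ before touching live.
restore_etc() {
    [ -d "$2/etc" ] || { echo "backup $2 has no etc/ directory" >&2; return 1; }
    rm -rf "$1/etc"
    cp -rf "$2/etc" "$1/etc"
}

patch_atomfeed_console() {
    rpm_file="$1"
    systemctl stop atomfeed-console     # immediate mitigation: service off while patching
    backup_console "$CONSOLE_DIR" "$BACKUP_DIR"
    install_rpm "$rpm_file"
    restore_etc "$CONSOLE_DIR" "$BACKUP_DIR"
    systemctl start atomfeed-console    # step 4: only once etc/ is back in place
}

# On a host: patch_atomfeed_console /path/to/atomfeed-console-1.1.1.rpm
```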

It is also recommended to change the atomfeed-console user's password for the mysql/openmrs database (not required for postgresql/clinlims, postgresql/openerp or postgresql/bahmni_pacs, since those use user-based login). The steps to do so are below.

  • Log in to mysql as the root user and use the openmrs database.
  • Update dbPassword to the new password for appName: OpenMRS in /opt/atomfeed-console/etc/application.yml.

Please communicate this information to all the implementations that you support.
