OpenMRS Critical Security Advisory
Dear Community,
Please be aware of the following critical security updates available for download from OpenMRS.
Severity: Critical
Exploit
- Authenticated users can leverage this vulnerability to execute arbitrary code on the server within the context of the Tomcat server process.
- Exploit code enabling this attack has been made publicly available.
Affected Versions
- HTML Form Entry Module: any version older than 3.11.0
- UI Framework Module: any version older than 3.19
- Attachment Module: any version older than 2.4.0
Recommendations
Anyone running the HTML Form Entry, UI Framework, or Attachment modules (included in the Reference Application) should immediately upgrade to the latest released versions of the modules, which are all available on their pages in the OpenMRS Add-Ons Directory. Tips for upgrading individual modules in the Reference Application can be found on the wiki.
This includes anyone running any version of the OpenMRS Reference Application, as well as anyone who has installed the above modules on top of an OpenMRS Platform release. OpenMRS Reference Application versions >=2.8.1 should support the updated modules. The latest RefApp v2.11.0 release includes these updated modules.
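As an added example (not part of this advisory or of any OpenMRS project code), the following script compares a module inventory against the fixed versions listed above and reports which installed modules still need the upgrade. The version thresholds are the ones stated in this advisory; the module ids (htmlformentry, uiframework, attachments) and the sample inventory are assumptions constructed for illustration, so confirm the ids against your own Manage Modules page before relying on the output.

```python
"""Added example: flag installed OpenMRS modules that are older than the
fixed versions named in the advisory. Module ids and the sample inventory
are constructed assumptions; the thresholds come from the advisory text."""
from typing import Dict, List, Tuple

# Fixed versions from the advisory: any older version is affected.
# Module ids are assumed; check them against your Manage Modules page.
FIXED_VERSIONS: Dict[str, str] = {
    "htmlformentry": "3.11.0",   # HTML Form Entry Module
    "uiframework": "3.19",       # UI Framework Module
    "attachments": "2.4.0",      # Attachment Module
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.19', '3.11.0' or '3.11.0-SNAPSHOT' into a comparable tuple.

    Numeric parts are padded to three components so '3.19' == '3.19.0'.
    A pre-release suffix (anything after '-') ranks the version just below
    the corresponding release, so '3.11.0-SNAPSHOT' is still treated as
    older than the fixed 3.11.0 release.
    """
    core, _, suffix = version.partition("-")
    parts: List[int] = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    parts.append(0 if suffix else 1)  # release flag: pre-release sorts lower
    return tuple(parts)


def is_affected(module_id: str, installed: str) -> bool:
    """True when the module is one of the three named above and is older than its fix."""
    fixed = FIXED_VERSIONS.get(module_id)
    if fixed is None:
        return False
    return parse_version(installed) < parse_version(fixed)


def find_affected(installed_modules: Dict[str, str]) -> List[str]:
    """Return the ids of installed modules that still need the upgrade, sorted."""
    return sorted(m for m, v in installed_modules.items() if is_affected(m, v))


if __name__ == "__main__":
    # Constructed sample inventory (module id -> installed version).
    sample = {
        "htmlformentry": "3.10.0",
        "uiframework": "3.19",
        "attachments": "2.3.1-SNAPSHOT",
        "referencemetadata": "2.9.0",
    }
    for module_id in find_affected(sample):
        print(f"{module_id}: installed {sample[module_id]}, "
              f"needs at least {FIXED_VERSIONS[module_id]}")
```

The pre-release handling is the point worth noting: a SNAPSHOT build carrying the fixed version number is not the fixed release, so the script reports it as affected rather than letting a naive string comparison clear it.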
Acknowledgements
We would like to thank Contrast Labs for their discovery of this vulnerability. Special thanks to @ibacher and our Software Security Leader @isears for their direct support in resolving the issues.
Questions
For questions, please directly contact security@openmrs.org and our OpenMRS Security Group will get back to you as soon as we can.