OpenMRS Critical Security Advisory
Please be aware of the following critical security updates available for download from OpenMRS.
- Authenticated users can leverage this vulnerability to execute arbitrary code on the server within the context of the Tomcat server process.
- The exploit code enabling this attack has been made publicly available.
- HTML Form Entry Module: any version older than 3.11.0
- UI Framework Module: any version older than 3.19
- Attachment Module: any version older than 2.4.0
Anyone running the HTML Form Entry, UI Framework, or Attachment modules (included in the Reference Application) should immediately upgrade to the latest released versions of the modules, which are all available on their pages in the OpenMRS Add-Ons Directory. Tips for upgrading individual modules in the Reference Application can be found on the OpenMRS wiki.
This includes anyone running any version of the OpenMRS Reference Application, as well as anyone who has installed the above modules on top of an OpenMRS Platform release. OpenMRS Reference Application versions >=2.8.1 should support the updated modules. The latest RefApp v2.11.0 release includes these updated modules.
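One way to check a server's module directory against the fixed versions listed above, as an added example that is not OpenMRS code. It assumes modules are stored as `<moduleid>-<version>.omod` files and that the module ids are `htmlformentry`, `uiframework` and `attachments`; the sample file names are constructed.

```python
import re
import sys
from pathlib import Path

# Fixed versions from the advisory; the module ids are assumed file-name prefixes.
FIXED = {"htmlformentry": (3, 11, 0), "uiframework": (3, 19, 0), "attachments": (2, 4, 0)}

# Assumed naming convention: <moduleid>-<version>[-qualifier].omod
OMOD_RE = re.compile(
    r"^(?P<id>[a-z0-9.]+)-(?P<ver>\d+(?:\.\d+)*)(?P<pre>-[A-Za-z0-9.]+)?\.omod$"
)

# Constructed sample listing, used when no directory is given.
SAMPLE = [
    "uiframework-3.9.omod",
    "legacyui-1.8.2.omod",
    "htmlformentry-3.11.0-SNAPSHOT.omod",
    "attachments-2.2.0.omod",
]


def parse_version(ver, width=3):
    """'3.9' -> (3, 9, 0). Numeric parts, so 3.9 sorts before 3.19."""
    parts = [int(p) for p in ver.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(filename):
    """True/False for a module named in the advisory, None for anything else."""
    m = OMOD_RE.match(filename)
    if not m or m["id"] not in FIXED:
        return None
    version, fixed = parse_version(m["ver"]), FIXED[m["id"]]
    # A qualified build of the fixed version (e.g. -SNAPSHOT) is treated as older.
    if version == fixed and m["pre"]:
        return True
    return version < fixed


def scan(names):
    """Sorted file names of modules older than the fixed versions."""
    return sorted(n for n in names if is_affected(n))


if __name__ == "__main__":
    # Usage: python check_omods.py /path/to/modules  (no argument: SAMPLE)
    names = [p.name for p in Path(sys.argv[1]).glob("*.omod")] if len(sys.argv) > 1 else SAMPLE
    for name in scan(names):
        print("UPGRADE:", name)
```

A plain string comparison would rank `3.9` above `3.19` and miss an outdated UI Framework module, which is why the versions are compared as integer tuples.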
For questions, please directly contact email@example.com and our OpenMRS Security Group will get back to you as soon as we can.