Critical Security Advisory: 2020-12-15

OpenMRS Critical Security Advisory

Dear Community,

Please be aware of the following critical security updates available for download from OpenMRS.

Severity: Critical

Exploit

  • Authenticated users can leverage this vulnerability to execute arbitrary code on the server within the context of the Tomcat server process.
  • The exploit code enabling this attack has been made publicly available.

Affected Versions

Recommendations

Anyone running the HTML Form Entry, UI Framework, or Attachment modules (included in the Reference Application) should immediately upgrade to the latest released versions of the modules, which are all available in their pages on the OpenMRS Add-Ons Directory here. Tips for upgrading individual modules in the Reference Application can be found on the wiki here.

This includes anyone running any version of the OpenMRS Reference Application, as well as anyone who has installed the above modules on top of an OpenMRS Platform release. OpenMRS Reference Application versions >=2.8.1 should support the updated modules. The latest RefApp v2.11.0 release includes these updated modules.

Acknowledgements

We would like to thank Contrast Labs for their discovery of this vulnerability. Special thanks to @ibacher and our Software Security Leader @isears for their direct support in resolving the issues.

Questions

For questions, please directly contact security@openmrs.org and our OpenMRS Security Group will get back to you as soon as we can.
