Critical Security Advisory CVE-2018-19276: 2019-02-04


(Cynthia Antwi) #1

**Critical Security Advisory CVE-2018-19276: 2019-02-14**

Severity: Critical

Exploit: Insecure object deserialization allows Arbitrary Code Execution without needing to log in

IP restrictions on Webservices module do not prevent this attack.

What versions are affected?

All versions of OpenMRS with module webservices.rest < 2.24.0 are affected.

That would include:

  • all versions of OpenMRS Platform 2.1.x < 2.1.4
  • all versions of OpenMRS Platform 2.0.x < 2.0.8
  • all versions of OpenMRS Platform 1.12.x < 1.12.1
  • all versions of OpenMRS Reference Application 2.8.x < 2.8.1
  • all versions of OpenMRS Reference Application 2.7.x < 2.7.2
  • all versions of OpenMRS Reference Application 2.6.x < 2.6.2

While OpenMRS Platform versions 1.11.8 and 1.11.9 couldn’t be easily exploited, we strongly recommend treating them as vulnerable as well.

Recommendations

  1. Make sure your application is not vulnerable anymore:
     a. Update to version 2.24.0 of the webservices module: https://wiki.openmrs.org/display/docs/Administering+Modules
     b. Or upgrade the platform or reference application.
  2. Search your logs for the following string: Failed to convert value of type 'java.util.HashMap' to required type 'org.openmrs.module.webservices.rest.SimpleObject This log entry would only appear in the logs as a result of an exploitation attempt.

Acknowledgements:

We’d like to thank Bishop Fox, namely researcher Nicola Serra, for finding and reporting this vulnerability. And thanks to @isears for providing yet another security fix.
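As an added example that is not part of the advisory or the OpenMRS project, the following Python script covers both recommendations above on the defender's side: it decides whether an installed webservices.rest module version predates the 2.24.0 fix, and it scans log lines for the indicator string quoted in the advisory. The sample log lines and their log4j-like layout are constructed for the example; the helper names (`split_version`, `webservices_rest_is_affected`, `find_exploit_attempts`) are this example's own.

```python
import re

# Indicator string quoted in the advisory. The advisory states that it appears
# in the logs only as a result of an exploitation attempt.
INDICATOR = (
    "Failed to convert value of type 'java.util.HashMap' to required type "
    "'org.openmrs.module.webservices.rest.SimpleObject"
)

# webservices.rest versions older than this are affected, per the advisory.
FIXED_VERSION = (2, 24, 0)


def split_version(version):
    """Split a module version string into (numeric core, qualifier).

    '2.24.0-SNAPSHOT' -> ((2, 24, 0), 'SNAPSHOT'); '2.24' -> ((2, 24, 0), '').
    The numeric core is padded to three components so '2.24' compares like
    '2.24.0'. The qualifier is returned separately so the caller can decide
    how to treat pre-release builds.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)[-.]?(.*?)\s*$", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts), m.group(2)


def webservices_rest_is_affected(version):
    """True when the installed webservices.rest module predates the 2.24.0 fix.

    A pre-release build of 2.24.0 itself (e.g. '2.24.0-SNAPSHOT') may or may
    not contain the fix, so it is conservatively reported as affected.
    """
    core, qualifier = split_version(version)
    if core < FIXED_VERSION:
        return True
    return core == FIXED_VERSION and qualifier != ""


def find_exploit_attempts(log_lines):
    """Return (line_number, line) pairs for every log line that carries the
    advisory's indicator string. Line numbers are 1-based."""
    return [
        (n, line)
        for n, line in enumerate(log_lines, start=1)
        if INDICATOR in line
    ]


# Constructed sample log lines (not captured from a real OpenMRS instance).
# Only the third line carries the advisory's indicator string.
SAMPLE_LOG = [
    "2019-02-05 09:00:01,000 INFO  [main] OpenMRS started",
    "2019-02-05 09:12:44,120 INFO  [http-nio-8080-exec-1] GET /openmrs/ws/rest/v1/session",
    "2019-02-05 09:13:02,517 WARN  [http-nio-8080-exec-3] Failed to convert value of type "
    "'java.util.HashMap' to required type "
    "'org.openmrs.module.webservices.rest.SimpleObject'; nested exception is "
    "java.lang.IllegalStateException",
    "2019-02-05 09:14:10,003 INFO  [http-nio-8080-exec-2] GET /openmrs/ws/rest/v1/patient?q=smith",
]


if __name__ == "__main__":
    for v in ("2.23.0", "2.24.0", "2.24.0-SNAPSHOT", "2.24.1"):
        state = "AFFECTED" if webservices_rest_is_affected(v) else "fixed"
        print(f"webservices.rest {v}: {state}")
    for n, line in find_exploit_attempts(SAMPLE_LOG):
        print(f"possible exploitation attempt at log line {n}: {line}")
```

On a real deployment, pass the lines of the OpenMRS or Tomcat log file to `find_exploit_attempts` instead of `SAMPLE_LOG`, and feed the webservices.rest version shown on the module administration page (linked in recommendation 1a) to `webservices_rest_is_affected`. A hit from the log scan is, per the advisory, an exploitation attempt and warrants incident handling, not just the upgrade.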


(Andrew Kanter) #2

Thanks for jumping all over this (and spamming my twitter feed with all the communication about the vulnerability). I think we need to make this a clearer communication from OpenMRS regarding the detection part, and what is required for those using older versions of the platform? Do they get a patched version or do they have to upgrade (which is likely to not be feasible, particularly on short notice)? @burke


(system) closed #3

This topic was automatically closed after 60 minutes. New replies are no longer allowed.