**Critical Security Advisory CVE-2018-19276: 2019-02-14**
Severity: Critical
Exploit: Insecure object deserialization allows Arbitrary Code Execution without needing to log in
IP restrictions on Webservices module do not prevent this attack.
What versions are affected?
All versions of OpenMRS with module webservices.rest < 2.24.0 are affected.
That would include:
- all versions of OpenMRS Platform 2.1.x < 2.1.4
- all versions of OpenMRS Platform 2.0.x < 2.0.8
- all versions of OpenMRS Platform 1.12.x < 1.12.1
- all versions of OpenMRS Reference Application 2.8.x < 2.8.1
- all versions of OpenMRS Reference Application 2.7.x < 2.7.2
- all versions of OpenMRS Reference Application 2.6.x < 2.6.2
While OpenMRS Platform versions 1.11.8 and 1.11.9 couldn’t be easily exploited, we strongly recommend treating them as vulnerable as well.
Recommendations
- Make sure your application is not vulnerable anymore:
  a. Update to version 2.24.0 of the webservices module: https://wiki.openmrs.org/display/docs/Administering+Modules
  b. Or upgrade the platform or Reference Application
- Check your logs for the following string:
  Failed to convert value of type 'java.util.HashMap' to required type 'org.openmrs.module.webservices.rest.SimpleObject
  This log entry only appears in the logs as a result of an exploitation attempt.
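The two checks above (module version below 2.24.0, and the marker string in the application log) can be automated. The script below is an added example written for this advisory, not OpenMRS project code; the log lines it scans are constructed samples in an OpenMRS-like format, and treating a `2.24.0-SNAPSHOT` pre-release build as still vulnerable is a conservative assumption made here, not a statement from the advisory.

```python
"""Check an OpenMRS deployment for the two CVE-2018-19276 indicators named in the advisory:
  1. the webservices.rest module version is older than the fixed release 2.24.0
  2. the application log contains the marker left behind by an exploitation attempt
"""
import re
import sys
from typing import Iterable, List, Tuple

# Fixed release of the webservices.rest module (from the advisory).
FIXED_MODULE_VERSION = (2, 24, 0)

# Exact substring named in the advisory; it is matched literally, never as a regex.
EXPLOIT_MARKER = (
    "Failed to convert value of type 'java.util.HashMap' "
    "to required type 'org.openmrs.module.webservices.rest.SimpleObject"
)

# Constructed sample log (not a real capture) in a log4j-style layout:
# LEVEL - origin |timestamp| message
SAMPLE_LOG = """\
INFO - Listener.contextInitialized(...) |2019-02-14 10:00:01,000| Starting OpenMRS
WARN - RestServiceImpl.handle(...) |2019-02-14 10:05:12,345| Failed to convert value of type 'java.util.HashMap' to required type 'org.openmrs.module.webservices.rest.SimpleObject'; nested exception is ...
INFO - RestServiceImpl.handle(...) |2019-02-14 10:06:00,000| GET /ws/rest/v1/session 200
"""


def parse_version(version: str) -> Tuple[Tuple[int, int, int], bool]:
    """Split '2.23.0' or '2.24.0-SNAPSHOT' into ((2, 23, 0), has_prerelease_qualifier).

    Missing minor/patch components are treated as 0, so '2.1' becomes (2, 1, 0).
    """
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?(-[0-9A-Za-z.]+)?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, qualifier = m.groups()
    numeric = (int(major), int(minor or 0), int(patch or 0))
    return numeric, qualifier is not None


def module_is_vulnerable(version: str) -> bool:
    """True when webservices.rest is older than 2.24.0.

    Assumption (ours, not the advisory's): a pre-release build such as
    '2.24.0-SNAPSHOT' may predate the fix, so it is reported as vulnerable.
    """
    numeric, prerelease = parse_version(version)
    if numeric < FIXED_MODULE_VERSION:
        return True
    return numeric == FIXED_MODULE_VERSION and prerelease


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, timestamp, line) for every line containing the marker.

    The timestamp is pulled from the '|...|' field when present, so hits can be
    correlated with access logs and other telemetry; it is '' otherwise.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        if EXPLOIT_MARKER in line:
            ts = re.search(r"\|([^|]+)\|", line)
            hits.append((n, ts.group(1).strip() if ts else "", line.rstrip("\n")))
    return hits


def main(argv: List[str]) -> int:
    """Usage: check_openmrs.py <webservices.rest version> [path to openmrs.log]"""
    if len(argv) < 2:
        print(main.__doc__)
        return 2
    status = 0
    if module_is_vulnerable(argv[1]):
        print(f"webservices.rest {argv[1]} is below 2.24.0: update the module")
        status = 1
    lines = open(argv[2], encoding="utf-8", errors="replace") if len(argv) > 2 else SAMPLE_LOG.splitlines()
    for n, ts, line in scan_log(lines):
        print(f"possible exploitation attempt at line {n} ({ts}): {line[:120]}")
        status = 1
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the module version and the path to the server log; with no log path it scans the built-in constructed sample. A non-zero exit status means either the module is below the fixed version or the marker was found, which makes the script usable from a cron job or a monitoring check.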
Acknowledgements:
We’d like to thank Bishop Fox, namely researcher Nicola Serra, for finding and reporting this vulnerability. And thanks to @isears for providing yet another security fix.