OpenMRS Security Advisories: 2015-11-30

We’ve released new versions of OpenMRS Platform 1.11.x, the Serialization.Xstream module, and the Metadata Sharing module to address the security issues below:

| Affected | Severity | Exploit |
| --- | --- | --- |
| OpenMRS Core | Major | Remote Code Execution by an authenticated user |
| Serialization.Xstream module | Major | Remote Code Execution by an authenticated user |
| Metadata Sharing module | Major | Remote Code Execution by an authenticated user |

## Who is affected?

  • Anyone running OpenMRS Platform (1.9.0 and later)

  • Anyone running OpenMRS Reference Application 2.0, 2.1, 2.2, 2.3

  • Anyone that has installed the serialization.xstream module except for the newly released 0.2.10 version.

  • Anyone that has installed the metadatasharing module except for the newly released 1.1.10 version.

## Recommendations

Anyone running the OpenMRS Platform (1.9.0 and later) should upgrade to the latest releases of the platform, which are 1.11.5, 1.10.3 and 1.9.10; of course, one would have to get a version that is at least higher than what they’re currently running. If you are also running the serialization.xstream or metadatasharing modules, you should upgrade to the latest version (0.2.10 for serialization.xstream; 1.1.10 for metadatasharing). Note that because of a bug in modules.openmrs.org, the latest version of these modules is not at the top of the list, and the Download link on the top right is incorrect. Please carefully find the version numbers mentioned here.

Anyone running any version of the Reference Application released so far (2.0-2.3) needs to either upgrade to the 2.3.1 (or later) version of the reference application, or else do the following:

  • Replace the platform war file with one of the latest releases of the platform war file (1.11.5, 1.10.3 or 1.9.10) that is at least higher than what they are currently running.

  • Install the following versions of the modules below:

We urge you to make the recommended changes as soon as possible.

A huge thanks to Brian D. Hysell and Gjoko Krstic, who discovered and reported these issues. We also can’t forget to thank all the OpenMRS developers that have helped us in addressing these issues.

5 Likes

This announcement was inadvertently sent out in draft form. Please re-read the edited version (there is no Critical-severity vulnerability being announced).

All the module versions mentioned in this security announcement are released and available to download on the OpenMRS Module Repository (but note that because of a bug you have to be careful to get the right version of the metadatasharing and serialization.xstream modules).

However the updated versions of the OpenMRS Platform mentioned in this advisory are not yet released. We are actively working on this, and @wyclif will comment again when these are available to download.

Our apologies for any confusion, and thanks for your patience.

2 Likes

The latest minor releases have been uploaded to SourceForge; you can download them at 1.11.5, 1.10.3 and 1.9.10. Thank you for your patience.

4 Likes

The link to OpenMRS 2.3.1 has been updated, and the new zip file for the Reference Application 2.3.2 modules is ready for download here.

2 Likes

The standalone zip files for the platform are now ready for download.

The release notes are available at:

  • Platform Release Notes 1.11.5

  • Platform Release Notes 1.10.3

  • Platform Release Notes 1.9.10

  • Reference Application 2.3.1