Update for CVE-2018-19276: 2019-02-04?


(Andrew W) #1

Hi All,

Following the alert that there’s a critical vulnerability in the REST Web Services module of OpenMRS, I was wondering whether there are any instructions for Bahmni admins to upgrade their deployments to patch the vulnerability?

Is it as simple as downloading a newer OMOD file from the OpenMRS add-ons page and installing it into OpenMRS? Will there be a new update for Bahmni and EndTB to patch this issue? If so, when should we expect the patch to be released?

Thanks so much!

(Angshuman Sarkar) #2

We are looking at the compatibility aspects. If APIs (external and internal) and dependencies (e.g. EMR API) are not affected, then yes - it's a matter of replacing the module. Request you to try this out (in a safe environment) as well, and please report (direct msg) to @angshuonline, @mksd, @binduak.

Also, for reporting any security vulnerability, please do not use the public forum; mail security[at the rate]bahmni[dot]org instead.

(Angshuman Sarkar) #3

As of now, with our testing, we have not come across any compatibility issues. Our https://demo-us.mybahmni.org site has been upgraded with version 2.24 of Webservices REST. Please consider updating the module. This would be particularly important for cloud-hosted instances of Bahmni.

(Alekhya Yalla) #4

We have upgraded Webservices REST to 2.24.0 in a few of our implementations having Bahmni core versions 0.89, 0.90, 0.92. We tested our implementations and haven’t come across any compatibility issues.