Difference between revisions of "Critical Security Fix for OpenEMR setup.php"

From OpenEMR Project Wiki
 
Latest revision as of 18:05, 2 December 2017


Overview

In November 2017, two critical security vulnerabilities in the setup.php script were reported in OpenEMR 5.0.0; they were fixed in patch 5 and patch 6, respectively.
  • Details of the first vulnerability: Critical Security Fix for CVE-2017-16540 (NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2017-16540).
  • Details of the second vulnerability (the article also covers the first): https://www.helpnetsecurity.com/2017/11/29/openemr-flaw-medical-records-exposed/


Secure Your OpenEMR

In order to protect yourself from these vulnerabilities:
  • If using OpenEMR 5.0.0:
  1. Update to the most recent patch by following the instructions at OpenEMR Patches.
  2. Remove the setup.php file from the openemr web directory. setup.php is the installer and is not needed by a running system; if you need it again in the future, you can download it at setup.php.
  • If using OpenEMR 4.2.2 or lower:
  1. Remove the setup.php file from the openemr web directory.
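The checks and the removal step above, as an added shell example; this is not the OpenEMR project's own code. It assumes the install's version.php defines $v_realpatch as the patch number (as OpenEMR 5.0.0's version.php does), the web root and backup paths are hypothetical, and the version.php and setup.php it writes into a temporary directory are constructed stand-ins for a real install.

```shell
#!/bin/sh
# Added example, not OpenEMR project code. Assesses an OpenEMR web root against
# the two mitigations on this page (patch level, presence of setup.php) and
# moves setup.php out of the web root. Assumption: version.php contains a line
# like  $v_realpatch = '6';  giving the applied patch number.

# Print the patch number parsed from version.php; fail if it cannot be read.
openemr_realpatch() {
    webroot="$1"
    line=$(grep -E '^[[:space:]]*\$v_realpatch[[:space:]]*=' "$webroot/version.php" 2>/dev/null | head -n 1)
    [ -n "$line" ] || return 1
    patch=$(printf '%s' "$line" | sed 's/.*=//' | tr -cd '0-9')
    [ -n "$patch" ] || return 1
    printf '%s\n' "$patch"
}

# Succeed only when setup.php is no longer in the web root.
openemr_setup_removed() {
    [ ! -e "$1/setup.php" ]
}

# Print one word: removed (setup.php gone), patched (present but patch >= minimum),
# or vulnerable (present and patch below minimum or unknown); exit 1 for vulnerable.
openemr_setup_status() {
    webroot="$1"; minpatch="$2"
    if openemr_setup_removed "$webroot"; then
        echo removed; return 0
    fi
    patch=$(openemr_realpatch "$webroot" || echo 0)
    if [ "$patch" -ge "$minpatch" ]; then
        echo patched; return 0
    fi
    echo vulnerable; return 1
}

# Move setup.php to a backup directory that must lie outside the web root,
# so the file stays available for a future reinstall without being served.
quarantine_setup_php() {
    webroot="$1"; backupdir="$2"
    case "$backupdir" in
        "$webroot"|"$webroot"/*)
            echo "refusing: backup dir is inside the web root" >&2; return 1;;
    esac
    if [ ! -e "$webroot/setup.php" ]; then
        echo "setup.php already absent"; return 0
    fi
    mkdir -p "$backupdir" || return 1
    mv "$webroot/setup.php" "$backupdir/setup.php.$(date +%Y%m%d%H%M%S)" || return 1
    echo "moved setup.php to $backupdir"
}

# Optional live check from outside the host: print the HTTP status the server
# returns for /setup.php (anything but 200 after removal). Needs curl and the
# site's base URL, so it is defined here but not run in the demo below.
check_setup_url() {
    curl -s -o /dev/null -w '%{http_code}' "$1/setup.php"
}

# Demo on a constructed install in a temporary directory (hypothetical layout).
demo=$(mktemp -d)
mkdir -p "$demo/openemr"
cat > "$demo/openemr/version.php" <<'EOF'
<?php
$v_major = '5';
$v_minor = '0';
$v_patch = '0';
$v_realpatch = '4';
EOF
echo '<?php /* constructed placeholder for the installer */' > "$demo/openemr/setup.php"

openemr_setup_status "$demo/openemr" 6 || true   # patch 4 with setup.php present
quarantine_setup_php "$demo/openemr" "$demo/backup"
openemr_setup_status "$demo/openemr" 6           # setup.php now removed
rm -rf "$demo"
```

Point `quarantine_setup_php` at the real web root (for example `/var/www/html/openemr`, a hypothetical path) and a backup directory that the web server cannot serve; the function refuses a backup path under the web root because a moved-but-still-served installer fixes nothing. Run `check_setup_url https://your-host/openemr` afterwards from a second machine to confirm the installer no longer answers.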


OpenEMR Community Response

OpenEMR is an open source project and community that includes many professionals, volunteers, and physicians around the world. Security is taken very seriously: both of the above vulnerabilities were fixed, and the patches were announced, within several days of initial contact by the security firms. The OpenEMR community is proud of the OpenEMR product and of its very fast turnaround time to fix, release, and announce the security patches. There have been several negative articles and quotes by security firms that market their own security products or firms at the cost of OpenEMR. Rather than focus on the end goal, which is to give users a clear path to secure their OpenEMR systems, these articles have focused on blame along with doom and gloom so that their security firms can profit, and in the end they have made it less clear how OpenEMR users can secure their systems against these vulnerabilities. A fair article by a journalist that sticks to the facts rather than sensationalism, discusses the vulnerabilities, and gives OpenEMR users a clear route to secure their systems can be found here: https://www.helpnetsecurity.com/2017/11/29/openemr-flaw-medical-records-exposed/