For anyone using the OMERO data system
From: Butcher, Sarah A
Sent: 03 August 2016 10:07
To: Magee, Tony
Subject: security vulnerability in OMERO - news
Dear Prof Magee
The OMERO team have just released details of a serious security issue with OMERO server as below:
http://www.openmicroscopy.org/site/products/omero/secvuln/2016-SV2-share
Improper Access Control Vulnerability.
The OMERO.shares system bypasses intended security restrictions and grants elevated privileges to read otherwise-restricted data.
A user can retrieve data belonging to users across all groups by using the API. The user must be able to authenticate remotely using the standard 4063 and 4064 ports and have exploit code to make use of the vulnerability.
There are several things we can do to mitigate this issue but all will affect some aspects of OMERO functionality for the medium term. We are only seeing about 12 logins a month on OMERO but there is quite a lot of data associated with it, including a number of ‘shares’ belonging to FILM.
The security issue affects the share function and their patch scripts simply dump all active shares and stop new ones being created. All information regarding the current shares will be removed by the ‘patch’, and while we can keep a snapshot of the current version of the database as a record, direct merging of any shares information in that with new data accumulated subsequent to the patch, in a new version, will not be possible. This does not mean that images will be deleted, but it does mean that lists of people who can access specific ‘shared’ datasets will be lost, along with shared access.
We currently have a number of shares in our OMERO deployment and FILM are associated with some of them – there is also a ‘public’ share but the OMERO code does not make it at all easy to see who may be using the public share. If we remove the ‘shares’ function by using the patch, it will not be re-instated until we move to a completely new version of OMERO. I do not have a timeline for this at present as they have dropped support for the current Red Hat release and we will have to set up a completely new system in a new VM with a different OS on a different server, which will require extensive testing. We will do this, but not until later in the year when a number of other big infrastructure upgrades are further down the line.
In order to exploit the vulnerability a user has to access the named ports via the API. We have instigated a less draconian workaround that also protects against this vulnerability as follows:
We have disabled all access to the Java client – access is normal via the web interface. The vulnerable ports are now blocked. This combination stops the necessary access for the exploit. I would like to send an update to users via the FILM mailing list later today but wanted to let you know the situation first. I have also informed Paul French as his group are heavy users.
If the Java client is absolutely required, we will have to apply the patch which will remove all shares instead.
I am in today and tomorrow and I will be available to talk about this until Saturday, when I go on leave until the 22nd August. I am not sure who to send a message for the FILM list to at present?
Best wishes
Sarah
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
Dr Sarah Butcher
Head, Bioinformatics Data Science Group (BDSG)
Please note new group name, department and location:
Room 129, Sir Alexander Fleming Building
Department of Surgery and Cancer
Faculty of Medicine
South Kensington Campus
Imperial College London SW72AZ
+44 (0)20 759 45734
www.imperial.ac.uk/bioinfsupport
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
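The workaround described in the message above (block the OMERO API ports 4063 and 4064 at the network edge while leaving the web interface reachable) is only as good as its ongoing enforcement. The following is an added example, not part of the email and not OMERO project code: a small audit script an administrator can run from outside the server's network to confirm that both API ports are unreachable and that the web interface still answers, so that an over-broad firewall rule locking out ordinary web users is caught as well. The host name `omero.example.org` and the assumption that the web interface is served on port 443 are placeholders for illustration.

```python
"""Audit the OMERO port-blocking workaround from a remote vantage point.

Added example; assumptions: API ports 4063/4064 (named in the advisory),
web interface on TCP 443, and a placeholder host name.
"""
import socket
import sys
from typing import Callable, Dict, List

# Ports named in the advisory: the OMERO server API (Ice) ports that the
# Java client and any exploit code would have to reach.
OMERO_API_PORTS = {4063: "OMERO API (plain)", 4064: "OMERO API (SSL)"}
WEB_PORT = 443  # assumption: OMERO.web is served over HTTPS


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port succeeds.

    A refused connection, a timeout (typical of a DROP rule) and a DNS
    failure all count as 'not reachable'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_mitigation(
    host: str,
    probe: Callable[[str, int], bool] = tcp_probe,
    api_ports: Dict[int, str] = OMERO_API_PORTS,
    web_port: int = WEB_PORT,
) -> Dict[str, object]:
    """Probe the API ports and the web port and return a verdict.

    The mitigation holds only when every API port is unreachable AND the
    web interface is still reachable; a blocked web port would mean the
    firewall change went further than intended.  `probe` is injectable so
    the logic can be exercised without network access.
    """
    api_state = {port: probe(host, port) for port in api_ports}
    web_reachable = probe(host, web_port)
    exposed: List[int] = [p for p, reachable in api_state.items() if reachable]
    return {
        "api_ports_reachable": api_state,
        "web_reachable": web_reachable,
        "exposed_api_ports": exposed,
        "mitigation_holds": (not exposed) and web_reachable,
    }


def format_report(host: str, result: Dict[str, object]) -> str:
    """Render the audit result as a short human-readable report."""
    lines = [f"OMERO port audit for {host}"]
    for port, reachable in result["api_ports_reachable"].items():  # type: ignore[union-attr]
        state = "REACHABLE (exposed!)" if reachable else "blocked"
        lines.append(f"  {port} {OMERO_API_PORTS[port]}: {state}")
    web = "reachable" if result["web_reachable"] else "UNREACHABLE (users locked out?)"
    lines.append(f"  {WEB_PORT} web interface: {web}")
    verdict = "OK" if result["mitigation_holds"] else "ACTION REQUIRED"
    lines.append(f"Verdict: {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Placeholder host; pass the real OMERO host name as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "omero.example.org"
    report = audit_mitigation(target)
    print(format_report(target, report))
    sys.exit(0 if report["mitigation_holds"] else 1)
```

Run it from a machine outside the protected network segment (the block is meant to stop remote clients, so probing from the server itself would say nothing useful), and schedule it so that a later firewall change that silently reopens 4063 or 4064 is noticed before the Java client is needed again.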