[FILM-Users 00669] FW: security vulnerability in OMERO - news
For anyone using the OMERO data system

From: Butcher, Sarah A
Sent: 03 August 2016 10:07
To: Magee, Tony
Subject: security vulnerability in OMERO - news

Dear Prof Magee

The OMERO team have just released details of a serious security issue with OMERO server as below:

http://www.openmicroscopy.org/site/products/omero/secvuln/2016-SV2-share

Improper Access Control Vulnerability. The OMERO.shares system bypasses intended security restrictions and grants elevated privileges to read otherwise-restricted data. A user can retrieve data belonging to users across all groups by using the API. The user must be able to authenticate remotely using the standard 4063 and 4064 ports and have exploit code to make use of the vulnerability.

There are several things we can do to mitigate this issue but all will affect some aspects of OMERO functionality for the medium term. We are only seeing about 12 logins a month on OMERO but there is quite a lot of data associated with it, including a number of 'shares' belonging to FILM. The security issue affects the share function and their patch scripts simply dump all active shares and stop new ones being created. All information regarding the current shares will be removed by the 'patch', and while we can keep a snapshot of the current version of the database as a record, direct merging of any shares information in that with new data accumulated subsequent to the patch, in a new version, will not be possible. This does not mean that images will be deleted, but it does mean that lists of people who can access specific 'shared' datasets will be lost, along with shared access. We currently have a number of shares in our OMERO deployment and FILM are associated with some of them - there is also a 'public' share but the OMERO code does not make it at all easy to see who may be using the public share. If we remove the 'shares' function by using the patch, it will not be re-instated until we move to a completely new version of OMERO.

I do not have a timeline for this at present as they have dropped support for the current Red Hat release and we will have to set up a completely new system in a new VM with a different OS on a different server, which will require extensive testing. We will do this, but not until later in the year when a number of other big infrastructure upgrades are further down the line.

In order to exploit the vulnerability a user has to access the named ports via the API. We have instigated a less draconian workaround that also protects against this vulnerability as follows:

We have disabled all access to the Java client - access is normal via the web interface. The vulnerable ports are now blocked. This combination stops the necessary access for the exploit.

I would like to send an update to users via the FILM mailing list later today but wanted to let you know the situation first. I have also informed Paul French as his group are heavy users. If the Java client is absolutely required, we will have to apply the patch which will remove all shares instead.

I am in today and tomorrow and I will be available to talk about this until Saturday, when I go on leave until the 22nd August. I am not sure who to send a message for the FILM list to at present?

Best wishes
Sarah

-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
Dr Sarah Butcher
Head, Bioinformatics Data Science Group (BDSG)
Please note new group name, department and location:
Room 129, Sir Alexander Fleming Building
Department of Surgery and Cancer
Faculty of Medicine
South Kensington Campus
Imperial College London SW7 2AZ
+44 (0)20 759 45734
http://www.imperial.ac.uk/bioinfsupport
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
participants (1)
- Rothery, Stephen M