IMPORTANT NOTICE : LOG4J Security Vulnerability

On the 11th December we became aware of a security vulnerability in the OpenVPMS application that could be exploited to gain access to the server OpenVPMS is running on.

This security vulnerability exists in Log4j, a library that is part of the OpenVPMS application and is responsible for logging messages in OpenVPMS. The vulnerability is called Log4Shell (https://www.abc.net.au/news/2021-12-11/log4shell-techs-race-to-fix-software-flaw/100692876).

OpenVPMS releases 2.2 and up use a version of this library that is affected by this security vulnerability.  OpenVPMS releases prior to this are not affected.

The latest release of OpenVPMS 2.3 (2.3.0.3) includes a fix to this vulnerability.

In prior versions, the vulnerability can be fixed by making a change to the startup options of the Apache Tomcat service used to run OpenVPMS, followed by restarting the service. The process for doing this on various operating systems is shown below.

For customers utilising Amazon AWS cloud hosted servers setup by OpenVPMS, or running our fully managed cloud hosted solution, we will work on the necessary changes over the next week. 

For anyone running their own on-premise server and OpenVPMS 2.2 or greater, it is important you get your local IT company to make the changes detailed below. If they need any assistance, please have them email us at support[at]openvpms[dot]com.

Windows:

As an administrator on the Windows server running OpenVPMS, run the Tomcat configuration utility. Depending on the version of Apache Tomcat installed, the utility can typically be found at one of these locations:

C:\Program Files\Apache Software Foundation\Tomcat 8.5\bin  (64 bit)

C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.5\bin (32 bit)

Once it is running, click the Java tab and add the following option in the Java Options area:

-Dlog4j2.formatMsgNoLookups=true

Click OK to save the changes.

Restart the Apache Tomcat service to make the changes take effect. This can be done using the Windows services application shown below.

Right-click the Apache Tomcat 8.5 Tomcat8 service and click Restart.

Please note that the OpenVPMS application will not be available during the restart so this is best done out of clinic hours. 

Linux:

The method for adding the Java configuration option varies depending on your version of Linux and Tomcat.

We suggest you contact the company that manages your OpenVPMS Linux server to make the appropriate changes but below are some of the more common options.

systemd:

Many Linux operating systems use systemd to manage services, including the Tomcat service.

The file /etc/systemd/system/tomcat.service needs to be edited so that the line setting the Java options includes the new Java option, for example:

Environment='JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true -Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'

Once the file is changed and saved, run the following commands to register the change and restart Tomcat.

systemctl daemon-reload
systemctl restart tomcat.service

Upstart:

Some older Linux operating systems use Upstart to manage services.

The file /etc/init/tomcat.conf needs to be edited so that the line setting the Java options includes the new Java option, for example:

env JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true -Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom"

Once the file is changed and saved, run the following commands to restart Tomcat.

service tomcat stop
service tomcat start

There may be variations of the file names and Apache Tomcat restart commands required depending on your specific installation.  
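The following POSIX shell script is an added example and not part of the OpenVPMS notice or its tooling: it makes the systemd or Upstart edit described above idempotently, skipping commented-out lines, and then lets you confirm after the restart that the live Tomcat JVM actually carries the option. It assumes the service file already contains a JAVA_OPTS line in one of the two forms shown above, and the caller supplies the file path.

```shell
#!/bin/sh
# Added example, not OpenVPMS tooling: idempotently add the Log4Shell
# mitigation flag to the JAVA_OPTS line of a Tomcat service file and
# verify that the running JVM picked it up after the restart.
NOLOOKUPS_OPT='-Dlog4j2.formatMsgNoLookups=true'

# has_nolookups FILE: succeeds if an uncommented JAVA_OPTS line in FILE
# already carries the option (systemd Environment='JAVA_OPTS=...' or
# Upstart env JAVA_OPTS="..." form).
has_nolookups() {
    grep -Eq "^[^#]*JAVA_OPTS=['\"]?[^'\"]*-Dlog4j2\.formatMsgNoLookups=true" "$1"
}

# add_nolookups FILE: insert the option at the front of JAVA_OPTS unless it
# is already there. Comment lines are skipped. The edit goes to FILE.new and
# is moved into place, so a failed sed never leaves a half-written unit file.
# Returns non-zero if FILE has no JAVA_OPTS line to extend (add one by hand).
add_nolookups() {
    file=$1
    if has_nolookups "$file"; then
        echo "already mitigated: $file"
        return 0
    fi
    sed -E \
        -e "/^[[:space:]]*#/!s/(JAVA_OPTS=['\"]?)/\1${NOLOOKUPS_OPT} /" \
        -e "s/${NOLOOKUPS_OPT} (['\"])/${NOLOOKUPS_OPT}\1/" \
        "$file" > "$file.new" && mv "$file.new" "$file"
    has_nolookups "$file"
}

# running_tomcat_has_nolookups: succeeds only if a live Tomcat JVM command
# line contains the option, i.e. the service really was restarted after the
# edit. Editing the file alone changes nothing until then.
running_tomcat_has_nolookups() {
    ps -eo args= | grep -E '[j]ava .*catalina' | grep -q -- "$NOLOOKUPS_OPT"
}
```

The property is only honoured by Log4j 2.10 and later, so seeing it on the live process does not replace checking which Log4j version the installation actually ships.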

Comments

Re: IMPORTANT NOTICE : LOG4J Security Vulnerability

Thanks for the clarification Tony! I came to the site tonight thinking of asking the situation about this vulnerability in the forum.

Kind regards,

Anthony (ActiVet)