On March 12, 2020, we were notified by Bishop Fox about a slew of security vulnerabilities they found in LibreHealth EHR 2.0.0. A good number of these were high severity vulnerabilities that could potentially have led to the compromise of the entire server(s).
Internally, we discussed what the next action would be and decided on a plan as to how to get these fixed. Immediately after triaging, it was decided it was a good idea to spin down the demo server for LibreHealth EHR, and it remains in such a state until the fixes are finalized and confirmed to be fixed. We contracted the work of addressing these issues out to two of our former Outreachy interns, @maggie and @elizabeth, both of whom got going before the contract was even generated. This was greatly appreciated, as time was of the essence. Due to the pandemic, we were given a gracious 30-day extension to the industry standard of 90 days, to 120 days. The @lsc cannot begin to express our gratitude to these two ladies and to @KoniKodes, who has advocated for them from the beginning and is a huge asset to the community.
As of this writing, the fixes are almost finished, and we’ll cut a release soon and update Bishop Fox on the patch version. When a patch release is made, we strongly advise all users to update it to that version. In the meantime, please ensure that your system is not publicly accessible on the internet in any way.
You can read Bishop Fox’s full report about their findings below.