Bishop Fox Security Advisory related to LibreHealth EHR version 2.0.0

On March 12, 2020, we were notified by Bishop Fox about a slew of security vulnerabilities they found in LibreHealth EHR 2.0.0. A good number of these were high-severity vulnerabilities that could potentially have led to the compromise of the entire server(s).

Internally, we discussed what the next action would be and decided on a plan as to how to get these fixed. Immediately after triaging, it was decided it was a good idea to spin down the demo server for LibreHealth EHR, and it remains in such a state until the fixes are finalized and confirmed to be fixed. We contracted the work of addressing these issues out to two of our former Outreachy interns, @maggie and @elizabeth, both of whom got going before the contract was even generated. This was greatly appreciated, as time was of the essence. Due to the pandemic, we were given a gracious 30-day extension to the industry standard of 90 days, to 120 days. The @lsc cannot begin to express our gratitude to these two ladies and to @KoniKodes, who has advocated for them from the beginning and is a huge asset to the community.

As of this writing, the fixes are almost finished, and we'll cut a release soon and update Bishop Fox on the patch version. When a patch release is made, we strongly advise all users to update to that version. In the meantime, please ensure that your system is not publicly accessible on the internet in any way.

We would like to thank Chris Davis and Bishop Fox for being accommodating and communicating these to us.

You can read Bishop Fox’s full report about their findings below.

@r0bby Thanks. This is obviously very important.


Thank you @r0bby

@elizabeth and @maggie have been great at working on this project and keeping us in the loop regarding their updates and pull requests. I am so proud of both of them.


@r0bby @sunbiz

Do we have a date for when the demo might be available? There is a high school competition org (HOSA) that would like to use the demo for competitions. That also raises the question of whether the demo can be used by a group. I know that others (Fatima) are looking for an operational EHR.


Hey Dr. Hoyt,

Hope you are still healthy and remain untouched by this nasty virus going around.

The fixes need to be completed and validated before I’m comfortable putting it back online.

Once this is done, then I will put it back up, but I cannot put it back online right now as I’d like to be able to sleep. I did the coordination of the fixes and acted as the LibreHealth point of contact, but reached the limit of what I can do unfortunately.


@r0bby

I understand the issue, but wondered if we had a timeline for completion so we can tell people when they can expect access.


The ladies are prepping their final report, so soon =)

I'll make an announcement when it's back up. Shouldn't be more than a month or so, if even that.

@r0bby @fmerchant

FYI, Dr. Fatima Merchant has asked me to lecture on EHRs to her students on September 22nd. It would be great if we had the demo up and running so I could do a live demonstration.

Should be back up by then. Fixes are complete, just waiting for end to end validation.

@r0bby @KoniKodes @sunbiz

With no LibreHealth demo, I had to use OpenEMR today to lecture at the University of Houston.

I think @sunbiz was going to throw up an instance behind a VPN for you… not sure what's up. I'd like to get our demo back up ASAP but need all the fixes merged; I'm not a PHP expert. But @muarachmann is doing some great work on finishing up @pri2si17's prior GSoC work on migrating to Laravel, which will eliminate a lot of the issues. I'm waiting for those to be merged; I don't want to run the demo with vulnerabilities.

Hey @muarachmann, would it be possible to review the remaining PRs for the fixes? If not, it’s okay, just let me know. I’d like to get the ladies paid :smile: .


@r0bby @tony @sunbiz

I would like to resign my position on the Committee based on many external demands and the fact that the demo EHR does not seem to be going anywhere. My best wishes to everyone in 2021.

Sorry about the demo; I've been waiting on @muarachmann, as I'm not experienced enough to review the codebase. I did my best to coordinate things and acted as the point of contact between us and Bishop Fox. This is taking longer than I wanted it to, but we're in the middle of a pandemic, so things are different now.

I have had a lot on my plate for the past few months. I will schedule a Zoom with the ladies and get this done ASAP.

No problem, I understand 100%. Do it when you can.

We had another security disclosure: Multiple vulnerabilities in LibreHealth EHR 2.0.0 – One brick to the IT world

I didn't do a deep review, but suffice to say, we should make a decision on what to do here. I know we are porting it to Laravel, so we could link to the new repo in the lh-ehr repo and archive the old one; that's one option.

We should also try to figure out whether we want to withdraw 2.0.0 or publish a notice not to use it.