Security advisory for Orthanc deployments running versions before 1.12.0

Hi all,

An issue has been discovered in Orthanc that allows authenticated users with access to the Orthanc API to overwrite arbitrary files on the filesystem and, in specific deployment scenarios, allows the attacker to overwrite the configuration, which can then be exploited to trigger remote code execution.

This issue has been fixed in 1.12.0, so as a first step, it is strongly recommended to upgrade Orthanc to release version 1.12.0 or higher as soon as possible.

Secondly, make sure to always follow the guidelines for Securing Orthanc for production installations - the instructions have recently been updated to include mitigations against this particular vulnerability.

Finally, in the next release, there will be additional improvements to the Docker image to run the Orthanc container as a non-privileged user.

Regards
Walco

3 Likes

Hi everyone,

First of all, great thanks to Walco and Colin for their work on finding this security issue and helping with the resolution and documentation; a great collaborative work!

The latest osimis/orthanc:23.6.0 Docker images have been released with a pre-configured ‘orthanc’ user that has non-root privileges. Here’s a sample on how to use it. By default, to ensure backward compatibility, the image is still running as root.

Best regards,

Alain.

1 Like
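A Compose service definition that puts the two posts together (non-root image plus read-only configuration so the file-overwrite issue cannot reach `orthanc.json`), as an added example that is not from Alain's post or the Orthanc project. It assumes the image's account is named `orthanc` as announced, and that the image reads configuration from `/etc/orthanc` and stores DICOM files under `/var/lib/orthanc/db`; adjust the paths if your deployment differs.

```yaml
# Added example, not from the thread. Assumptions: the non-root account is
# "orthanc"; /etc/orthanc is the config directory; /var/lib/orthanc/db is the
# storage directory. Verify both against the image you actually run.
services:
  orthanc:
    image: osimis/orthanc:23.6.0
    # 1. Drop root. The announced default is still root for backward
    #    compatibility, so this must be set explicitly.
    user: orthanc
    ports:
      - "127.0.0.1:8042:8042"   # REST API / web UI on loopback only
      - "4242:4242"             # DICOM port
    volumes:
      # 2. Mount the configuration read-only. Even an authenticated API user
      #    who can write files cannot replace orthanc.json from inside the
      #    container, which is the step the advisory chains to code execution.
      - ./orthanc.json:/etc/orthanc/orthanc.json:ro
      # 3. Only the storage volume stays writable; it must be owned on the host
      #    by the UID the container runs as.
      - orthanc-db:/var/lib/orthanc/db
    # 4. No setuid escalation and no Linux capabilities: Orthanc listens on
    #    unprivileged ports, so it needs none.
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL

volumes:
  orthanc-db:
```

Before starting, find the UID the image assigns to `orthanc` (for example with `docker run --rm osimis/orthanc:23.6.0 id orthanc`) and chown the storage volume to it, otherwise the non-root process cannot write DICOM files.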