ACTION REQUIRED NOW: Critical security release of OMERO.server 5.6.1 and OMERO.web 5.6.3

As previously announced, today we are releasing OMERO.server 5.6.1, which fixes several security vulnerabilities, one of them critical, so we urge everyone to upgrade as soon as possible. There are no known workarounds to the most severe vulnerability. We are also releasing OMERO.web 5.6.3, which fixes one security vulnerability, and OMERO.py 5.6.2.

OMERO.server 5.6.1 runs in the same deployment environments as OMERO.server 5.6.0, and the Bio-Formats Memoizer cache will not be invalidated, so the upgrade should be minor. The only client that you must upgrade is OMERO.web, though we also recommend upgrading OMERO.py.

Security Fixes:

OMERO security fixes are available only for OMERO.server 5.6 and greater. The vulnerabilities fixed by this release are:

Mitigation:

If you cannot perform the upgrade at this time then we strongly recommend that you shut down your OMERO server until upgrade is possible. At the very least you should switch your server into read-only mode and block OMERO.blitz API access to all but omero-web. If you hold any private data on OMERO.server then you should firewall it so that login is available only to those who may read all the data. We have not determined that running OMERO 5.6.0 or earlier even with these restrictions is at all safe.

Installing the Software:

For full details of the changes with the OMERO 5.6 series see the OMERO 5.6.0 release announcement. OMERO.server 5.6.1 is designed to be a small step beyond the 5.6.0 release in order to simplify upgrade. Full documentation for this release is available under https://docs.openmicroscopy.org/omero/5.6.1/.

OMERO.server 5.6.1 is available from archived downloads and omero-web 5.6.3 also includes security fixes. These have been tested with omero-py 5.6.2 so we recommend that you upgrade OMERO.py on both server and web deployments.

Official Docker images are available as usual on Docker Hub with either the latest or the 5.6 tag:

You’re invited to discuss this announcement here but installation issues may best be raised in a new topic.

All the best with your upgrades,

The OME Team

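The mitigation section asks that OMERO.blitz API access be blocked to all but omero-web. The following is an added example, not part of the OME announcement, of one way to enforce that with nftables on the server host. It assumes Blitz listens on the default ports 4063 (TCP) and 4064 (SSL); `192.0.2.10` and `2001:db8::10` are placeholders for the omero-web host.

```nftables
#!/usr/sbin/nft -f
# Added example: allow OMERO.blitz connections from omero-web only.
# Assumptions (not from the announcement):
#   - Blitz uses the default ports 4063 and 4064
#   - 192.0.2.10 / 2001:db8::10 stand in for the omero-web host

# Create-then-delete makes the file safe to reload repeatedly.
table inet omero_blitz_lockdown
delete table inet omero_blitz_lockdown

table inet omero_blitz_lockdown {
    set blitz_ports {
        type inet_service
        elements = { 4063, 4064 }
    }

    set web_hosts4 {
        type ipv4_addr
        elements = { 192.0.2.10 }
    }

    set web_hosts6 {
        type ipv6_addr
        elements = { 2001:db8::10 }
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # omero-web running on the same machine connects over loopback.
        iifname "lo" tcp dport @blitz_ports accept

        # omero-web running on a separate host.
        ip saddr @web_hosts4 tcp dport @blitz_ports accept
        ip6 saddr @web_hosts6 tcp dport @blitz_ports accept

        # Everything else aimed at Blitz: log at a bounded rate, then drop.
        tcp dport @blitz_ports limit rate 10/minute log prefix "omero-blitz-blocked: "
        tcp dport @blitz_ports drop
    }
}
```

Load the file with `nft -f` and confirm from a host other than omero-web that neither port accepts connections.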