REMINDER: Critical security release of OMERO imminent!

At OME we are now working from home doing the final builds and tests in preparation for releasing OMERO.server 5.6.1 and OMERO.web 5.6.3 which include a fix for a CRITICAL SECURITY VULNERABILITY. Further to our previous announcement you should now have OMERO 5.6.0 running fine and be ready to upgrade all servers to OMERO 5.6.1 this Wednesday 25th.

Regards,

The OME team

Hey all that sounds really cool but given the current situation (everyone should have heard about the global crisis by now :mask: :thinking: ? ), what do you suggest to those sysadmins/institutes who run public instances where servers won’t be upgraded on time, what should they do?
It may be worth providing some guidance as a plan B option, like VPN only, etc.

Ola

Hi there,

Yes, it would be nice to have one week - or so - more to do the job.

I hope everyone is fine
Andreas

Thanks for the feedback, guys. And that certainly goes for anyone else out there who has been watching both this issue and that other real-life issue trying to figure out how to manage things.

At the same time, we’re also concerned that, having announced the security vulnerabilities and announced a date, schedules will be in place for others to update. We’d equally like to hear from them. Then we will try to make the least bad choice in this difficult time.

If the release proceeds and you are not able to upgrade immediately, a few words on the severity of the security vulnerabilities and mitigations:

  • None of the issues we’ve found allow a non-authenticated user to elevate their access or perform remote code execution.
  • Consequently, VPN or firewalls will not necessarily improve the situation.
  • Your best option for protecting your OMERO installation if you cannot upgrade is either network isolation or powering down until you are ready to upgrade.

~Josh

Well now you have me very interested, @joshmoore

For what it’s worth, we are ready to go at JAX, but if you need to postpone the release it would not be a huge deal.

For what it’s worth, we are ready to perform the update. We are pretty flexible with the schedule too.

@joshmoore Just to register that we would also appreciate some more time to get ready.

Dear All-

Thanks for the feedback-- it is really important for us to hear these comments.

We’re definitely in difficult, unprecedented territory-- critical releases, COVID19 lockdowns, etc. Weighing everything, we believe the best option is to go ahead with our originally announced release date for OMERO 5.6.1 of Wednesday, March 25th, at 3pm UTC (11am EDT). We will do what we can to assist those who cannot upgrade as proposed and announced in our earlier announcements.

We are very well aware of the challenges everyone is working under at this time. Many sysadmins have already scheduled the upgrade, and delaying by only a week requires a change to already complex schedules at short notice. A longer delay is likely to run into more constraints due to institutional restrictions and potential illness of staff. We also have to consider the varying impacts of COVID19 in different countries across the world. This effectively means postponing the release indefinitely, so we’ve taken the difficult decision to go ahead with the release as planned on 25 March.

If there are any further comments, please do get in touch.

Best wishes to the whole community-- stay healthy and strong.

Cheers,

Jason

OMERO 5.6.1 is now released.