OpenMRS Concept Reference Range Utility Apache Velocity Template Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A critical vulnerability exists in OpenMRS versions 2.7.0 prior to 2.7.9 and 2.8.0 prior to 2.8.6. The issue arises in the ConceptReferenceRangeUtility.evaluateCriteria() method, which renders database-stored criteria strings as Apache Velocity templates without proper sandboxing. The VelocityEngine is configured only with logging properties; it has no SecureUberspector, so template expressions can perform unrestricted Java reflection. Users with the Manage Concepts privilege can inject malicious Velocity template expressions into a concept's reference range criteria. These payloads are executed automatically whenever observations are validated against the affected concept, exposing patient data and potentially leading to arbitrary code execution on the server.

Impact

Exploitation of this vulnerability allows for persistent remote code execution on the server, with the injected payload executed in the context of the Tomcat application server process. The vulnerability also facilitates privilege escalation, as the Manage Concepts privilege is typically held by non-admin staff, and direct access to patient data is available through the Velocity context objects.

Remediation

Users should update to OpenMRS versions 2.7.9 or 2.8.6. It is also recommended to restrict the Manage Concepts privilege to authorized users and audit ConceptReferenceRanges in the database.
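The root cause described above is a VelocityEngine built without a restrictive uberspector. The following added example (not OpenMRS code, and not taken from the fixed release) shows how a criteria evaluator of this shape would be hardened: it installs Velocity's SecureUberspector, which refuses template access to Class, ClassLoader, Runtime, Thread and related types and blocks getClass()/getClassLoader() on every object. The class name, the `patientAge` context variable and the convention that a criteria template renders to the literal "true" are assumptions for illustration.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

// Hypothetical hardened evaluator modelled on the pattern in the advisory:
// a criteria string stored in the database is rendered as a Velocity template.
public final class SafeCriteriaEvaluator {

    private static final VelocityEngine ENGINE = buildEngine();

    private static VelocityEngine buildEngine() {
        VelocityEngine engine = new VelocityEngine();
        // The vulnerable configuration set only logging properties, so Velocity used its
        // default uberspector, which lets template code reach arbitrary Java reflection.
        // SecureUberspector is Velocity's own restricted introspector; it ships with a
        // default deny-list of dangerous java.lang classes and the java.lang.reflect package.
        engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        // Defence in depth: widen the restricted package list beyond the default
        // (java.lang.reflect must stay in the list when it is overridden).
        engine.setProperty(RuntimeConstants.INTROSPECTOR_RESTRICT_PACKAGES,
                "java.lang.reflect,java.io,java.nio,java.net,javax.script");
        engine.init();
        return engine;
    }

    /** Renders the criteria template; a rendered "true" counts as a match (assumed convention). */
    public static boolean evaluate(String criteria, VelocityContext ctx) {
        StringWriter out = new StringWriter();
        boolean rendered = ENGINE.evaluate(ctx, out, "concept-reference-range", criteria);
        return rendered && "true".equals(out.toString().trim());
    }

    public static void main(String[] args) {
        // Constructed sample: an age-based criteria of the kind a reference range might carry.
        VelocityContext ctx = new VelocityContext();
        ctx.put("patientAge", 34);
        System.out.println(evaluate("#if($patientAge >= 18)true#{else}false#end", ctx));
    }
}
```

Pairing this engine configuration with the privilege restriction and database audit recommended above limits both who can write criteria and what a written criteria string can do.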

Added: May 15, 2026, 5:31 PM
Updated: May 15, 2026, 5:31 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 7.5
exploitability: 4.8
remediation: 8.3
relevance: 8.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.