CVE-2021-43094

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in OpenMRS allows attackers to execute arbitrary SQL commands via GET request parameters on the patient.page endpoint. It affects OpenMRS Reference Application Standalone Edition up to version 2.11 and Platform Standalone Edition up to version 2.4.0. Healthcare organizations using these vulnerable versions are at risk of data breaches.

💻 Affected Systems

Products:
  • OpenMRS Reference Application Standalone Edition
  • OpenMRS Platform Standalone Edition
Versions: Reference Application <= 2.11, Platform <= 2.4.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the patient.page endpoint specifically. The vulnerability exists in the default configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to theft of all patient health records, authentication bypass, remote code execution, and potential destruction of healthcare data.

🟠 Likely Case: Unauthorized access to sensitive patient health information (PHI), modification of medical records, and potential data exfiltration.

🟢 If Mitigated: Limited impact with proper input validation, parameterized queries, and network segmentation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via GET parameters is a well-understood attack vector with many available tools. The CVSS 9.8 score indicates critical severity and ease of exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Reference Application > 2.11, Platform > 2.4.0

Vendor Advisory: https://issues.openmrs.org/browse/TRUNK-6043

Restart Required: Yes

Instructions:

1. Upgrade to OpenMRS Reference Application Standalone Edition version > 2.11 or Platform Standalone Edition > 2.4.0.
2. Apply the patch from the vendor advisory.
3. Restart the OpenMRS application server.
4. Verify the fix by testing the patient.page endpoint.

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules (all platforms)

Implement WAF rules to block SQL injection patterns in GET parameters targeting patient.page.

Input Validation Filter (all platforms)

Add server-side input validation to sanitize all GET parameters before processing.

🧯 If You Can't Patch

  • Implement network segmentation to isolate OpenMRS from internet access
  • Deploy a web application firewall with SQL injection detection rules

🔍 How to Verify

Check if Vulnerable:

Test the patient.page endpoint with SQL injection payloads in GET parameters (e.g., patient.page?param=1' OR '1'='1). Monitor for SQL errors or unexpected behavior.

Check Version:

Check OpenMRS version in administration interface or via application logs

Verify Fix Applied:

After patching, repeat the SQL injection tests. The application should reject malicious input without executing SQL commands.

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in application logs
  • Unusual database query patterns from patient.page requests
  • Multiple failed login attempts following SQL injection patterns

Network Indicators:

  • HTTP GET requests to patient.page with SQL keywords in parameters
  • Unusual outbound database connections from application server

SIEM Query:

source="openmrs.log" AND ("SQL" OR "syntax" OR "error" OR "patient.page")
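The network indicator above (GET requests to patient.page with SQL keywords in parameters) can be checked directly against web-server access logs. The script below is an added example, not part of this advisory or of OpenMRS; the log lines, the /openmrs/patient.page path and the parameter names are constructed, and only the patient.page endpoint name comes from the advisory. It URL-decodes each parameter before matching so that percent-encoded payloads are not missed, and it does not flag a lone apostrophe in a legitimate value.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines (common log format). The path and parameter
# names are assumptions for illustration; only "patient.page" comes from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2021:10:01:02 +0000] "GET /openmrs/patient.page?patientId=42 HTTP/1.1" 200 5123
10.0.0.9 - - [12/Dec/2021:10:01:07 +0000] "GET /openmrs/patient.page?patientId=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 812
10.0.0.9 - - [12/Dec/2021:10:01:09 +0000] "GET /openmrs/patient.page?patientId=1%20UNION%20SELECT%201,2-- HTTP/1.1" 500 812
10.0.0.5 - - [12/Dec/2021:10:01:30 +0000] "GET /openmrs/patient.page?patientId=7&name=O%27Brien HTTP/1.1" 200 4990
10.0.0.7 - - [12/Dec/2021:10:02:00 +0000] "GET /openmrs/login.htm HTTP/1.1" 200 3301
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Checked against the URL-decoded, lower-cased parameter value so encoded quotes and
# spaces cannot hide the keyword. A lone apostrophe (O'Brien) is deliberately not enough.
SQLI_PATTERNS = {
    "quote_tautology": re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+"),
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?\bselect\b"),
    "comment_terminator": re.compile(r"(--|/\*)"),
    "stacked_statement": re.compile(r";\s*(drop|delete|update|insert)\b"),
}


def flag_patient_page_requests(log_text):
    """Return one finding per GET request to patient.page carrying an SQL-like parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/patient.page"):
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            # parse_qsl decodes once; a second unquote_plus catches double-encoded payloads.
            decoded = unquote_plus(value).lower()
            for label, pattern in SQLI_PATTERNS.items():
                if pattern.search(decoded):
                    findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "param": name,
                                     "value": unquote_plus(value),
                                     "status": int(m.group("status")), "rule": label})
                    break  # one finding per parameter is enough for triage
    return findings


if __name__ == "__main__":
    for f in flag_patient_page_requests(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} param={f['param']} rule={f['rule']} status={f['status']}")
```

Pairing a hit with a 500 response, as in the sample, is the strongest signal that the injected string reached the database; requests from the same source in quick succession are the "multiple attempts" indicator listed above.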
