LimeSurvey (https://limesurvey.partners.org/limesurvey) experienced an unexpected outage due to PostgreSQL database platform issues from 9:15AM to 9:45AM EST on March 3rd, 2016.  

If you have any concerns, please email edcsupport@partners.org

Applies To: OpenSSL 1.0.2 and 1.0.1

A high severity cross-protocol attack on TLS using SSLv2 (DROWN) [CVE-2016-0800] was discovered and could lead to decryption of TLS sessions by using a server supporting SSLv2 and some EXPORT cipher suits.

Users can avoid the attack by completely disabling SSLv2 protocol in the servers. However, we highly recommend that you patch your server immediately as well and restart and services depending on OpenSSL.

OpenSSL 1.0.2 users should upgrade to 1.0.2.g
OpenSSL 1.0.1 users should upgrade to 1.0.1s

ERIS proxy and all current ERIS CentOS builds have disabled SSLv2 and have been patched. Please restart any services that rely on OpenSSL for encryption (that might be Apache, Tomcat, JBoss, LDAP, etc).

DIPR VM users with custom builds (such as ubuntu, debian or other non-standard builds) will need to be patched by you or your system administrator.

Distribution specific versions should follow vendor guidelines (as they might also patch other bugs):

• Red Hat : https://rhn.redhat.com/errata/RHSA-2016-0301.html
• SuSE : https://www.suse.com/support/update/announcement/2016/suse-su-20160624-1.html
• Ubuntu : http://www.ubuntu.com/usn/usn-2914-1/

OpenSSL original security advisory (reference): http://www.openssl.org/news/secadv/20160301.txt

Additionally, we recommend you to harden default configurations shipped with some distributions. Bellow you will find a suggestion (minimum approach), if you server supports all these options (and if you can set your server to use only those ciphers):

SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

Associated CVEs: CVE-2015-3197, CVE-2016-0702, CVE-2016-0705, CVE-2016-0797, CVE-2016-0800, CVE-2016-0799, CVE-2016-0703, CVE-2016-3197, CVE-2016-0704, CVE-2016-0293 

​Please patch your servers accordingly.

REDCap (https://redcap.partners.org/redcap) experienced an unexpected outage due to MySQL database platform issues from 10PM to 12AM EST on February 11th, 2016. 

Please review your projects if surveys were scheduled to send during this time.  Manage Survey Participants > Survey Invitation Log.  You can filter on “Invitations that failed to send” and resend as needed.

Survey data may not have been collected at this time and participants received a web-browser error message when attempting to click on a survey link.

If you have any concerns, please email edcsupport@partners.org

Websites hosted on DIPR VMs were offline for approximately one hour on Wednesday, February 10, 2016. due to a proxy server issue. 

If you have any questions, please contact ERIS by emailing rcc@partners.org, a ticket will automatically be opened for you.

LimeSurvey (https://limesurvey.partners.org/limesurvey) upgrades scheduled for Monday, Feb. 1 at 8:00 PM EST are complete. Downtime was 1 hour.  

This upgrade will include a number of new features. Full release notes can be found here.

A condensed list of new features can be found here.

If you have any concerns about LimeSurvey being offline at this time, please email edcsupport@partners.org  

Applies To: All Linux Server/Workstations using Kernel 3.8 (or higher)

A new local privilege escalation vulnerability has been found in Linux Kernel 3.8 (and higher) [CVE 2016-0728]. 

This vulnerability affects multiple Linux distributions including Red Hat 7, CentOS 7, Ubuntu 14.04 LTS and others (mostly all distributions using kernel 3.8 or higher).

Patches are already available for most known distributions. Please patch your server/workstation and reboot it as soon as possible. This is considered high-risk, specially if your device is using a public IP.

References:
https://access.redhat.com/solutions/2130791
http://www.ubuntu.com/usn/usn-2870-1/
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00021.html

Applies To: All Partners institutions & affiliates (except DFCI)

Since Harvard announced they were exiting the retail sales and services business last fall, ERIS has been working to secure Apple product purchasing services for the Partners community. We're pleased to announce that effective January 4, 2016, Partners will be working with the Apple Professional Services (APS) division for higher education customers as our official vendor.

APS will take the place of the work Harvard previously performed for us. Apple products will continue to be ordered with proposal and Purchase Order (PO) through Apple, then shipped to an APS provider to be inventoried and asset tagged. Macintosh laptops/desktops will be enrolled in the PEAS program as part of this process. After professional services have been rendered for each device, the product(s) will then be shipped directly to the Ship To recipient specified in the PO. 

Purchasing through Apple direct will allow our community to pay educational cost for products, as well as the opportunity to receive additional promotional savings, which are offered for most laptops and desktops. As part of this service transition, fees will be reinstated for each of the following products ordered:

• Laptops/desktops (MacBook, MacBook Air, MacBook Pro, iMac, Mac Mini, Mac Pro) $26.95
• iPads (iPad Air, Pro or Mini) $20.95 
• Apple Thunderbolt Display $20.95 

We are also pleased to let you know that you can now develop your own proposal to purchase Apple products. Instructions can be found on our website, including step-by-step directions, videos, and the opportunity to participate in a training webinar.

If you have any questions or concerns, please contact the PEAS team for assistance by opening an IS Service Desk request. We thank you for your patience during this transition and expect these new services will better serve our community.

This website and KnowledgeBase were unavailable while work was completed on Monday, December 7, 2015 from 7-7:20a.m. The updates addressed security, small bugs and feature updates. Please contact rcc@partners.org if you have any questions or concerns.  

We are aware of several issues that you might experience with the Lyris List Manager system (https://researchlist.partners.org). The following issues will be resolved with the next upgrade. 

• The Image Library does not support an image located at an SSL site
  • Workaround: Contact rcc@partners.org and we can upload your images to the server.
• List Manager not working in Firefox browser version 39
  • Workaround: Upgrade to the current Firefox browser version (https://www.mozilla.org/en-US/firefox/desktop/) 
• Paste from word option in the HTML editor not working with IE 11
  • Workaround: Use Firefox, Chrome or Safari to use the paste from word option
• Unable to add a clickable link in a mailing or create a merge tag, when using Windows 7 with IE11
  • Workaround: Use Firefox, Chrome or Safari to create hyperlink or merge tag

The exact upgrade schedule will be posted and communicated to List Administrators as soon as it is confirmed. If you have any questions or additional issues, please email rcc@partners.org and a ticket will be opened for you.

Applies to: MySQL instance - MySQL2.dipr.partners.org

MySQL.dipr.partners.org experienced a heavy load from 9:50 am to 10:27 am this morning, October 26, 2015, which caused MySQL to be non responsive. MySQL is now running under normal load, and has no issues to report. 

We will be investigating the cause of disruption of service this morning and work to rectify the issue. If you are still experiencing connecting issues, please email us at rcc@partners.org, and we will assist you with your connection issues.

Partners HealthCare is introducing a new policy and procedures website, Policy Central. This replaces Trove Library. All active policies for Partners HealthCare, Spaulding Rehabilitation Network, and Partners Community Physicians Organization have been migrated to Policy Central.              

How do I access Policy Central?

• From a Partners-managed Windows device, Go to Partners Applications > Policies and Procedures > Partners Policies and Procedures > You are redirected to Policy Central > Select your institution from dropdown menu.
  • Note: If you do not see Partners Policies and Procedures in your Partners Applications right away, please log off and log back in.
• From a Mac or a non-standard Partners Windows device, visit: https://grcarcher.partners.org/

Users must have a Partners network ID and password in order to access Policy Central. More information and a user guide is available in the IS Service Desk: https://partnershealthcare.service-now.com/kb_view.do?sysparm_article=KB0023481.   

If you have any questions, please contact the IS Service Desk.

Thank you,

Jigar Kadakia
Chief Information Security and Privacy Officer