Java 15+ cryptography vulnerability

Recently a new vulnerability in Java affecting ECDSA signatures, mostly used in signed JWTs, SAML assertions, OIDC id tokens and WebAuthn authentication messages, has been discovered and reported.

The vulnerability affects Java code running on Java from 15 to 18.

Our advice remains (since DHIS2 2.35) that implementations run tomcat under Java 11 and that, in production settings, it is configured behind a reverse proxy server configured to do SSL/TLS termination. For implementations following that advice, no action is required.

Even in the rare case when DHIS2 might be running on a vulnerable Java version, to the best of our knowledge DHIS2 is not affected by this bug thanks to mitigations in place in the library we use for JWT token authentication (you can read more here).

If you’re running DHIS2 or any other application alongside an affected Java version, please apply April’s critical patch update from Oracle.