Latest Patches for Log4j vulnerability - SUPERSEDE PREVIOUS PATCHES

Dear All,

As noted in some previous announcements, our security team have decided to release new patches for the last Log4j vulnerability (CVE-2021-45046). We don’t believe the DHIS2 codebase is exposed to this particular exploit, but consider it prudent to ensure that we have the full patch (from Apache) in place.

PATCHES NOW AVAILABLE - we are adding the patched releases here as they become available:

These patch releases differ from the previous patches only in an update from Log4j 2.15.0 to 2.16.0:
2.32: 2.32-eos - https://releases.dhis2.org/2.32/dhis2-stable-2.32-eos.war
2.34: 2.34.9 - https://releases.dhis2.org/2.34/dhis2-stable-2.34.9.war + docker
2.35: 2.35.10 - https://releases.dhis2.org/2.35/dhis2-stable-2.35.10.war + docker
2.36: 2.36.6 - https://releases.dhis2.org/2.36/dhis2-stable-2.36.6.war + docker
2.37: 2.37.2 - https://releases.dhis2.org/2.37/dhis2-stable-2.37.2.war + docker

Regards,

The DHIS2 Security Team

10 Likes
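A defender-side check for the release list above, added here as an example and not code from DHIS2: it opens a downloaded WAR, finds the bundled log4j-core jar(s) under WEB-INF/lib/, confirms each is at least 2.16.0, and reports whether JndiLookup.class is still present. It assumes the jar filename carries the version and that a manifest Implementation-Version, when present, agrees with it; build_sample_war is a constructed stand-in, not a real DHIS2 build.

```python
import io
import re
import zipfile

# Minimum log4j-core version the patched releases above bundle (full CVE-2021-45046 fix).
MIN_LOG4J = (2, 16, 0)

def parse_version(text):
    """'2.16.0' -> (2, 16, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))

def log4j_core_jars(war_bytes):
    """Map each WEB-INF/lib/log4j-core-*.jar to (version, has_jndi_lookup)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = re.fullmatch(r"WEB-INF/lib/log4j-core-(\d+(?:\.\d+)+)\.jar", name)
            if not m:
                continue
            version = parse_version(m.group(1))
            with zipfile.ZipFile(io.BytesIO(war.read(name))) as jar:
                entries = jar.namelist()
                # Cross-check the filename against the jar's manifest when it states a version (assumed key).
                if "META-INF/MANIFEST.MF" in entries:
                    mv = re.search(r"Implementation-Version: *(\S+)", jar.read("META-INF/MANIFEST.MF").decode())
                    if mv and parse_version(mv.group(1)) != version:
                        raise ValueError(f"{name}: filename and manifest disagree ({mv.group(1)})")
                has_jndi = any(e.endswith("/lookup/JndiLookup.class") for e in entries)
            found[name] = (version, has_jndi)
    return found

def is_patched(war_bytes):
    """True only if at least one log4j-core jar is bundled and every one is >= MIN_LOG4J."""
    jars = log4j_core_jars(war_bytes)
    return bool(jars) and all(v >= MIN_LOG4J for v, _ in jars.values())

def build_sample_war(log4j_version):
    """Constructed stand-in for a DHIS2 WAR: one log4j-core jar with a manifest and JndiLookup."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {log4j_version}\n")
        z.writestr("org/apache/logging/log4j/core/lookup/JndiLookup.class", b"\xca\xfe\xba\xbe")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr(f"WEB-INF/lib/log4j-core-{log4j_version}.jar", jar.getvalue())
        z.writestr("WEB-INF/lib/other-lib-1.0.jar", b"")
    return war.getvalue()
```

Against a real download, call `is_patched(open("dhis2-stable-2.36.6.war", "rb").read())`; a result of False means either an older log4j-core or no log4j-core jar at all, so inspect `log4j_core_jars()` output before concluding anything.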

It would be great if you released a bunch of patches with log4j-2.17; this would remove any doubt or false positives from security scanners.

1 Like

Hi @Stephan_Mestach,

The DHIS 2 Team evaluated the issue linked to log4j-2.17 at the weekend, and currently do not feel that DHIS 2 instances are at risk. Currently our plan is to incorporate that update into the next maintenance patch releases as part of the nominal cycle.

Kind regards,
Phil

2 Likes