Latest Patches for Log4j vulnerability - SUPERSEDE PREVIOUS PATCHES

Dear All,

As noted in some previous announcements, our security team have decided to release new patches for the last Log4j vulnerability (CVE-2021-45046). We don’t believe the DHIS2 codebase is exposed to this particular exploit, but consider it prudent to ensure that we have the full patch (from Apache) in place.

PATCHES NOW AVAILABLE - we are adding the patched releases here as they become available:

These patch releases differ from the previous patches only in an update from Log4j 2.15.0 to 2.16.0:
2.32: 2.32-eos -
2.34: 2.34.9 - + docker
2.35: 2.35.10 - + docker
2.36: 2.36.6 - + docker
2.37: 2.37.2 - + docker


The DHIS2 Security Team


Would be great if you released a bunch of patches with log4j-2.17; this would remove any doubt or false positives from security scanners.

Hi @Stephan_Mestach ,

The DHIS 2 Team evaluated the issue linked to log4j-2.17 at the weekend, and currently do not feel that DHIS 2 instances are at risk. Currently our plan is to incorporate that update into the next maintenance patch releases as part of the nominal cycle.

Kind regards,