Log4j vulnerability update CVE-2021-45046, 14 December

Our security team is following the developments of the Log4j vulnerability closely. The most recent updates (CVE-2021-45046) online have indicated ongoing concerns beyond the upstream Log4j fix announced previously (Urgent Log4j server security vulnerability - REQUIRES IMMEDIATE ATTENTION!), but based on the information that we have, DHIS2 should not be affected by these concerns.

The remaining vulnerability is relevant to a specific configuration of Log4j that DHIS2 does not use. If you apply the fix recommended previously, your DHIS2 instance should be protected from both RCE and DoS attacks.

We will continue to provide updates as more information is made available. Please comment here if you have any questions about what to do to protect your DHIS2 instance.

6 Likes

Hi,

please double-check whether this message is still applicable after the recent finding came in that known mitigations for CVE-2021-44228 won't work: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

Best,
Frank

@fhauptmann thank you for being thorough here - if you follow the link in the post above you will find that this update (posted yesterday 14 December) is addressing the CVE-2021-45046 update you reference. I am editing the post to explicitly reference that CVE.

To be explicit, we have evaluated DHIS2’s use of log4j and determined that we are not vulnerable to this particular exploit - DHIS2 does utilize %X to embed a Thread Context Map sessionId in our log4j pattern, however the MCP input is exclusively a base64 hash of a system-generated unique identifier and so cannot be manually crafted by an attacker to inject vulnerable JNDI lookup commands.

We will also be removing all JNDI functionality from log4j (by upgrading to 2.16.0 or higher) shortly in another fleet of patch releases out of an abundance of caution.

3 Likes

Hi @austin,

thanks for pointing this out.

Best,
Frank

1 Like

As Austin pointed out, we have now released updated patches with the upgrade to Log4j 2.16.0: Latest Patches for Log4j vulnerability - SUPERSEDE PREVIOUS PATCHES

3 Likes