Dear DHIS2 Implementers
We would like to raise awareness of a potential for data loss when using specific versions of DHIS2 combined with data entry through the Android Capture app.
For the affected versions of DHIS2 using tracker programs, the TEI lastUpdated date is not updated when underlying event data is updated. The Android app uses that date to determine what new data to synchronise to the local device.
This means that the device may not always have the up-to-date data for a TEI, and if changes to that TEI are made on that device, they may overwrite other changes from other apps when sent to the server.
The following DHIS2 versions are affected:
- ALL versions of 2.35 up to and including
- ALL versions of 2.36 up to and including
Your implementation may be affected if all of the following apply:
- You are using one of the affected versions of DHIS2 (see above)
- You are using tracker programs with the Android Capture app (or another app that uses the TEI lastUpdated value to trigger synchronisation)
- Your implementation involves updating the same TEIs from different clients, where at least one of them uses the event endpoint (tracker web does it like this).
- If you use DHIS2 only via web to update TEIs you are NOT affected by this bug
- If you use only the official DHIS2 Android App to update the same, or different, TEIs you are NOT affected by this bug.
- If you use both DHIS2 web and the official DHIS2 Android App to update the same TEIs you ARE affected
- If you use any app that uses the event endpoint to create/update events and the official DHIS2 Android App for the same TEI you ARE affected.
Firstly we advise you to make sure you update to the latest patch version to avoid further risk:
- If you are on 2.35, update to
- If you are on 2.36, update to
Secondly, you should evaluate the extent of the problem for your implementation.
Finally, if after evaluating your own use cases you feel you need more support, please reach out to the @dhis2-security team.
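
One way to approach the evaluation step above, as an added example that is not DHIS2's own code: it flags TEIs that have an event newer than the TEI lastUpdated value, and lists which of them a client syncing on TEI lastUpdated would skip. The export shape (TEIs with nested enrollments and events, each carrying lastUpdated), the sample data and the function names `stale_teis` and `missed_by_sync` are assumptions made for illustration.

```python
import json
from datetime import datetime

# Constructed sample (UIDs and timestamps are made up); the shape is assumed to
# match a trackedEntityInstances export with nested enrollments and events.
SAMPLE = json.loads("""
{"trackedEntityInstances": [
  {"trackedEntityInstance": "TEI_A", "lastUpdated": "2021-06-01T08:00:00.000",
   "enrollments": [{"events": [
     {"event": "EV_A1", "lastUpdated": "2021-06-01T08:00:00.000"},
     {"event": "EV_A2", "lastUpdated": "2021-06-03T14:30:00.000"}]}]},
  {"trackedEntityInstance": "TEI_B", "lastUpdated": "2021-06-04T09:00:00.000",
   "enrollments": [{"events": [
     {"event": "EV_B1", "lastUpdated": "2021-06-02T11:00:00.000"}]}]},
  {"trackedEntityInstance": "TEI_C", "lastUpdated": "2021-05-20T10:00:00.000",
   "enrollments": []}
]}
""")

def ts(value):
    """Parse a timestamp such as 2021-06-01T08:00:00.000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f")

def stale_teis(payload):
    """Return TEIs that have at least one event newer than the TEI lastUpdated."""
    findings = []
    for tei in payload["trackedEntityInstances"]:
        tei_ts = ts(tei["lastUpdated"])
        events = [ev for enr in tei.get("enrollments", [])
                  for ev in enr.get("events", [])]
        newer = [ev for ev in events if ts(ev["lastUpdated"]) > tei_ts]
        if newer:
            findings.append({
                "tei": tei["trackedEntityInstance"],
                "tei_updated": tei_ts,
                "newest_event": max(ts(ev["lastUpdated"]) for ev in newer),
                "events": sorted(ev["event"] for ev in newer),
            })
    return findings

def missed_by_sync(payload, last_sync):
    # Stale TEIs that a client fetching only "TEIs updated after last_sync"
    # skips, even though one of their events changed after last_sync.
    cutoff = ts(last_sync)
    return [f["tei"] for f in stale_teis(payload)
            if f["tei_updated"] <= cutoff < f["newest_event"]]

if __name__ == "__main__":
    for finding in stale_teis(SAMPLE):
        print(finding["tei"], finding["events"])
```

TEIs reported by `missed_by_sync` for a device's last sync time are the ones where edits made on that device could overwrite event changes made elsewhere.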