Notice of Potential for Data Overwrite [IMPORTANT]

Dear DHIS2 Implementers

We would like to raise awareness of a potential for data loss when using specific versions of DHIS2 combined with data entry through the Android Capture app.

What is the issue?

For the affected versions of DHIS2 using tracker programs, the TEI lastUpdated date is not updated when the underlying event data is updated. The Android app uses that date to know which new data to synchronise to the local device.
This means that the device may not always have the up-to-date data for a TEI, and if changes to that TEI are made on that device, they may overwrite changes made from other apps when sent to the server.

Which versions of DHIS2 are affected?

The following DHIS2 versions are affected:

  • ALL versions of 2.35 up to and including 2.35.7-EMBARGOED
  • ALL versions of 2.36 up to and including 2.36.3

Who is affected?

Your implementation may be affected if all of the following apply:

  1. You are using one of the affected versions of DHIS2 (see above)
  2. You are using tracker programs with Android Capture app (or another app that uses TEI lastUpdated value to trigger synchronisation)
  3. Your implementation involves updating the same TEIs from different clients, and at least one of them is using the event endpoint (the tracker web app does it like this).

For example:

  • If you use DHIS2 only via web to update TEIs you are NOT affected by this bug
  • If you use only the official DHIS2 Android App to update the same, or different, TEIs you are NOT affected by this bug.
  • If you use both DHIS2 web and the official DHIS2 Android App to update the same TEIs you ARE affected
  • If you use any app that uses the event endpoint to create/update events and the official DHIS2 Android App for the same TEI you ARE affected.

What can I do if affected?

Firstly we advise you to make sure you update to the latest patch version to avoid further risk:

  • If you are on 2.35, update to 2.35.8-EMBARGOED
  • If you are on 2.36, update to 2.36.4-EMBARGOED

Secondly, you should evaluate the extent of the problem for your implementation.

Finally, if after evaluating your own use cases you feel you need more support, please reach out to the @dhis2-security team.

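A simplified model of the race described in the announcement, added here as an illustration (it is not DHIS2 code; the class names, the `update_event`/`push_tei`/`changed_since` methods, the integer clock and the sample TEI with two events are all constructed to mirror the description, not the real DHIS2 API). The affected behaviour is toggled with `bump_tei_on_event_update`: when an event-endpoint write does not bump the TEI's `lastUpdated`, the device's "changed since last sync" query returns nothing, the device edits its stale copy, and its upload silently reverts the web edit. `events_newer_than_tei` is the kind of consistency check you could run over TEI and event `lastUpdated` values pulled from an affected server to estimate how many TEIs have been touched through the event endpoint without the TEI timestamp moving.

```python
"""Simplified model of the TEI lastUpdated / Android sync race described above.

Added illustration, not DHIS2 code: the classes, method names and sample data
are constructed to mirror the announcement, not the real DHIS2 API.
"""
from copy import deepcopy


class Server:
    """One tracked entity instance (TEI) with two events.

    bump_tei_on_event_update=False models the affected versions: an update
    through the event endpoint leaves tei["lastUpdated"] untouched.
    """

    def __init__(self, bump_tei_on_event_update):
        self.bump = bump_tei_on_event_update
        self.clock = 0  # monotonic stand-in for wall-clock timestamps
        self.tei = {
            "lastUpdated": 0,
            "events": {
                "ev1": {"value": "initial", "lastUpdated": 0},
                "ev2": {"value": "initial", "lastUpdated": 0},
            },
        }

    def tick(self):
        self.clock += 1
        return self.clock

    def update_event(self, event_id, value):
        """Web path: write a single event through the event endpoint."""
        t = self.tick()
        self.tei["events"][event_id] = {"value": value, "lastUpdated": t}
        if self.bump:
            self.tei["lastUpdated"] = t  # the fixed behaviour

    def push_tei(self, tei):
        """Android path: the whole TEI with its events is uploaded; last writer wins."""
        t = self.tick()
        self.tei = deepcopy(tei)
        self.tei["lastUpdated"] = t

    def changed_since(self, since):
        """What the app asks for: the TEI only if lastUpdated is newer than its last sync."""
        return deepcopy(self.tei) if self.tei["lastUpdated"] > since else None


class AndroidClient:
    def __init__(self, server):
        self.server = server
        self.last_sync = -1
        self.local = None
        self.sync()

    def sync(self):
        changed = self.server.changed_since(self.last_sync)
        if changed is not None:
            self.local = changed
        self.last_sync = self.server.clock

    def edit_event(self, event_id, value):
        self.local["events"][event_id]["value"] = value

    def upload(self):
        self.server.push_tei(self.local)


def events_newer_than_tei(tei):
    """Audit check: events whose lastUpdated is newer than the TEI's own lastUpdated.

    On an affected server this is the footprint of an event-endpoint update
    that the Android app will never be told about.
    """
    return sorted(eid for eid, ev in tei["events"].items()
                  if ev["lastUpdated"] > tei["lastUpdated"])


def run_scenario(fixed):
    server = Server(bump_tei_on_event_update=fixed)
    device = AndroidClient(server)           # device pulls the initial TEI
    server.update_event("ev1", "web-edit")   # someone edits ev1 via the event endpoint
    flagged = events_newer_than_tei(server.tei)
    device.sync()                            # device asks for changes since last sync
    device.edit_event("ev2", "device-edit")  # device edits a different event
    device.upload()                          # and uploads the whole TEI
    return {
        "ev1": server.tei["events"]["ev1"]["value"],
        "ev2": server.tei["events"]["ev2"]["value"],
        "flagged_before_sync": flagged,
    }


if __name__ == "__main__":
    print("affected:", run_scenario(fixed=False))  # ev1 reverts to "initial"
    print("fixed:   ", run_scenario(fixed=True))   # ev1 keeps "web-edit"
```

Running the script shows the two outcomes side by side: on the affected server the web edit to ev1 is lost after the device upload, while on the fixed server the device first receives the newer TEI and its upload preserves both edits. Note that in this model the device never touched ev1 at all; the overwrite comes purely from uploading a TEI snapshot the server never told it was stale.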
Hi @phil, what about 2.34, is it safe to assume that this issue is not happening previous to 2.35?

Hi @SferaDev ,

Yes, that’s correct, versions before 2.35 are not affected by this specific issue.
