As announced yesterday ([SECURITY] Urgent zero-day spring4shell - protect your DHIS2 instance against remote code execution), we are working to ensure that instances remain protected from the spring4shell vulnerability.
We are preparing patches to address the vulnerability and the following are now available:
- 2.35: DHIS2 patch release 2.35.13 is now available - [SECURITY HOTFIX]
- 2.36: DHIS2 patch release 2.36.10 is now available - [SECURITY HOTFIX]
- 2.37: DHIS2 patch release 2.37.5 is now available - [SECURITY HOTFIX]
We will continue to update you here as other versions are patched.
It is important to reiterate that the vulnerability only affects implementations running on Java 9 and above. Some implementations may have been advised in the past to upgrade from Java 8 for performance reasons, but at present a very effective mitigation is to run your implementation on Java 8. All currently maintained versions are compatible with Java 8, and running on it will keep you protected from this vulnerability until you are able to patch your system.
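As an added example (not part of this announcement or of the DHIS2 project), the following POSIX shell script turns the two facts above into a quick pre-flight check for an operator: it reads the JVM major version from the first line of `java -version` (handling both the legacy `1.8.0_xxx` and the modern `11.0.14` numbering) and compares the running DHIS2 version against the hotfix releases listed in this post. The status names and the sample version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the DHIS2 announcement: a pre-flight check that applies
# the two facts in the post (only Java 9+ is affected; 2.35.13, 2.36.10 and 2.37.5
# carry the hotfix) to an instance. Run it on the DHIS2 host as the Tomcat user.

# Extract the bare version string from the first line of `java -version`, e.g.
#   openjdk version "11.0.14" 2022-01-18   -> 11.0.14
#   java version "1.8.0_322"               -> 1.8.0_322
java_version_string() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p'
}

# Reduce a version string to its major release, handling the legacy "1.x" scheme
# (1.8.0_322 -> 8) and the modern scheme (11.0.14 -> 11, 17-ea -> 17).
java_major() {
    case $1 in
        1.*) printf '%s\n' "$1" | cut -d. -f2 | sed 's/[^0-9].*//' ;;
        *)   printf '%s\n' "$1" | sed 's/[^0-9].*//' ;;
    esac
}

# Minimum patch level per maintained branch, taken from the announcement.
# Prints nothing for a branch the post does not (yet) list.
dhis2_min_patch() {
    case $1 in
        2.35) echo 13 ;;
        2.36) echo 10 ;;
        2.37) echo 5 ;;
    esac
}

# Combine both checks for a DHIS2 version (e.g. 2.36.9) and a `java -version`
# first line. Prints PATCHED, MITIGATED (Java 8 workaround in place), EXPOSED,
# NO-JAVA (version line not recognised) or UNKNOWN-BRANCH.
assess_instance() {
    dhis_ver=$1; java_line=$2
    branch=$(printf '%s\n' "$dhis_ver" | cut -d. -f1,2)
    patch=$(printf '%s\n' "$dhis_ver" | cut -d. -f3)
    min=$(dhis2_min_patch "$branch")
    major=$(java_major "$(java_version_string "$java_line")")
    if [ -z "$min" ]; then echo UNKNOWN-BRANCH; return; fi
    if [ "${patch:-0}" -ge "$min" ]; then echo PATCHED
    elif [ -z "$major" ]; then echo NO-JAVA
    elif [ "$major" -le 8 ]; then echo MITIGATED
    else echo EXPOSED
    fi
}

# Stand-alone use: pass the DHIS2 version as $1 to check the JVM on this host.
if [ -n "${1:-}" ]; then assess_instance "$1" "$(java -version 2>&1 | head -n 1)"; fi
```

Usage: `sh check.sh 2.36.9` on the host; anything other than PATCHED or MITIGATED means the instance still needs the hotfix or the Java 8 workaround.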