A very urgent security issue was made public today in a well-used library that affects many web services (see CVE-2021-44228 - Log4j 2 Vulnerability Analysis - Randori Attack Team).
We have checked and can confirm that this issue also affects the following DHIS2 versions:
- 2.32 (patch 2.32.5 and above)
- 2.34 (all patches)
- 2.35 (all patches)
- 2.36 (all patches)
- 2.37 (all patches)
The issue can result in an attacker obtaining control of the server.
Due to the serious nature, and the fact that this vulnerability is public, we urge everyone to take the following mitigations AS SOON AS POSSIBLE:
- Shutdown your DHIS2 instance
- Apply the following option to the
JAVA_OPTSvariable for your DHIS2 environment :
- Restart your DHIS2 instance
You may not require these mitigation steps if you are using JDK versions greater than 8u191 and 11.0.1. We will confirm in a subsequent post.
Update! You are NOT protected from this vulnerability by only running a recent JDK, the only way to protect yourself is to apply the mitigation or upgrade to the latest patched DHIS2 version.
The above steps will ensure that your DHIS2 instance is secure from anyone trying to exploit the vulnerability.
Our core team is already planning to provide patched .war files for the affected versions as soon as possible, but the mitigation mentioned above should be enough to keep your implementation safe until a patched version is available.
The DHIS2 Security Team
PATCHES NOW AVAILABLE - we are adding the patched releases here as they become available:
These patch releases differ from the previous patches only in the addition of this security hotfix:
2.32: 2.32-eos - SUPERSEDED*
2.35: 2.35.9 - SUPERSEDED*
2.36: 2.36.5 - SUPERSEDED*
2.37: 2.37.1 - https://releases.dhis2.org/2.37/dhis2-stable-2.37.1.war + docker
This is a nominal patch release with the security hotfix included:
2.34: 2.34.8 - SUPERSEDED*
*PLEASE REFER TO THIS NEW POST FOR THE LATEST PATCHES: Latest Patches for Log4j vulnerability - SUPERSEDE PREVIOUS PATCHES
- If you are using dhis2-tools-ng this is OS dependent, for example in Ubuntu the default file can be found on /etc/default/tomcat9
- If you have followed the System Administration Guide when installing DHIS2 you should modify the tomcat-dhis/bin/setenv.sh file.
Update! The most recent updates (CVE-2021-45046) online have indicated ongoing concerns beyond the upstream Log4j fix announced previously, but based on the information that we have, DHIS2 should not be affected by these concerns. Read more here