Urgent Log4j server security vulnerability - REQUIRES IMMEDIATE ATTENTION!

Hi @Hannan ,

Indeed, we don’t believe 2.33 is vulnerable to this exploit. There is no need to set the JAVA_OPTS variable, as long as you stay on that version or one of the patches that we plan to release soon.

Thanks, Phil,

We are scheduled to upgrade the instance to version 36.x if there are no conversion issues. So, I will use this Java environment variable.

We are using OpenJDK version 9 and might try with OpenJDK 11 during this upgrade.

Regards

Hannan

1 Like

Please also be aware that DHIS 2.33 is not supported anymore from our side, and any other security updates won’t be applied to that version.

In regard to this issue, I would suggest just setting the env variable anyways, in no way can it hurt.

Regards,
Morten

3 Likes

Is the vulnerability exploitable without authentication on DHIS2?

1 Like

Hi @SferaDev ,

Yes. Unfortunately it is.

1 Like

Hi Gassim

It sounds like you are running on a windoze 10 workstation, i.e. not exposing a service on the global internet. In which case you wouldn’t need to be concerned.

If you are exposing this dockerised tomcat to the internet then yes, you would need to run your docker with revised tomcat JAVA_OPTS until a new patched image is released.

Regards
Bob

1 Like

Dear all,

Please note: I am adding the links for the patch releases (fixing this vulnerability) to the initial post at the top of the page, as they become available.

5 Likes

Wonderful, thanks to the whole team

2 Likes

Good day @phil

Thanks for sharing this important info.

However, please note we are still using 2.29. So, should we update the "setenv" too?

Warm regards,

MSP

Hi @MSP ,

2.29 is not affected by the vulnerability so there is no need for the mitigation.

Of course, for various reasons, including the ability to patch other security issues, it is advisable to have an upgrade plan in place to move to a maintained version (and latest patch).

You could also apply the mitigation as a precaution against the possibility that someone upgrades in the future to a vulnerable patch (for example 2.36.4, instead of 2.36.5).

Kind regards,
Phil

1 Like

Thank you @phil for your quick response.

We do have the upgrade plan but could not execute it on time. Hopefully, we will upgrade in Jan 2022.

Thank you and have a good day ahead!

Warm regards,

MSP

Yes, thanks! :pray:

1 Like

We are using 2.33.5 in all of our MSF OCB projects (total 57 instances). We have adapted the JVM parameters as suggested. Please share if there are any additional issues / vulnerabilities with v2.33.5

We do not have any plan to upgrade to newer version soon but will do if necessary. Please suggest.

Many thanks in advance.

Regards,
Mohammad
Médecins Sans Frontières

2 Likes

Hi @Mohammad_Ullah ,

None of the 2.33 patches have this vulnerability, as far as we are aware, as they all use an older version of Log4j (which doesn’t contain the exploit). It is fine to add the JVM parameter as a precaution, of course.

We will continue to communicate security issues, in a responsible manner, as we are aware of them. Please feel free to subscribe to the dhis2-security tag on the CoP (see New 'dhis2-security' tag for all important security alerts!) if you wish to receive notifications for related posts.

Kind regards,
Phil

3 Likes
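Added example, not part of the thread and not DHIS2's own tooling: one way to check which Log4j jars a deployed WAR bundles, which is the fact the reply above relies on. The sample jar names, the function names and the triage labels are constructed for illustration; pre-release versions and the patched backport releases on older Log4j 2 lines are not distinguished and fall under "review".

```python
import io
import re
import zipfile

# Matches log4j-core-<x.y[.z]>.jar (Log4j 2) and log4j-<x.y[.z]>.jar (Log4j 1).
# log4j-api and the log4j-1.2-api bridge are deliberately not matched.
JAR_RE = re.compile(r"(?:^|/)(log4j-core|log4j)-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")

def classify(artifact, version):
    """Map a bundled Log4j artifact and version tuple to a triage label."""
    if artifact == "log4j" and version[0] == 1:
        return "log4j 1.x: older line, no message lookups"
    if version < (2, 15, 0):
        # Conservative: patched backports on older lines also land here.
        return "log4j2 < 2.15.0: review, apply mitigation or upgrade"
    if version == (2, 15, 0):
        return "log4j2 2.15.0: review against CVE-2021-45046"
    return "log4j2 >= 2.16.0: newer than the versions discussed here"

def inventory(war):
    """Return [(entry_name, label)] for every Log4j jar inside a WAR."""
    found = []
    with zipfile.ZipFile(war) as zf:
        for name in sorted(zf.namelist()):
            m = JAR_RE.search(name)
            if m:
                ver = (int(m.group(2)), int(m.group(3)), int(m.group(4) or 0))
                found.append((name, classify(m.group(1), ver)))
    return found

def build_sample_war(jar_names):
    """Constructed sample: an in-memory WAR holding empty jar entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for jar in jar_names:
            zf.writestr("WEB-INF/lib/" + jar, b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Constructed jar list, not taken from any real DHIS2 release.
    sample = build_sample_war(["log4j-1.2.17.jar", "log4j-core-2.14.1.jar",
                               "log4j-core-2.15.0.jar", "commons-io-2.8.0.jar"])
    for entry, label in inventory(sample):
        print(entry, "->", label)
```

`inventory()` also accepts a filesystem path to a WAR, since `zipfile.ZipFile` takes either a path or a file-like object.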

Please note this update from our Security team, added to the original post:

4 Likes

Please note this update from our Security team regarding an additional vulnerability present in log4j version 2.15.0, added to the original post:

3 Likes

Hi @phil

Thank you so much for your quick response. I would highly appreciate it if you can suggest if this additional attack vector can cause any risk for v2.33.5 and if it is recommended to upgrade to a newer version (which one?) of DHIS2 where this issue has been addressed.

Many thanks again.

Hi, this just came in: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

It looks as if the currently available mitigation is not sufficient. Please double check if the currently available mitigations for DHIS2 also match the requirements of CVE-2021-45046

Best,
Frank

1 Like

@fhauptmann thank you for bringing this up - we addressed this in the update yesterday evening, and more details are available in this post dedicated to CVE-2021-45046

Hi @Mohammad_Ullah ,

We don’t believe the additional attack vector affects any of the DHIS2 instances, as the way it works is not applicable to our codebase. We are considering pushing upgrades to close that vulnerability and remove any doubt, but we still don’t believe 2.33 to be affected.

Kind regards,
Phil

2 Likes