None of the 2.33 patches have this vulnerability, as far as we are aware, as they all use an older version of Log4j (which doesn’t contain the exploit). It is fine to add the JVM parameter as a precaution, of course.
We will continue to communicate security issues, in a responsible manner, as we are aware of them. Please feel free to subscribe to the dhis2-security tag on the CoP (see New 'dhis2-security' tag for all important security alerts!) if you wish to receive notifications for related posts.
Thank you so much for your quick response. I would highly appreciate it if you could suggest whether this additional attack vector can cause any risk for v2.33.5 and if it is recommended to upgrade to a newer version (which one?) of DHIS2 where this issue has been addressed.
It looks as if the currently available mitigation is not sufficient. Please double check if the currently available mitigations for DHIS2 also match the requirements of CVE-2021-45046.
We don’t believe the additional attack vector affects any of the DHIS2 instances, as the way it works is not applicable to our codebase. We are considering pushing upgrades to close that vulnerability and remove any doubt, but we still don’t believe 2.33 to be affected.