Notice: Serious Exploit Affecting Java-based applications

As a notice to all, we have been made aware of a serious exploit affecting Java-based applications using something called “log4j”.

This article explains this issue in more detail: Log4j flaw: Attackers are making thousands of attempts to exploit this severe vulnerability | ZDNet

Nothing within the OpenHIE infrastructure (wiki, discourse, etc.) has been affected by this issue but we are sharing to help spread the word to our community.

Community members should check any software that they have posted in the OHIE GitHub.

cc: @carl @daniel.futerman @rstanley @cleitner1 @ryan

1 Like

Thank you for raising this issue @kaalcumm, it is important that any Java applications are hardened against this vulnerability. It is often trivial for attackers to exploit, and because the vulnerability has been made public there are many potential attackers scanning the public internet for vulnerable services.

DHIS2 is a Java application which is affected by this vulnerability. We shared a mitigation with our community on Friday, within 24 hours of the original log4j announcement, and shortly released new patches for all affected versions of DHIS2.

The JAVA_OPTS mitigation should also be applicable to other Java services, even if they have not yet patched the vulnerability themselves. However, this mitigation is not sufficient if that service uses a non-standard log4j configuration involving user-controlled input in the Thread Context Map (see this second log4j vulnerability announced today).

Anyone interested can visit this DHIS2 community of practice post to learn more about our response, stay updated as we monitor developments, and ensure your DHIS2 implementations are secure. Please also don’t hesitate to reach out to me if I or our team can help other Java component developers respond to this issue.

1 Like
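An added check, written for this thread and not code from either post or from DHIS2: it inspects a log4j-core jar's version and whether JndiLookup.class is still inside it, then reports whether the JAVA_OPTS stopgap (the real `-Dlog4j2.formatMsgNoLookups=true` property, which log4j honours only from 2.10 onward) applies, or whether the jar is a 2.15.0 build that remains exposed through the Thread Context Map issue the reply mentions. The in-jar paths are those of the published log4j-core artifact; the version thresholds are taken from Apache's public advisories; the sample jar is constructed in memory.

```python
import io
import re
import zipfile

# Real layout of the published log4j-core artifact
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pre-release suffixes such as '-beta9' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))


def assess_log4j_jar(jar):
    """Return (version, jndi_present, verdict) for a log4j-core jar (path or file-like).
    Thresholds: message lookups removed in 2.16.0; 2.15.0 still exposed via the
    Thread Context Map; formatMsgNoLookups only honoured from 2.10."""
    with zipfile.ZipFile(jar) as z:
        names = set(z.namelist())
        version = None
        if POM_PROPS in names:
            for line in z.read(POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    jndi_present = JNDI_LOOKUP in names
    if version is None:
        return version, jndi_present, "unknown: no pom.properties, inspect manually"
    v = parse_version(version)
    if v >= (2, 16, 0):
        return version, jndi_present, "fixed: message lookups removed"
    if not jndi_present:
        return version, jndi_present, "mitigated: JndiLookup.class removed, still upgrade"
    if v >= (2, 15, 0):
        return version, jndi_present, "partially fixed: Thread Context Map issue remains, upgrade"
    if v >= (2, 10, 0):
        return version, jndi_present, "vulnerable: -Dlog4j2.formatMsgNoLookups=true works as stopgap, upgrade"
    return version, jndi_present, "vulnerable: property not honoured before 2.10, remove JndiLookup.class and upgrade"


def build_sample_jar(version, include_jndi=True):
    """Constructed fixture: an in-memory jar holding only the two entries the check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        if include_jndi:
            z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes, not a real class
    buf.seek(0)
    return buf
```

Point `assess_log4j_jar` at every log4j-core jar found under a deployment (including jars nested inside WAR files, which need to be extracted first) and treat anything other than "fixed" as work to do.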