[SECURITY] Zero-day Spring (Java library) vulnerability

Maintainers of any Java applications which utilize the common Spring framework should carefully monitor the critical zero-day vulnerability in that framework dubbed Spring4Shell, which has been publicly discussed by security researchers in recent days. This vulnerability could allow an attacker to perform Remote Code Execution on a server running the vulnerable application, which is one of the most critical types of security issues. There has been no official response or fix from the Spring team, though one will certainly be published soon.

At DHIS2 our security team is monitoring this issue and working to understand whether and to what extent DHIS2 servers might be vulnerable. @bobj has posted a set of recommendations for implementation system administrators which can help to limit the potential scope of such vulnerabilities for any vulnerable implementation, not just those running DHIS2.

I don’t know for certain if any other OpenHIE components are vulnerable but many including OpenMRS, OpenSRP, and others appear to have some components which utilize the Spring framework and so might be affected.

cc @jennifer.e.shivers @jthompson @kaalcumm @gracepotma

Spring has officially acknowledged the vulnerability and released a patch: Spring Framework RCE, Early Announcement

Thanks for sharing this @austin!

I’m copying some key community members for notification: @arch_review_board @subcommunity_leads @smgani