Publication Date: 2021-12-18
Last Update: 2022-02-07
Current Version: V2.0
CVSS v3.1 Base Score: 10.0
Summary
Siemens Healthineers is aware of the zero-day remote code execution (RCE) vulnerability in the Apache Java library Log4j, identified as CVE-2021-44228. Our cybersecurity experts continue to analyze and address potential impact to our products. We are providing this advisory to customers to alert them to product versions that have been determined to be affected by this Apache vulnerability. Note that this advisory, including the affected products and versions, may be updated based on further analysis.
When appropriate, Siemens Healthineers provides specific countermeasures for products where updates are not yet available. The details of such countermeasures, along with a detailed analysis of the vulnerability for each product, will be made available, as necessary, through the Siemens Healthineers teamplay Fleet customer online portal.
Our cybersecurity experts have evaluated and have not identified any products or services other than those described in this advisory that are affected by this vulnerability. This includes Point of Care Diagnostics and Ultrasound products.
Note: other vulnerabilities in the Log4j component have also been evaluated and can be interrogated through the Siemens Healthineers teamplay Fleet customer online portal.
AFFECTED PRODUCTS AND SERVICES WHICH ARE NOT VULNERABLE OR ARE ALREADY FIXED
These products and services include a vulnerable version of Log4j but either:
1) Don’t use Log4j in a way that exposes the vulnerability, or
2) Have already been fixed, e.g., patched.
Products in this list will typically receive an updated version of Log4j as part of an upcoming routine update.
AFFECTED PRODUCTS AND SOLUTION
These products and services include a vulnerable version of Log4j. When patching information is provided with a version, this information is the expected version when a patch is available, unless indicated as released. Note that this information could change due to additional testing requirements or other considerations. All products are tested to ensure safe operation is not impacted by the change.
In addition, workarounds and mitigations are identified that may be performed by customers before patches are applied.
Log4J vulnerabilities update and the impact on Varian Products and Services.
A Varian security advisory has been issued, see here.
WORKAROUNDS AND MITIGATIONS
In some cases, Siemens Healthineers identifies specific workarounds and mitigations for affected products. Customers can access this information through the Siemens Healthineers teamplay Fleet customer online portal. Instructions are reproduced here to maximize access by customers.
1) ATELLICA DATA MANAGER
The Log4shell vulnerability may affect some customer configurations of Atellica Data Manager 1.1.1, 1.2.1 and 1.3.1.
The vulnerability is applicable to systems that communicate using Java connectivity drivers.
Our analysis has identified a low level of exploitation potential and cybersecurity risk due to the product design.
Connectivity drivers are restricted by default to communicating with authorized IP addresses only. Note: in Atellica Data Manager, it is the customer's responsibility to secure the firewall. Refer to the relevant Atellica Data Manager Security White Paper.
The Log4shell vulnerability is considered controlled.
Atellica Data Manager has multiple security controls which make the possibility of a successful attack remote.
To check if your Atellica Data Manager system is affected, navigate to Start > System Management > Services > Services and check for the presence of services of type “Java communication engine”. This requires System Manager privilege.
Although our analysis has identified this as a low cybersecurity risk to Atellica Data Manager, Siemens will provide a mitigation in a future version.
If you have determined that your Atellica Data Manager has a “Java communication engine” service, and you require an immediate mitigation, then please contact your Siemens Customer Care Center or your local Siemens technical support representative.
2) ATELLICA SOLUTION
A new zero-day remote code execution vulnerability has been found in the Log4j Java library, known as Log4shell (CVE-2021-44228). The Atellica® Solution is impacted by the Log4shell vulnerability. We have identified that the online help component, the “Knowledge Gateway” (KGW) software component, is vulnerable to this exploit. Through the analysis by our experts, we have identified a low level of exploitation potential and cybersecurity risk due to the product design. The vulnerability is considered controlled. The product has multiple security controls in place which make the possibility of a successful attack using the Log4shell vulnerabilities remote. KGW is used only for providing user help and does not have connectivity with any other software components. A specific mitigation for this vulnerability is not required at this time. A future update to the software will mitigate this vulnerability.
3) CENTRALINK
The Log4shell vulnerability may affect some customer configurations of CentraLink v16.0.2/16.0.3.
The vulnerability is applicable to systems that communicate using Java connectivity drivers.
Our analysis has identified a low level of exploitation potential and cybersecurity risk due to the product design.
Connectivity drivers are restricted by default to communicating with authorized IP addresses only.
The Log4shell vulnerability is considered controlled.
CentraLink has multiple security controls which make the possibility of a successful attack remote.
To check if your CentraLink system is affected, navigate to Start > System Management > Services > Services and check for the presence of services of type “Java communication engine”. This requires System Manager privilege.
If you have determined that your CentraLink has a “Java communication engine” service, and you require a mitigation, then please contact your Siemens Customer Care Center or your local Siemens technical support representative.
4) DICOM Proxy
Note: the information about the mitigation of CVE-2021-44228 may change. The DicomProxy version VB10A is vulnerable to the Log4j vulnerability CVE-2021-44228. This VB10A version uses a Log4j version < 2.16, for which we recommend the following mitigation:
Linux:
1. Logon to the shell of the DicomProxy (Linux Server)
2. Find the needed program by executing the following command JARTOOL=$(sudo find / -name "jar" -executable | head -n 1)
3. Find the affected Jar files by executing the following command sudo find / -name "log4j-core-2.*.jar"
4. For all files found by the command in step 3 do the following procedure (Exclusions: the /tmp folder and Log4j versions 2.16 or above)
Please repeat the following steps for all found files, one by one
JAR=[Filename of one found jar file in step 3]
rm -rf /tmp/jar
mkdir /tmp/jar
cd /tmp/jar
$JARTOOL xf "$JAR"
If the file org/apache/logging/log4j/core/lookup/JndiLookup.class is not found in the subdirectory, this jar is already patched and no further steps are needed.
rm org/apache/logging/log4j/core/lookup/JndiLookup.class
$JARTOOL cfm /tmp/log4j.jar META-INF/MANIFEST.MF *
sudo chown --reference="$JAR" /tmp/log4j.jar
sudo chmod --reference="$JAR" /tmp/log4j.jar
sudo mv /tmp/log4j.jar "$JAR"
5. As soon as possible reboot the computer for the changes to take effect
sudo reboot
Windows:
1. Open the command line with the shortcut "Windows + R", type "cmd" and press Enter
2. Find 7zip with 7z.exe
where /r C:\ 7z.exe
3. Find affected log4j in the DicomProxy RootPath e.g. C:\Siemens\DicomProxy
where /r [DicomProxyRootPath] "log4j-core-2.*.jar"
4. For all files found by the command in step 3 do the following commands (Exclusions: Log4j versions 2.16 or above)
Please repeat the following steps for all found files, one by one
"[Location of 7zip]7z.exe" d [Filename of one found jar file in step 3] org/apache/logging/log4j/core/lookup/JndiLookup.class
If you get an error in step 4, try to identify and stop the application using the jar, then repeat step 4.
5. As soon as possible reboot the computer for the changes to take effect
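As an added example (not part of this advisory and not a Siemens script), the Linux and Windows DICOM Proxy steps above re-implemented in Python, so the check runs without a JDK or 7-Zip: it leaves Log4j 2.16 and later and the /tmp folder alone, treats a jar that no longer contains JndiLookup.class as already patched, and rewrites the remaining jars with permissions and ownership preserved. The sample jars are constructed stand-ins with dummy class bytes, not real Log4j builds, and, like the advisory's steps, only jars on the file system are handled, not jars nested inside another jar.

```python
import os, re, shutil, tempfile, zipfile
from pathlib import Path

# Entry the advisory deletes from every affected jar; releases 2.16 and later are excluded.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"^log4j-core-2\.(\d+)(?:\.\d+)*\.jar$")  # group 1 = 2.x minor number

def has_jndi_lookup(jar):
    with zipfile.ZipFile(jar) as zf:
        return JNDI_CLASS in zf.namelist()

def strip_jndi_lookup(jar):
    """Rewrite the jar without JndiLookup.class, keeping mode and owner (chmod/chown --reference)."""
    tmp = jar.with_name(jar.name + ".tmp")
    with zipfile.ZipFile(jar) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    st = jar.stat()
    shutil.copystat(jar, tmp)
    os.chown(tmp, st.st_uid, st.st_gid)  # POSIX only; matters when the script runs via sudo
    tmp.replace(jar)  # atomic swap, the advisory's final mv

def mitigate_tree(root, exclude_dirs=("/tmp",)):
    """Walk root; act on each log4j-core jar and return {path: excluded|already-patched|patched}."""
    report = {}
    for jar in sorted(root.rglob("log4j-core-2.*.jar")):
        m = JAR_RE.match(jar.name)
        # Unparseable name, 2.16+ or an excluded folder: leave the file alone for manual review.
        if not m or int(m.group(1)) >= 16 or any(str(jar).startswith(d) for d in exclude_dirs):
            report[str(jar)] = "excluded"
        elif not has_jndi_lookup(jar):
            report[str(jar)] = "already-patched"
        else:
            strip_jndi_lookup(jar)
            report[str(jar)] = "patched"
    return report

def demo():
    """Constructed sample jars (dummy class bytes, not real Log4j) run through the mitigation."""
    work = Path(tempfile.mkdtemp(prefix="log4j-demo-"))
    for version, with_jndi in (("2.13.3", True), ("2.14.1", False), ("2.16.0", True)):
        with zipfile.ZipFile(work / f"log4j-core-{version}.jar", "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
            if with_jndi:  # 2.14.1 stands for a jar whose JndiLookup.class was already removed
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    report = {Path(p).name: v for p, v in mitigate_tree(work, exclude_dirs=()).items()}
    report["jndi-left-in-2.13.3"] = has_jndi_lookup(work / "log4j-core-2.13.3.jar")
    return report
```

On a real host run mitigate_tree(Path("/")) as root after stopping the application, then reboot as the advisory requires; demo() only exercises the scratch directory it creates.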
5) SOMATOM / MAGNETOM
The vulnerability is present on the device.
Log4j is used to give a second workplace access to the online help system of the scanner.
Network traffic from the product should not be routed to the internet.
As an immediate measure, prevent inbound network traffic on port 8090 for standalone systems, or set up IP whitelisting for "need to access" systems, e.g., a second workplace, to network port 8090 in case a second console is connected. Preventing access to port 8090 for scanner systems with a second console makes the online help on that workplace unavailable.
6) Symbia and Biograph
The vulnerability is present on the device; however, there is a firewall that is preventing javaw.exe from accessing the network. Therefore, the device is not exploitable over a network and exposure is limited locally to the device.
Siemens recommends the following:
1. Ensure that the device is installed in a secure location
2. Ensure that only those persons who require access to the device are granted access.
Siemens will provide a fix for this in a future security update.
7) syngo Carbon Space
The vulnerable service: Knowledge Gateway (running on port 8090). This service is used to provide online help for the syngo Carbon Space users. The syngo Carbon Space VA10A and VA20A use Knowledge Gateway, which deploys the Log4j version 2.13.3, for which we recommend the following mitigation:
1. Click on “syngo Carbon Space - Stop Server” present on the desktop to stop the server
2. Copy following Jar files to a temporary folder on a Windows PC having 7-Zip installed, e.g. “C:\temp\JarFiles”
a. %KGW_APPLICATION%\bin\kgw-application.jar
b. %KGW_APPLICATION%\bin\kgw-admin-application.jar
3. Open 7 zip manager with administrator privileges
4. Go to the folder “C:\temp\JarFiles\kgw-application.jar\org\apache\logging\log4j\core\lookup\” and delete file “JndiLookup.class”
5. Go to the folder “C:\temp\JarFiles\kgw-admin-application.jar\org\apache\logging\log4j\core\lookup\” and delete file “JndiLookup.class”
6. Close the 7z manager and confirm archive update if prompted.
7. Copy the modified JAR files back to original locations on the syngo Carbon Space server
8. Click on “syngo Carbon Space - Start Server” on the desktop to start the server.
Additionally:
- in case of the VMware usage, please refer to the advisory: https://www.vmware.com/security/advisories/VMSA-2021-0028.html
8) syngo Plaza and syngo.via
The syngo.via and syngo Plaza are vulnerable to the Log4j vulnerability CVE-2021-44228.
The vulnerable process: Knowledge Gateway (process name javaw.exe and listening on port 8090). The service is used to provide online help for the syngo.via users.
This syngo.via version uses Knowledge Gateway which deploys the Log4j version 2.x for which we recommend the following mitigation (available as automated script for syngo.via, please see the instructions below):
1. Click on “syngo.via - Stop Server” present on the APS desktop to stop the server
2. Copy following Jar files to a temporary folder on a Windows PC having 7-Zip installed, e.g. “C:\temp\JarFiles”
a. %KGW_APPLICATION%\bin\kgw-application.jar
b. %KGW_APPLICATION%\bin\kgw-admin-application.jar
c. %KGW_APPLICATION%\work\webapp\webapp\WEB-INF\lib\log4j-core-2.x.2.jar
3. Open 7 zip manager with administrator privileges
4. Go to the folder “C:\temp\JarFiles\kgw-application.jar\org\apache\logging\log4j\core\lookup\” and delete file “JndiLookup.class”
5. Go to the folder “C:\temp\JarFiles\kgw-admin-application.jar\org\apache\logging\log4j\core\lookup\” and delete file “JndiLookup.class”
6. Go to the folder “C:\temp\JarFiles\kgw-application.jar\webapp\WEB-INF\lib\log4j-core-2.x.2.jar”
7. Then double click on “log4j-core-2.x.2.jar”
8. Navigate to “\org\apache\logging\log4j\core\lookup\” then delete file “JndiLookup.class”
9. Go to the folder “C:\temp\JarFiles\log4j-core-2.x.2.jar\org\apache\logging\log4j\core\lookup\” and delete file “JndiLookup.class”
10. Close the 7z manager and confirm archive update if prompted.
11. Copy the modified JAR files back to original locations on the syngo.via server
12. Open command prompt as administrator and run command “%KGW_APPLICATION%\stop.cmd”
13. Click on “syngo.via - Start Server” on the desktop to start the server.
For syngo.via the steps are automated with the following script. To apply the mitigation using the script:
1. Download the Log4j-fix.zip (SHA512 checksum: abecf8c2345b08a47911f949279ba7d8a56b4495b98d3a1ef0fa202aa64f16d09f6049e8275436515b8f4c37ae3bda083aa7273464f3cd6360b71046cd4fdc9d)
2. Unzip Log4j-fix.zip to get the Log4j.bat and copy it to the syngo.via server
3. Run CMD.exe as administrator and start the Log4j.bat
In case of errors, please contact your Customer Service.
Additionally:
- in case of the VMware usage, please refer to the advisory: https://www.vmware.com/security/advisories/VMSA-2021-0028.html
GENERAL SECURITY RECOMMENDATIONS
In addition, Siemens Healthineers generally recommends the following:
Ensure you have appropriate backups and system restoration procedures.
Securely delete any backup files that are no longer needed.
For specific patch and remediation guidance information contact your local Siemens Healthineers Customer Service Engineer, portal or our Regional Support Center. To find your local contact, please refer to https://www.siemens-healthineers.com/how-can-we-help-you
PRODUCT DESCRIPTION
Additional product information is available through the Siemens Healthineers teamplay Fleet customer online portal.
ADDITIONAL INFORMATION
For further inquiries on security vulnerabilities in Siemens Healthineers products and solutions, please contact Siemens Healthineers using the following link: https://www.siemens-healthineers.com/cybersecurity
HISTORY DATA
V1.0 (2021-12-18): Publication Date
V1.1 (2021-12-22): Not vulnerable list added. Update Remediations
V1.2 (2021-12-23): Corrections to product lists
V1.3 (2022-01-12):
· Added clarification to help the interpretation of the two lists of products (above each list)
· New SUMMARY paragraph indicating that products not listed are evaluated as not affected
· New SUMMARY paragraph referencing other Log4j vulnerabilities
· Moved PET products from NOT VULNERABLE to POTENTIALLY AFFECTED
· Listed Advia Centaur and VERSANT kPCR products as still under investigation
· All supported versions of CENTRALINK are now listed as POTENTIALLY AFFECTED
· Removed ARTIS icono / pheno VE10 (not affected)
· Removed Artis one VA11 (in development, not released yet)
· Removed SENSIS TS all versions except VD12A (not affected)
· Removed SENSIS VM Server all versions except VD12A (not affected)
V1.4 (2022-01-18):
· Removed last remaining products that were still under investigation
· Removed Centralink from NOT VULNERABLE
· Removed these products since they were not affected: Desktop Connector, MagicLinkA, Resolution MD, syngo Dynamics, Syngo Imaging, syngo Multimodality Workplace, syngo Share VA30A, syngo.via View&GO, syngo Virtual Cockpit, syngo Workflow SLR, Cios Alpha (VA20) S1, Cios Connect/Fusion (VA20) S1, Cios Select (VA10) S3P, Cios Fit (VA10 / VA11 / VA12)
· Removed unneeded WORKAROUND notes about HPE hardware
· Moved Biograph products from NOT VULNERABLE to POTENTIALLY AFFECTED
V2.0 (2022-02-07):
· Removed Atellica Hema Track from NOT VULNERABLE
· Removed references to “Preliminary” advisory
· Changed POTENTIALLY AFFECTED to AFFECTED
· Added patch/update information to AFFECTED list
· Clarified Mitigation references
TERMS OF USE
Siemens Healthineers’ Security Advisories are subject to the terms and conditions contained in Siemens Healthineers’ underlying license terms or other applicable agreements previously agreed to with Siemens Healthineers (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Healthineers Security Advisory, the Terms of Use of the Siemens Healthineers Global Website (https://www.siemens-healthineers.com/terms-of-use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.