Apache Log4j Notices

Abbott

Abbott is aware of the recently discovered remote code execution vulnerability impacting Apache Log4j, a logging tool commonly used in Java-based software applications.

Our cybersecurity team is actively evaluating our products, systems and applications to determine if there is any potential impact from this vulnerability and taking steps to mitigate any possible exposure.

Based on our analysis to date, none of our products are currently vulnerable. However, we will continue to analyze and monitor all available information and provide updates to our customers if needed.

Accuray

As part of our product security program, Accuray Incorporated has assessed Accuray products for potential risk against the security advisory for the following CVE-2021-44228 “Log4J Vulnerability”. For a detailed description of this vulnerability, please review the information provided by NVD.

Site Link

For any questions, please contact your Accuray Service representative.

 

B. Braun

B. Braun’s first analysis determined that NONE of our software products are affected.

Baxter

Please note that the Apache Log4j vulnerability is not a Baxter-specific vulnerability. As part of the company’s product security policy and protocols, Baxter’s team is evaluating Baxter’s Java based products and solutions for potential impacts from this reported vulnerability and evaluating further possible actions as needed. Baxter will continue to monitor all available information and we will provide an update to this bulletin if necessary.

BD

BD is aware of an additional CVE-2021-45046 which was added to the Apache Log4j vulnerability. This bulletin is inclusive of both CVEs.

BD has assessed the software-enabled products and hosted offerings found at the URL listed and determined they are not impacted by this vulnerability. However, BD products may contain or be used in association with third-party components, and we are still assessing those components across all versions of BD software-enabled products. As needed, BD will publish third-party bulletins and link to them from this page.

 

Beckman Coulter

Beckman Coulter is currently evaluating the security risk of our product portfolio that may potentially be affected by this vulnerability.

 

bioMérieux

bioMérieux is aware of and currently monitoring vulnerabilities in Apache Log4j. These vulnerabilities potentially allow for unauthenticated remote code execution. Log4j is an open source Java logging library developed by the Apache Foundation widely used in many applications and is present, as a dependency, in many services. bioMérieux is currently investigating to determine whether any products, including in its BioFire franchise, are affected and will regularly update this advisory as more information becomes available.

Boston Scientific

We have confirmed the following products do not use Apache Log4j and are not affected by the CVE-2021-44228 Log4j vulnerability:
• LABSYSTEM™ Pro EP Recording System
• RHYTHMIA HDx™ Mapping System
• SMARTFREEZE™ Cryoablation system

Site Link

Boston Scientific has reviewed the CVE-2021-44228 for the LATITUDE™ product group. See link for LATITUDE™ for the outcome of that investigation:

for LATITUDE™: Latitude Link

Canon

The following Canon Medical Systems Corporation products are not using Apache Log4j.

• CT Medical Imaging Products
• MR Medical Imaging Products
• UL Medical Imaging Products
• XR Medical Imaging Products
• NM Medical Imaging Products

Canon Medical Products under investigation:

• Vitrea Advanced 7.x
• Infinix-i (Angio Workstation)
• Alphenix (Angio Workstation)

Canon Medical Systems Corporation is currently investigating whether there is any impact. If any impact is found, customers will be informed immediately.

Carestream

No Carestream products are impacted by this vulnerability.

Cepheid

Cepheid’s research and development teams are aware of this identified vulnerability and are assessing the impact to affected products. Cepheid has confirmed that C360 is not impacted. GeneXpert products are currently being assessed for impact. Cepheid has not received any reports of this vulnerability affecting the clinical use of our products and is closely monitoring for any further developments.

Cydar Medical

As part of our ongoing security measures, Cydar immediately investigated the vulnerability and initiated a response. We quickly established that the core Cydar EV system was not affected. On a wider review, we identified a small number of internal non-production systems using third party software that are affected. These systems are not publicly accessible, and so not at high risk of exploitation. We have applied the recommended mitigations and restricted the outgoing traffic from the hosts in question as an additional precaution.

This vulnerability is both serious and widespread, and the effects are likely to be felt globally for a long time to come. We are confident that we have addressed any potential issue with respect to our systems, but we will of course continue to monitor developments and take any further action necessary.

 

Edwards LifeSciences

At this time, Edwards’ devices on market are not impacted by the Log4j vulnerability. Edwards will continue to monitor the situation and provide customers with updates, as appropriate.

Elekta

“Elekta has published security advisories on the response to CVE-2021-44228 Log4j vulnerability. Advisories are posted on the Elekta Care Community portal under Technical Documentation/Security Advisory.”

Fisher & Paykel Healthcare

Fisher & Paykel Healthcare is aware of the Log4j (Log4Shell) vulnerability (CVE-2021-44228). We can confirm that none of our devices use Log4j, meaning they are unaffected. Our team continues to monitor this situation.

GE Healthcare

At this time, GE Healthcare is actively assessing products based on the available information to determine any possible impact. We will notify customers through our Product Security Portal https://securityupdate.gehealthcare.com/

Hologic

Impacted Products and recommendation:

Advanced Workflow Manager (AWM)

While the Hologic software itself does not utilize Java/Log4J, the installed APC PowerChute UPS with Business Edition v9.5 software installed may. APC is still assessing its PowerChute software to determine if it is vulnerable.
Out of an abundance of caution, Hologic recommends uninstalling the APC PowerChute software until APC provides further guidance, which Hologic is monitoring at https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp

Unifi Workspace

While the Hologic software itself does not utilize Java/Log4J, the optionally installed APC PowerChute UPS with Business Edition v9.5 software installed may. APC is still assessing its PowerChute software to determine if it is vulnerable.
Out of an abundance of caution, Hologic recommends uninstalling the APC PowerChute software until APC provides further guidance, which Hologic is monitoring at https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp

Faxitron CT Specimen Radiography System

While the Hologic software itself does not utilize Java/Log4J, there is a utility program installed that may utilize Java and Log4J. This utility program does not run on startup and is not required for system operation. Please contact Hologic Service for assistance in removing this program.

Products with no detected impact:

• Dimensions / 3Dimensions Mammography System
• Affirm Prone Biopsy System
• Brevera Breast Biopsy System
• Trident HD Specimen Radiography System
• SecurView DX Workstation
• Cenova Image Analytics Server
• SecurXChange Router
• Rosetta DC Tomosynthesis Data Converter
• Faxitron Specimen Radiography Systems
• Horizon DXA Bone Densitometer
• Discovery Bone Densitometer
• Fluoroscan Insight Mini C-Arm
• SuperSonic Imagine Ultrasound Products (Aixplorer & Aixplorer Mach)
• Windows Selenia Mammography System

Leica Biosystems

Leica Biosystems is evaluating our products to determine whether they are impacted by this vulnerability. See product security link for updates.

Medtronic

To date, Medtronic has not seen any exploit of this vulnerability in our corporate IT infrastructure or in any of our products. We are continuing to work with partners and suppliers to mitigate any risks, which will take time.
We will follow our established coordinated disclosure processes if we discover Log4j vulnerabilities that change the risk profile of our products or any substantial risk to customers through these vulnerabilities in our IT infrastructure.

Philips

As part of the company’s product security policy and protocols, Philips teams are evaluating Philips’s products and solutions utilizing Apache’s Log4j utility for potential impacts from this reported vulnerability and validating actions.

See product security link for updates.

Radiometer

Radiometer Medical has evaluated whether these vulnerabilities have an impact on our products:

• ABL80
• ABL800
• ABL9
• ABL90
• AQT90
• TCM4
• TCM5
• AQURE*

It is our assessment that these vulnerabilities have no impact on all versions of the above devices. For this reason, we will not issue separate patches to the software used by Radiometer equipment.

ResMed

ResMed’s analysis continues for the ‘Log4Shell’ remote code execution vulnerability related to Apache Log4j disclosed on December 9th, 2021 (CVE-2021-44228). ResMed has confirmed that its core applications, myAir and AirView, have not been impacted, and currently we are not aware of any other products or services threatened by this vulnerability.

As part of our continued vigilance, we are monitoring our systems and our security teams are taking steps to mitigate any increased risk from this threat. There are no indicators of compromise currently detected on ResMed systems, and if this situation changes we will notify the affected party.

Siemens Healthineers

Siemens Healthineers is aware of the zero-day remote code execution (RCE) vulnerability in the Apache Java library Log4j, identified as CVE-2021-44228. While our cybersecurity experts continue to analyze and address potential impact to our products, we are providing this preliminary advisory to customers to alert them to product versions that may be affected by this Apache vulnerability. Note that this advisory, including the potentially affected products, may be updated based on further analysis.  

When appropriate, Siemens Healthineers provides specific countermeasures for products where updates are not yet available. The details of such countermeasures, along with a detailed analysis of the vulnerability for each product will be made available, as necessary, through the Siemens Healthineers teamplay Fleet customer online portal.

Steris

Our development teams are actively assessing our products and solutions for potential presence of this vulnerability and associated impact so that we can take the appropriate action. To date, STERIS has assessed the list of STERIS products. We have determined that these products do not contain the vulnerable component and are, therefore, not impacted by the critical vulnerability reported in CVE-2021-44228.

Additionally, as of the writing of this advisory, there are no known reported incidents involving STERIS products or solutions.

Thermo Fisher Scientific

Thermo Fisher is aware of the recently discovered remote code execution vulnerability impacting Log4j, a logging tool commonly used in Java-based software applications.

We are actively evaluating our products, systems and applications to determine if there is any potential impact from this vulnerability and taking steps to mitigate any possible exposure. We will continue to monitor all available information and we will provide an update to this bulletin if necessary.

Varian

Varian is aware of the vulnerabilities in the Apache Java library Log4j. While our cybersecurity experts continue to analyze and address potential impact to our products, we are providing this advisory to customers to alert them to products and services that may be affected. The vulnerability details are available at Mitre.org (CVE-2021-44228, CVE-2021-45046) and Apache.org (Apache Log4j 2).

When appropriate, Varian provides specific countermeasures for products where fixes are not yet available. The details of such countermeasures, along with a detailed analysis of the vulnerability for each product will be made available, as appropriate, through Knowledge Articles posted on the MyVarian customer portal.

Please note that this advisory, including the potentially affected products, may be updated based on further analysis.

Vyaire

Vyaire’s products do not make use of the Log4j library versions that are vulnerable to the Log4Shell vulnerability and are therefore not vulnerable to any exploits.
