Siemens Healthineers Security Advisory

Remote Code Execution Vulnerability in Apache Log4j

Publication Date: 2021-12-18

Last Update: 2022-02-07

Current Version: V2.0

CVSS v3.1 Base Score: 10.0

Siemens Healthineers is aware of the zero-day remote code execution (RCE) vulnerability in the Apache Java library Log4j, identified as CVE-2021-44228. Our cybersecurity experts continue to analyze and address the potential impact on our products. We are providing this advisory to alert customers to product versions that have been determined to be affected by this Apache vulnerability. Note that this advisory, including the affected products and versions, may be updated based on further analysis.

Where appropriate, Siemens Healthineers provides specific countermeasures for products for which updates are not yet available. The details of such countermeasures, along with a detailed analysis of the vulnerability for each product, are made available as necessary through the Siemens Healthineers teamplay Fleet customer online portal.

Our cybersecurity experts have evaluated our portfolio and have not identified any products or services affected by this vulnerability other than those described in this advisory. This includes Point of Care Diagnostics and Ultrasound products.

Note: other vulnerabilities in the Log4j component have also been evaluated; the results can be reviewed through the Siemens Healthineers teamplay Fleet customer online portal.

AFFECTED PRODUCTS AND SERVICES WHICH ARE NOT VULNERABLE OR ARE ALREADY FIXED

These products and services include a vulnerable version of Log4j but either:

1) Don’t use Log4j in a way that exposes the vulnerability, or

2) Have already been fixed, e.g., patched.

Products in this list will typically be moved to a fixed version of Log4j as part of an upcoming routine update.

Products / Services and Versions

AI-Rad Companion Engine VA3xx

APTIO BY SIEMENS V.3.0 / V.6.0 / V.8.0.1 / V.9.0 / V.9.1 / V.10 / V.11

ARTIS icono / pheno VE20 / VE21
Artis zee/Q/Q.zen VD12
Artis zeego VD12

ATELLICA CONNECTIVITY MANAGER

Befund24 Befund24/Scale VA10C

Cios Alpha (VA30 PSS) S1
Cios Alpha/Spin (VA30) S1
Cios Flow S1 VA30 PSS
Cios Select FD VA20 / VA21 S3P / (VA30) S3P
Cios Select I.I. VA21 S3P
Cios Spin (VA30 PSS) S1

Luminos Agile Max / dRF Max VF10 / VF11
LUMINOS Impulse / Lotus Max VF11 

MAGNETOM Lumina NUMARIS/X VA11B
MAGNETOM Sola NUMARIS/X VA11A / VA11B
MAGNETOM Terra NUMARIS/4 VE12U
MAGNETOM Vida NUMARIS/X VA11A / VA11B

Mammomat Fusion / Inspiration VB61
MAMMOMAT Revelation VC10 / VC20

Medicalis Consult Portal 2.1

Mobilett Elara Max / Mira Max VF10

Multitom Rax VF10 / VF11

Multix Fusion Max VF10
Multix Impact C VA10
Multix Impact VA10 / VA11 / VA20

SENSIS DMCC VD12A
SENSIS DMCM VD12A
SENSIS DS VD12A
SENSIS PPWS VD12A
SENSIS TS VD12A

Smart Remote Services (SRS)
The Smart Remote Services infrastructure of Siemens Healthineers, which is used for the provision of remote connectivity, is currently protected against the vulnerability CVE-2021-44228.

We advise customers not to disconnect Siemens Healthineers products, as this may prevent service teams from providing any required immediate support such as remote patching.

SOMATOM Confidence (all variants) VB10 / VB20
SOMATOM Definition AS (all Variants), Edge, Flash VB10 / VB20
SOMATOM Drive / Force VB10 / VB20
SOMATOM Emotion (All Variants) VC50
SOMATOM Scope (all variants) VC50

syngo LAB CONNECTIVITY MANAGER
syngo LAB DATA MANAGER

syngo X WP VD30

teamplay / Calcium40

Uroskop Omnia Max VF10 / VF11

Ysio Max VF10

Ysio X.pree SYNGO XR VA10

AFFECTED PRODUCTS AND SERVICES

These products and services include a vulnerable version of Log4j. When patching information is provided with a version, that version is the one expected to carry the patch once it is available, unless it is indicated as released. Note that this information could change due to additional testing requirements or other considerations. All products are tested to ensure that safe operation is not impacted by the change.

In addition, workarounds and mitigations are identified that customers may perform before patches are applied.

Affected Products and Versions

Remediation

Advanced Workflow PET syngo VG80

Addressed by VG80_UD03.

See Mitigation 6 (Symbia and Biograph).

ATELLICA DATA MANAGER v1.1.1 / v1.2.1 / v1.3.1

Addressed by update (released December 2021).

See Mitigation 1.

ATELLICA SOLUTION

Addressed by version 2022.01.

See Mitigation 2.

Biograph Horizon PET syngo VJ30

Addressed by VJ30C_UD03.

See Mitigation 6.

Biograph mCT PET syngo VG80

Addressed by VG80_UD03.

See Mitigation 6.

Biograph Quadra PET syngo VR10

Addressed by VR10D_UD02.

See Mitigation 6.

Biograph Vision PET syngo VG80

Addressed by VG80_UD03.

See Mitigation 6.

CENTRALINK v16.0.2 / v16.0.3

Addressed by update.

See Mitigation 3.

DICOM Proxy VB10A

Addressed by VB10B.

See Mitigation 4.

MAGNETOM AERA 1,5T NUMARIS/X VA30A

MAGNETOM Altea NUMARIS/X VA20A / VA31A

MAGNETOM Amira NUMARIS/X VA12M
MAGNETOM Free.Max NUMARIS/X VA40
MAGNETOM LUMINA NUMARIS/X VA20A / VA31A
MAGNETOM PRISMA / PRISMA FIT NUMARIS/X VA30A

MAGNETOM SEMPRA NUMARIS/X VA12M
MAGNETOM SOLA fit NUMARIS/X VA20A
MAGNETOM SOLA NUMARIS/X VA20A / VA31A
MAGNETOM SKYRA 3T NUMARIS/X VA30A
MAGNETOM Vida fit NUMARIS/X VA20A
MAGNETOM Vida NUMARIS/X VA10A / VA20A / VA31A

Addressed by NX-SD01.

See Mitigation 5.

MI Workplace MI Apps VB22

Addressed by VB22A_UD05.

See Mitigation 6 (Symbia and Biograph).

SENSIS VM Server VD12A

Addressed by SVP2201 via firewall.

Addressed by VD12A Patch 4 to replace the vulnerable Log4j version.

Please contact your local service representative for mitigation.

SOMATOM go VA20

Upgrade to VA30 required.

See Mitigation 5.

SOMATOM go VA30

Addressed by VA30_SP05 (released January 2022) to close the port. 

Addressed by VA30_SP06 to replace the vulnerable Log4j version.

See Mitigation 5.

SOMATOM go VA40

Addressed by VA40_SP02.

See Mitigation 5.

SOMATOM X.Ceed Somaris 10 V30

Addressed by VA30_SP05 (released January 2022) to close the port. 

Addressed by VA30_SP06 to replace the vulnerable Log4j version.

See Mitigation 5.

SOMATOM X.Ceed Somaris 10 V40

Addressed by VA40_SP02.

See Mitigation 5.

SOMATOM X.Cite Somaris 10 V30

Addressed by VA30_SP05 (released January 2022) to close the port. 

Addressed by VA30_SP06 to replace the vulnerable Log4j version.

See Mitigation 5.

Symbia MI Apps VB22
Symbia.net MI Apps VB22

Addressed by VB22A_UD05.

Syngo Carbon Space VA20A

Addressed by VA21A.

See Mitigation 7.

syngo Plaza VB20A / VB20A_HF01 - HF07 

See Mitigation 8.

syngo Plaza VB30A / VB30A_HF01 / VB30A_HF02 / VB30B / VB30C / VB30C_HF01 - HF06 / VB30C_HF91

Addressed by VB30D.

See Mitigation 8.

syngo.via VB10A_HF7 and higher / VB20A / VB20A_HF01 - HF08 / VB20A_HF91 / VB20B / VB30A / VB30A_HF01 - VB30A_HF08 / VB30A_HF91 / VB30B / VB30B_HF01

See Mitigation 8.

syngo.via VB40A / VB40A_HF01 - HF02 / VB40B / VB40B_HF01 - HF05 / VB50A / VB50A_CUT / VB50A_D4 / VB50B / VB50B_HF01 - HF03 / VB60A / VB60A_CUT / VB60A_D4 / VB60A_HF01

Addressed by VB40A_HF06.

See Mitigation 8.

syngo.via WebViewer VA13B / VA20A / VA20B

For systems where WebViewer runs on the same server as syngo.via, see the Remediation for syngo.via above.

For other systems, a workaround will be available.

syngo Workflow MLR VB37A / VB37A_HF01 / VB37A_HF02 / VB37B / VB37B_HF01 - HF07 / VB37B_HF93 / VB37B_HF94 / VB37B_HF96

Addressed by VB37B_HF08.

Please contact your local service representative for mitigation.

Log4j vulnerabilities update and the impact on Varian Products and Services.

A Varian security advisory has been issued, see here.


WORKAROUNDS AND MITIGATIONS

In some cases, Siemens Healthineers identifies specific workarounds and mitigations for affected products. Customers can access this information through the Siemens Healthineers teamplay Fleet customer online portal. The instructions are reproduced here so that all customers can access them.


1) ATELLICA DATA MANAGER

The Log4Shell vulnerability may affect some customer configurations of Atellica Data Manager 1.1.1, 1.2.1 and 1.3.1.

The vulnerability is applicable to systems that communicate using Java connectivity drivers. Our analysis has identified a low level of exploitation potential and cybersecurity risk due to the product design: connectivity drivers are restricted by default to communicating with authorized IP addresses only. Note: in Atellica Data Manager, it is the customer's responsibility to secure the firewall; refer to the relevant Atellica Data Manager Security White Paper. The Log4Shell vulnerability is considered controlled, and Atellica Data Manager has multiple security controls which make the possibility of a successful attack remote.

To check whether your Atellica Data Manager system is affected, navigate to Start > System Management > Services > Services and check for the presence of services of type “Java communication engine”. This requires System Manager privilege.

Although our analysis has identified this as a low cybersecurity risk to Atellica Data Manager, Siemens will provide a mitigation in a future version. If you have determined that your Atellica Data Manager has a “Java communication engine” service and you require an immediate mitigation, please contact your Siemens Customer Care Center or your local Siemens technical support representative.

2) ATELLICA SOLUTION

A zero-day remote code execution vulnerability has been found in the Log4j Java library, known as Log4Shell (CVE-2021-44228). The Atellica® Solution is impacted by the Log4Shell vulnerability: the online help component, the Knowledge Gateway (KGW) software component, is vulnerable to this exploit. Through analysis by our experts, we have identified a low level of exploitation potential and cybersecurity risk due to the product design, and the vulnerability is considered controlled. The product has multiple security controls in place which make the possibility of a successful attack using the Log4Shell vulnerability remote. KGW is used only for providing user help and has no connectivity with any other software components. A specific mitigation for this vulnerability is not required at this time; a future update to the software will mitigate it.

3) CENTRALINK

The Log4Shell vulnerability may affect some customer configurations of CentraLink v16.0.2/16.0.3.

The vulnerability is applicable to systems that communicate using Java connectivity drivers. Our analysis has identified a low level of exploitation potential and cybersecurity risk due to the product design: connectivity drivers are restricted by default to communicating with authorized IP addresses only. The Log4Shell vulnerability is considered controlled, and CentraLink has multiple security controls which make the possibility of a successful attack remote.

To check whether your CentraLink system is affected, navigate to Start > System Management > Services > Services and check for the presence of services of type “Java communication engine”. This requires System Manager privilege.

If you have determined that your CentraLink has a “Java communication engine” service and you require a mitigation, please contact your Siemens Customer Care Center or your local Siemens technical support representative.

4) DICOM Proxy

Note: the information about the mitigation of CVE-2021-44228 may change. DicomProxy version VB10A is vulnerable to the Log4j vulnerability CVE-2021-44228. This VB10A version uses a Log4j version below 2.16, for which we recommend the following mitigation:

Linux:
1. Log on to the shell of the DicomProxy (Linux server).
2. Find the needed program by executing the following command:
   JARTOOL=$(sudo find / -name "jar" -executable | head -n 1)
3. Find the affected JAR files by executing the following command:
   sudo find / -name "log4j-core-2.*.jar"
4. For all files found by the command in step 3, do the following procedure (exclusions: the /tmp folder and Log4j versions 2.16 or above). Repeat the following steps for all found files, one by one:
   JAR=[Filename of one found jar file in step 3]
   rm -rf /tmp/jar
   mkdir /tmp/jar
   cd /tmp/jar
   $JARTOOL xf "$JAR"
   If the file org/apache/logging/log4j/core/lookup/JndiLookup.class is not found in the subdirectory, this JAR is already patched and no further steps are needed for it.
   rm org/apache/logging/log4j/core/lookup/JndiLookup.class
   $JARTOOL cfm /tmp/log4j.jar META-INF/MANIFEST.MF *
   sudo chown --reference="$JAR" /tmp/log4j.jar
   sudo chmod --reference="$JAR" /tmp/log4j.jar
   sudo mv /tmp/log4j.jar "$JAR"
5. As soon as possible, reboot the computer for the changes to take effect:
   sudo reboot

Windows:
1. Open the command line: press "Windows + R", type "cmd" and press Enter.
2. Find 7-Zip (7z.exe):
   where /r C:\ 7z.exe
3. Find the affected Log4j files in the DicomProxy root path, e.g. C:\Siemens\DicomProxy:
   where /r [DicomProxyRootPath] "log4j-core-2.*.jar"
4. For all files found by the command in step 3, run the following command (exclusions: Log4j versions 2.16 or above). Repeat for all found files, one by one:
   "[Location of 7zip]7z.exe" d [Filename of one found jar file in step 3] org/apache/logging/log4j/core/lookup/JndiLookup.class
   If you get an error in step 4, try to identify and stop the application that is using the JAR, then repeat step 4.
5. As soon as possible, reboot the computer for the changes to take effect.

5) SOMATOM / MAGNETOM

The vulnerability is present on the device.

Log4j is used to give a second workplace access to the online help system of the scanner.
Network traffic from the product should not be routed to the internet.

As an immediate measure, block inbound network traffic to port 8090 on standalone systems or, where a second console is connected, set up IP whitelisting so that only systems that need access (e.g. the second workplace) can reach network port 8090. Blocking access to port 8090 on scanner systems with a second console makes the online help on that workplace unavailable.

6) Symbia and Biograph

The vulnerability is present on the device; however, a firewall prevents javaw.exe from accessing the network. Therefore, the device is not exploitable over a network, and exposure is limited to local access to the device.
Siemens recommends the following:
1. Ensure that the device is installed in a secure location.
2. Ensure that only those persons who require access to the device are granted access.
Siemens will provide a fix for this in a future security update.

7) syngo Carbon Space

The vulnerable service is Knowledge Gateway (running on port 8090). This service provides online help for syngo Carbon Space users. syngo Carbon Space VA10A and VA20A use Knowledge Gateway, which deploys Log4j version 2.13.3, for which we recommend the following mitigation:
1. Click on “syngo Carbon Space - Stop Server” on the desktop to stop the server.
2. Copy the following JAR files to a temporary folder on a Windows PC with 7-Zip installed, e.g. “C:\temp\JarFiles”:
a. %KGW_APPLICATION%\bin\kgw-application.jar
b. %KGW_APPLICATION%\bin\kgw-admin-application.jar
3. Open the 7-Zip File Manager with administrator privileges.
4. Go to the folder “C:\temp\JarFiles\kgw-application.jar\org\apache\logging\log4j\core\lookup\” and delete the file “JndiLookup.class”.
5. Go to the folder “C:\temp\JarFiles\kgw-admin-application.jar\org\apache\logging\log4j\core\lookup\” and delete the file “JndiLookup.class”.
6. Close the 7-Zip File Manager and confirm the archive update if prompted.
7. Copy the modified JAR files back to their original locations on the syngo Carbon Space server.
8. Click on “syngo Carbon Space - Start Server” on the desktop to start the server.

Additionally:
- if VMware is used, please refer to the VMware advisory: https://www.vmware.com/security/advisories/VMSA-2021-0028.html

8) syngo Plaza and syngo.via

syngo.via and syngo Plaza are vulnerable to the Log4j vulnerability CVE-2021-44228.

The vulnerable process is Knowledge Gateway (process name javaw.exe, listening on port 8090). The service provides online help for syngo.via users.

This syngo.via version uses Knowledge Gateway, which deploys Log4j version 2.x, for which we recommend the following mitigation (available as an automated script for syngo.via; see the instructions below):
1. Click on “syngo.via - Stop Server” on the APS desktop to stop the server.
2. Copy the following JAR files to a temporary folder on a Windows PC with 7-Zip installed, e.g. “C:\temp\JarFiles”:
a. %KGW_APPLICATION%\bin\kgw-application.jar
b. %KGW_APPLICATION%\bin\kgw-admin-application.jar
c. %KGW_APPLICATION%\work\webapp\webapp\WEB-INF\lib\log4j-core-2.x.2.jar
3. Open the 7-Zip File Manager with administrator privileges.
4. Go to the folder “C:\temp\JarFiles\kgw-application.jar\org\apache\logging\log4j\core\lookup\” and delete the file “JndiLookup.class”.
5. Go to the folder “C:\temp\JarFiles\kgw-admin-application.jar\org\apache\logging\log4j\core\lookup\” and delete the file “JndiLookup.class”.
6. Go to the folder “C:\temp\JarFiles\kgw-application.jar\webapp\WEB-INF\lib\log4j-core-2.x.2.jar”.
7. Double-click on “log4j-core-2.x.2.jar”.
8. Navigate to “\org\apache\logging\log4j\core\lookup\” and delete the file “JndiLookup.class”.
9. Go to the folder “C:\temp\JarFiles\log4j-core-2.x.2.jar\org\apache\logging\log4j\core\lookup\” and delete the file “JndiLookup.class”.
10. Close the 7-Zip File Manager and confirm the archive update if prompted.
11. Copy the modified JAR files back to their original locations on the syngo.via server.
12. Open a command prompt as administrator and run the command “%KGW_APPLICATION%\stop.cmd”.
13. Click on “syngo.via - Start Server” on the desktop to start the server.

For syngo.via these steps are automated by the following script. To apply the mitigation using the script:
1. Download Log4j-fix.zip (SHA512 checksum: abecf8c2345b08a47911f949279ba7d8a56b4495b98d3a1ef0fa202aa64f16d09f6049e8275436515b8f4c37ae3bda083aa7273464f3cd6360b71046cd4fdc9d)
2. Unzip Log4j-fix.zip to obtain Log4j.bat and copy it to the syngo.via server.
3. Run CMD.exe as administrator and start Log4j.bat.
In case of errors, please contact your Customer Service.

Additionally:
- if VMware is used, please refer to the VMware advisory: https://www.vmware.com/security/advisories/VMSA-2021-0028.html
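Added example, not Siemens Healthineers' code and not the Log4j.bat script the advisory distributes: the manual JndiLookup.class removal of Mitigations 4, 7 and 8 as a Python script that applies the advisory's exclusions (log4j-core 2.16 and later, the /tmp folder), leaves already-patched jars untouched, preserves each jar's owner and mode, and also descends into a log4j-core jar bundled inside another jar as in Mitigation 8, steps 6 to 9. The directory layout it scans and the ".log4jfix" temporary suffix are assumptions; patch_jar_file can also be pointed directly at the kgw-application.jar and kgw-admin-application.jar files named in Mitigations 7 and 8.

```python
import io
import os
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# log4j-core-2.<minor>[.anything].jar; the minor number drives the advisory's ">= 2.16" exclusion
LOG4J_CORE_RE = re.compile(r"log4j-core-2\.(\d+)(?:[.-].*)?\.jar$")


def is_vulnerable_log4j_core(name: str) -> bool:
    """True for a log4j-core 2.x jar whose minor version is below 2.16 (the advisory's rule)."""
    m = LOG4J_CORE_RE.search(os.path.basename(name))
    return bool(m) and int(m.group(1)) < 16


def strip_jndi_lookup(jar_bytes: bytes) -> tuple:
    """Return (rewritten jar bytes, number of JndiLookup.class entries removed). Works in
    memory, so it also serves a log4j-core jar bundled inside a larger jar (Mitigation 8)."""
    removed = 0
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zin, zipfile.ZipFile(out, "w") as zout:
        for info in zin.infolist():
            if info.filename == JNDI_CLASS:
                removed += 1  # drop the class that performs the JNDI lookup
                continue
            data = zin.read(info)
            if is_vulnerable_log4j_core(info.filename):
                data, nested = strip_jndi_lookup(data)  # a log4j-core jar under WEB-INF/lib
                removed += nested
            zout.writestr(info, data)  # keeps the entry's compression method and timestamp
    return out.getvalue(), removed


def patch_jar_file(path: str) -> int:
    """Patch one jar in place, keeping its mode and owner (the advisory's chown/chmod
    --reference steps). Returns entries removed; 0 means already patched, file untouched."""
    with open(path, "rb") as f:
        patched, removed = strip_jndi_lookup(f.read())
    if removed == 0:
        return 0
    st = os.stat(path)
    tmp = path + ".log4jfix"
    with open(tmp, "wb") as f:
        f.write(patched)
    os.chmod(tmp, st.st_mode & 0o7777)
    if hasattr(os, "chown"):  # not available on Windows
        os.chown(tmp, st.st_uid, st.st_gid)
    os.replace(tmp, path)  # swap the patched jar into place atomically
    return removed


def patch_tree(root: str, exclude=("/tmp",)) -> dict:
    """Walk root and patch every vulnerable log4j-core jar found, skipping the excluded
    path prefixes (/tmp, as the advisory directs). Returns {jar path: outcome}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if any(os.path.abspath(dirpath).startswith(e) for e in exclude):
            continue
        for name in files:
            if is_vulnerable_log4j_core(name):
                path = os.path.join(dirpath, name)
                n = patch_jar_file(path)
                report[path] = "removed JndiLookup.class" if n else "already patched"
    return report
```

Stop the service that holds the jar open before running it and restart or reboot afterwards, as the advisory's own steps do.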

GENERAL SECURITY RECOMMENDATIONS

In addition, Siemens Healthineers generally recommends the following:

Ensure you have appropriate backups and system restoration procedures.

Securely delete any backup files that are no longer needed.

For specific patch and remediation guidance, contact your local Siemens Healthineers Customer Service Engineer, portal or our Regional Support Center. To find your local contact, please refer to https://www.siemens-healthineers.com/how-can-we-help-you

PRODUCT DESCRIPTION

Additional product information is available through the Siemens Healthineers teamplay Fleet customer online portal.

ADDITIONAL INFORMATION

For further inquiries on security vulnerabilities in Siemens Healthineers products and solutions, please contact Siemens Healthineers using the following link: https://www.siemens-healthineers.com/cybersecurity

HISTORY DATA

V1.0 (2021-12-18): Publication Date

V1.1 (2021-12-22): Not vulnerable list added; remediations updated

V1.2 (2021-12-23): Corrections to product lists

V1.3 (2022-01-12):

· Added clarification to help the interpretation of the two lists of products (above each list)

· New SUMMARY paragraph indicating that products not listed are evaluated as not affected

· New SUMMARY paragraph referencing other Log4j vulnerabilities

· Moved PET products from NOT VULNERABLE to POTENTIALLY AFFECTED

· Listed Advia Centaur and VERSANT kPCR products as still under investigation

· All supported versions of CENTRALINK are now listed as POTENTIALLY AFFECTED

· Removed ARTIS icono / pheno VE10 (not affected)

· Removed Artis one VA11 (in development, not released yet)

· Removed SENSIS TS all versions except VD12A (not affected)

· Removed SENSIS VM Server all versions except VD12A (not affected)

V1.4 (2022-01-18):

· Removed last remaining products that were still under investigation

· Removed Centralink from NOT VULNERABLE

· Removed these products since they were not affected: Desktop Connector, MagicLinkA, Resolution MD, syngo Dynamics, Syngo Imaging, syngo Multimodality Workplace, syngo Share VA30A, syngo.via View&GO, syngo Virtual Cockpit, syngo Workflow SLR, Cios Alpha (VA20) S1, Cios Connect/Fusion (VA20) S1, Cios Select (VA10) S3P, Cios Fit (VA10 / VA11 / VA12)

· Removed unneeded WORKAROUND notes about HPE hardware

· Moved Biograph products from NOT VULNERABLE to POTENTIALLY AFFECTED

V2.0 (2022-02-07):

· Removed Atellica Hema Track from NOT VULNERABLE

· Removed references to “Preliminary” advisory

· Changed POTENTIALLY AFFECTED to AFFECTED

· Added patch/update information to AFFECTED list

· Clarified Mitigation references


TERMS OF USE

Siemens Healthineers’ Security Advisories are subject to the terms and conditions contained in Siemens Healthineers’ underlying license terms or other applicable agreements previously agreed to with Siemens Healthineers (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Healthineers Security Advisory, the Terms of Use of Siemens Healthineers’ Global Website (https://www.siemens-healthineers.com/terms-of-use hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.