Siemens Healthineers Security Advisory

Remote Code Execution Vulnerability in Apache Log4j – Preliminary Advisory

Publication Date: 2021-12-18

Last Update: 2022-01-12

Current Version: V1.3

Siemens Healthineers is aware of the zero-day remote code execution (RCE) vulnerability in the Apache Java library Log4j, identified as CVE-2021-44228. While our cybersecurity experts continue to analyze and address potential impact to our products, we are providing this preliminary advisory to customers to alert them to product versions that may be affected by this Apache vulnerability. Note that this advisory, including the potentially affected products, may be updated based on further analysis.

When appropriate, Siemens Healthineers provides specific countermeasures for products where updates are not yet available. The details of such countermeasures, along with a detailed analysis of the vulnerability for each product, will be made available, as necessary, through the Siemens Healthineers teamplay Fleet customer online portal.

Our cybersecurity experts have evaluated and have not identified any products or services other than those described in this advisory that are affected by this vulnerability. This includes Point of Care Diagnostics and Ultrasound products.

Note: other vulnerabilities in the Log4j component have also been evaluated; the results can be queried through the Siemens Healthineers teamplay Fleet customer online portal.

AFFECTED PRODUCTS AND SERVICES WHICH ARE NOT VULNERABLE OR ARE ALREADY FIXED

These products and services include a vulnerable version of Log4j but either:

1) Don’t use Log4j in a way that exposes the vulnerability, or

2) Have already been fixed, e.g., patched.

Products / Services and Versions

AI-Rad Companion Engine VA3xx

APTIO BY SIEMENS V.3.0 / V.6.0 / V.8.0.1 / V.9.0 / V.9.1 / V.10 / V.11

ARTIS icono / pheno VE20 / VE21
Artis zee/Q/Q.zen VD12
Artis zeego VD12

ATELLICA CONNECTIVITY MANAGER

Atellica Hema Track

Befund24 Befund24/Scale VA10C

Biograph Horizon PET syngo VJ30
Biograph mCT PET syngo VG80
Biograph Quadra PET syngo VR10
Biograph Vision PET syngo VG80

CENTRALINK CENTRALINK

Cios Alpha (VA20) S1 / (VA30 PSS) S1
Cios Alpha/Spin (VA30) S1
Cios Connect/Fusion S1 VA20
Cios Flow S1 VA30 PSS
Cios Select FD VA20 / VA21 S3P / (VA30) S3P
Cios Select I.I. VA21 S3P
Cios Select S3P VA10
Cios Spin (VA30 PSS) S1

Desktop Connector

Luminos Agile Max / dRF Max VF10 / VF11
LUMINOS Impulse / Lotus Max VF11 

MAGNETOM Lumina NUMARIS/X VA11B
MAGNETOM Sola NUMARIS/X VA11A / VA11B
MAGNETOM Terra NUMARIS/4 VE12U
MAGNETOM Vida NUMARIS/X VA11A / VA11B

MagicLinkA

Mammomat Fusion / Inspiration VB61
MAMMOMAT Revelation VC10 / VC20

Medicalis Consult Portal Medicalis Consult Portal 2.1

Mobilett Elara Max / Mira Max VF10

Multitom Rax VF10 / VF11

Multix Fusion Max VF10
Multix Impact C VA10
Multix Impact VA10 / VA11 / VA20

Resolution MD

SENSIS DMCC VD12A
SENSIS DMCM VD12A
SENSIS DS VD12A
SENSIS PPWS VD12A
SENSIS TS VD12A

Smart Remote Services (SRS)
The Smart Remote Services infrastructure of Siemens Healthineers, which is used for the provision of remote connectivity, is currently protected against the vulnerability CVE-2021-44228.

We advise customers not to disconnect Siemens Healthineers products, as doing so may prevent service teams from providing required immediate support such as remote patching.

SOMATOM Confidence (all variants) VB10 / VB20
SOMATOM Definition AS (all Variants), Edge, Flash VB10 / VB20
SOMATOM Drive / Force VB10 / VB20
SOMATOM Emotion (All Variants) VC50
SOMATOM Scope (all variants) VC50

syngo Dynamics

Syngo Imaging

syngo LAB CONNECTIVITY MANAGER
syngo LAB DATA MANAGER

syngo Multimodality Workplace

syngo Share VA30A

syngo.via View&GO

syngo Virtual Cockpit

syngo Workflow SLR

syngo X WP VD30

teamplay / Calcium40

Uroskop Omnia Max VF10 / VF11

Ysio Max VF10

Ysio X.pree SYNGO XR VA10

These products and services include a vulnerable version of Log4j or the analysis is not yet concluded. In the case where the product is vulnerable, specific remediation is identified.

Potentially Affected Products and Versions / Remediation

Advanced Workflow PET syngo VG80

Please see below (Symbia and Biograph).

Advia Centaur XP

Advia Centaur XPT

Still under investigation.

ATELLICA DATA MANAGER v1.1.1 / v1.2.1 / v1.3.1

Please see below.

ATELLICA SOLUTION

Please see below.

CENTRALINK v16.0.2 / v16.0.3

Please see below.

DICOM Proxy VB10A

Please see below.

MAGNETOM AERA 1,5T NUMARIS/X VA30A

MAGNETOM Altea NUMARIS/X VA20A / VA31A

MAGNETOM Amira NUMARIS/X VA12M
MAGNETOM Free.Max NUMARIS/X VA40
MAGNETOM LUMINA NUMARIS/X VA20A / VA31A
MAGNETOM PRISMA / PRISMA FIT NUMARIS/X VA30A

MAGNETOM SEMPRA NUMARIS/X VA12M
MAGNETOM SOLA fit NUMARIS/X VA20A
MAGNETOM SOLA NUMARIS/X VA20A / VA31A
MAGNETOM SKYRA 3T NUMARIS/X VA30A
MAGNETOM Vida fit NUMARIS/X VA20A
MAGNETOM Vida NUMARIS/X VA10A / VA20A / VA31A

Please see below.

MI Workplace MI Apps VB22

Please see below. (Symbia)

SENSIS VM Server VD12A

Please contact your local service representative.

SOMATOM go.All, Som10 VA20 / VA30 / VA40
SOMATOM go.Fit, Som10 VA30
SOMATOM go.Now, Som10 VA10 / VA20 / VA30 / VA40
SOMATOM go.Open Pro, Som10 VA30 / VA40
SOMATOM go.Sim, Som10 VA30 / VA40
SOMATOM go.Top, Som10 VA20 / VA20A_SP5 / VA30 / VA40
SOMATOM go.Up, Som10 VA10 / VA20 / VA30 / VA40

SOMATOM X.Ceed Somaris 10 VA40
SOMATOM X.Cite Somaris 10 VA30 / VA40

Please see below.

A fix for VA30 will be available with the next Service Pack early next year (planned for January).
To fix the vulnerability in older systems, they must first be upgraded to VA30.

Symbia MI Apps VB22
Symbia.net MI Apps VB22

Please see below.

Syngo Carbon Space VA10A / VA10A-CUT2 / VA20A

Please see below.

syngo Plaza VB20A / VB20A_HF01 - HF07 / VB30A / VB30A_HF01 /
VB30A_HF02 / VB30B / VB30C / VB30C_HF01 - HF06 / VB30C_HF91

Please see below.

syngo.via VB10A_HF7 and higher / VB20A / VB20A_HF01 - HF08 / VB20A_HF91 / VB20B /
VB30A / VB30A_HF01 - VB30A_HF08 / VB30A_HF91VB30B /
VB30B_HF01 / VB40A / VB40A_HF01 - HF02 /VB40B /
VB40B_HF01 - HF05 / VB50A / VB50A_CUT / VB50A_D4VB50B /
VB50B_HF01 - HF03 / VB60A / VB60A_CUT / VB60A_D4 / VB60A_HF01

Please see below.

syngo.via WebViewer VA13B / VA20A / VA20B

Please see below.

syngo Workflow MLR VB37A / VB37A_HF01 / VB37A_HF02 / VB37B /
VB37B_HF01 - HF07 / VB37B_HF93 / VB37B_HF94 / VB37B_HF96 

The vulnerability will be patched in an upcoming hotfix. Before the hotfix is available,
the vulnerability can be mitigated by a configuration on the affected servers.
Please contact your Customer Service to get support on it.

Log4J vulnerabilities update and the impact on Varian Products and Services.

A Varian preliminary security advisory has been issued, see here.

WORKAROUNDS AND MITIGATIONS

1) ATELLICA DATA MANAGER

The log4shell vulnerability may affect some customer configurations of Atellica Data Manager 1.1.1, 1.2.1 and 1.3.1.

The vulnerability is applicable to systems that communicate using Java connectivity drivers.
Our analysis has identified a low level of exploitation potential and cybersecurity risk due to the product design.
Connectivity drivers are restricted by default to communicating with authorized IP addresses only. Note: in Atellica Data Manager, it is the customer's responsibility to secure the firewall. Refer to the relevant Atellica Data Manager Security White Paper.
The Log4shell vulnerability is considered controlled.
Atellica Data Manager has multiple security controls which make the possibility of a successful attack remote.
To check if your Atellica Data Manager system is affected, navigate to Start > System Management > Services > Services and check for the presence of services of type “Java communication engine”. This requires System Manager privilege.
Although our analysis has identified this as a low cybersecurity risk to Atellica Data Manager, Siemens will provide a mitigation in a future version.
If you have determined that your Atellica Data Manager has a “Java communication engine” service, and you require an immediate mitigation, then please contact your Siemens Customer Care Center or your local Siemens technical support representative.

2) ATELLICA SOLUTION

A new zero-day remote code execution vulnerability has been found in the Log4j Java library, known as Log4shell (CVE-2021-44228). The Atellica® Solution is impacted by the Log4shell vulnerability. We have identified that the online help component, the “Knowledge Gateway” (KGW) software component, is vulnerable to this exploit. Through the analysis by our experts, we have identified a low level of exploitation potential and cybersecurity risk due to the product design. The vulnerability is considered controlled. The product has multiple security controls in place which make the possibility of a successful attack using the Log4shell vulnerabilities remote. KGW is used only for providing user help and does not have connectivity with any other software components. A specific mitigation for this vulnerability is not required at this time. A future update to the software will mitigate this vulnerability.

3) CENTRALINK

The log4shell vulnerability may affect some customer configurations of CentraLink v16.0.2/16.0.3.
The vulnerability is applicable to systems that communicate using Java connectivity drivers.
Our analysis has identified a low level of exploitation potential and cybersecurity risk due to the product design.
Connectivity drivers are restricted by default to communicating with authorized IP addresses only.
The Log4shell vulnerability is considered controlled.
CentraLink has multiple security controls which make the possibility of a successful attack remote.
To check if your CentraLink system is affected, navigate to Start > System Management > Services > Services and check for the presence of services of type “Java communication engine”. This requires System Manager privilege.
If you have determined that your CentraLink has a “Java communication engine” service, and you require a mitigation, then please contact your Siemens Customer Care Center or your local Siemens technical support representative.

4) DICOM Proxy

Note: the information about the mitigation of CVE-2021-44228 may change. The DicomProxy version VB10A is vulnerable to the Log4j vulnerability CVE-2021-44228. This VB10A version uses a Log4j version < 2.16, for which we recommend the following mitigation:
Linux:
1. Log on to the shell of the DicomProxy (Linux server)
2. Find the needed program by executing the following command: JARTOOL=$(sudo find / -name "jar" -executable | head -n 1)
3. Find the affected jar files by executing the following command: sudo find / -name "log4j-core-2.*.jar"
4. For all files found by the command in step 3 do the following procedure (exclusions: the /tmp folder and Log4j versions 2.16 or above)
Please repeat the following steps for all found files, one by one
JAR=[Filename of one found jar file in step 3]
rm -rf /tmp/jar
mkdir /tmp/jar
cd /tmp/jar
"$JARTOOL" xf "$JAR"
If the file org/apache/logging/log4j/core/lookup/JndiLookup.class is not found in the subdirectory, this jar is already patched and no further steps are needed
rm org/apache/logging/log4j/core/lookup/JndiLookup.class
"$JARTOOL" cfm /tmp/log4j.jar META-INF/MANIFEST.MF *
sudo chown --reference="$JAR" /tmp/log4j.jar
sudo chmod --reference="$JAR" /tmp/log4j.jar
sudo mv /tmp/log4j.jar "$JAR"
5. As soon as possible reboot the computer for the changes to take effect
sudo reboot

Windows:
1. Open the command line: press "Windows + R", type "cmd" and press Enter
2. Find 7-Zip (7z.exe):
where /r C:\ 7z.exe
3. Find the affected Log4j jars in the DicomProxy root path, e.g. C:\Siemens\DicomProxy:
where /r [DicomProxyRootPath] "log4j-core-2.*.jar"
4. For all files found by the command in step 3 run the following command (exclusions: Log4j versions 2.16 or above)
Please repeat the following step for all found files, one by one
"[Location of 7zip]7z.exe" d "[Filename of one found jar file in step 3]" org/apache/logging/log4j/core/lookup/JndiLookup.class
If you get an error in step 4, try to identify and stop the application using the jar and repeat step 4.
5. As soon as possible reboot the computer for the changes to take effect

5) SOMATOM / MAGNETOM

The vulnerability is present on the device.

Log4j is used to give a second workplace access to the online help system of the scanner.
Network traffic from the product should not be routed to the internet.

As an immediate measure, prevent inbound network traffic on port 8090 for standalone systems, or set up IP whitelisting on network port 8090 for "need to access" systems (e.g., a second workplace) in case a second console is connected. Preventing access to port 8090 for scanner systems with a second console makes the online help on that workplace unavailable.

6) Symbia and Biograph

The vulnerability is present on the device; however, a firewall prevents javaw.exe from accessing the network. Therefore, the device is not exploitable over a network, and the issue is limited to local access on the device.
Siemens recommends the following:
1. Ensure that the device is installed in a secure location
2. Ensure that only those persons who require access to the device are granted access.
Siemens will provide a fix for this in a future security update.

7) syngo Carbon Space

The vulnerable service: Knowledge Gateway (running on port 8090). This service is used to provide online help for the syngo Carbon Space users. syngo Carbon Space VA10A and VA20A use Knowledge Gateway, which deploys Log4j version 2.13.3, for which we recommend the following mitigation:
1. Click on “syngo Carbon Space - Stop Server” present on the desktop to stop the server
2. Copy the following jar files to a temporary folder on a Windows PC having 7-Zip installed, e.g. “C:\temp\JarFiles”
a. %KGW_APPLICATION%\bin\kgw-application.jar
b. %KGW_APPLICATION%\bin\kgw-admin-application.jar
3. Open the 7-Zip manager with administrator privileges
4. Go to the folder “C:\temp\JarFiles\kgw-application.jar\org\apache\logging\log4j\core\lookup\” and delete the file “JndiLookup.class”
5. Go to the folder “C:\temp\JarFiles\kgw-admin-application.jar\org\apache\logging\log4j\core\lookup\” and delete the file “JndiLookup.class”
6. Close the 7-Zip manager and confirm the archive update if prompted.
7. Copy the modified jar files back to their original locations on the syngo Carbon Space server
8. Click on “syngo Carbon Space - Start Server” on the desktop to start the server.

Additionally:
- please check whether your hardware is affected. If syngo Carbon Space is running on HPE hardware, please refer to the security bulletin:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04215en_us
- in case of VMware usage, please refer to the advisory: https://www.vmware.com/security/advisories/VMSA-2021-0028.html

8) syngo Plaza and syngo.via

The syngo.via and syngo Plaza are vulnerable to the Log4j vulnerability CVE-2021-44228.

The vulnerable process: Knowledge Gateway (process name javaw.exe and listening on port 8090). The service is used to provide online help for the syngo.via users.

This syngo.via version uses Knowledge Gateway which deploys the Log4j version 2.x for which we recommend the following mitigation (available as automated script for syngo.via, please see the instructions below):
1. Click on “syngo.via - Stop Server” present on the APS desktop to stop the server
2. Copy following Jar files to a temporary folder on a Windows PC having 7-Zip installed, e.g. “C:\temp\JarFiles”
a. %KGW_APPLICATION%\bin\kgw-application.jar
b. %KGW_APPLICATION%\bin\kgw-admin-application.jar
c. %KGW_APPLICATION%\work\webapp\webapp\WEB-INF\lib\log4j-core-2.x.2.jar
3. Open 7 zip manager with administrator privileges
4. Go to the folder “C:\temp\JarFiles\kgw-application.jar\org\apache\logging\log4j\core\lookup\” and delete file “JndiLookup.class”
5. Go to the folder “C:\temp\JarFiles\kgw-admin-application.jar\org\apache\logging\log4j\core\lookup\” and delete file “JndiLookup.class”
6. Go to the folder “C:\temp\JarFiles\kgw-application.jar\webapp\WEB-INF\lib\log4j-core-2.x.2.jar”
7. Then double click on “log4j-core-2.x.2.jar”
8. Navigate to “\org\apache\logging\log4j\core\lookup\” then delete file “JndiLookup.class”
9. Go to the folder “C:\temp\JarFiles\log4j-core-2.x.2.jar\org\apache\logging\log4j\core\lookup\” and delete file “JndiLookup.class”
10. Close the 7z manager and confirm archive update if prompted.
11. Copy the modified JAR files back to original locations on the syngo.via server
12. Open command prompt as administrator and run command “%KGW_APPLICATION%\stop.cmd”
13. Click on “syngo.via - Start Server” on the desktop to start the server.

For syngo.via the steps are automated with the following script. To apply the mitigation using the script:
1. Download the Log4j-fix.zip (SHA512 checksum: abecf8c2345b08a47911f949279ba7d8a56b4495b98d3a1ef0fa202aa64f16d09f6049e8275436515b8f4c37ae3bda083aa7273464f3cd6360b71046cd4fdc9d)
2. Unzip Log4j-fix.zip to get the Log4j.bat and copy it to the syngo.via server
3. Run CMD.exe as administrator and start the Log4j.bat
In case of errors, please contact your Customer Service.
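The manual jar-editing procedures in sections 4 (DicomProxy, Linux and Windows), 7 (syngo Carbon Space) and 8 (syngo Plaza and syngo.via) all perform the same operation: locate Log4j 2 core jars, leave versions 2.16 and above alone, delete org/apache/logging/log4j/core/lookup/JndiLookup.class from the archive, and put the jar back with its original owner and permissions. The script below is an added example written for this page; it is not Siemens Healthineers code and not the Log4j.bat from Log4j-fix.zip. It reproduces those steps in one pass over a directory tree, reports first and only modifies jars with --apply, and also handles the two shapes the syngo.via steps deal with by hand: a shaded copy of the class directly inside an application jar, and a log4j-core jar bundled inside another jar. The function make_demo_tree() writes constructed sample jars with fake class bytes and a made-up layout so the script can be tried offline; the directory and jar names it uses are assumptions, not product paths.

```python
"""Scan a directory for Log4j 2 jars and strip JndiLookup.class from them.

Added example, not Siemens Healthineers code: it automates the manual steps of
sections 4, 7 and 8 (find log4j-core-2.*.jar, leave 2.16 and newer alone, delete
the JndiLookup class, keep the jar's owner and mode) and also handles a shaded
copy of the class or a log4j-core jar nested inside another jar, the two cases
the kgw-application.jar steps cover by hand. make_demo_tree() writes constructed
sample jars; nothing here is a real product file.
"""
import io
import os
import re
import shutil
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_JAR_RE = re.compile(r"^log4j-core-2\.(\d+)(?:\.\d+)?\.jar$")
EXCLUDED_FROM_MINOR = 16   # advisory exclusion: 2.16 and above are left untouched


def core_version_in_scope(name):
    """None if not a log4j-core 2.x jar, True when its minor version is < 16."""
    m = CORE_JAR_RE.match(os.path.basename(name.replace("\\", "/")))
    return None if m is None else int(m.group(1)) < EXCLUDED_FROM_MINOR


def strip_jndi_lookup(data):
    """Return (jar bytes without JndiLookup.class, changed); recurses into nested jars."""
    out = io.BytesIO()
    changed = False
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                changed = True            # drop the entry instead of copying it
                continue
            payload = src.read(info)
            if core_version_in_scope(info.filename):   # bundled log4j-core jar
                payload, nested = strip_jndi_lookup(payload)
                changed = changed or nested
            dst.writestr(info, payload)   # keeps entry name, time and compression
    return out.getvalue(), changed


def patch_jar(path, dry_run=True):
    """Rewrite one jar in place; returns True when the class was present."""
    path = Path(path)
    new_data, changed = strip_jndi_lookup(path.read_bytes())
    if changed and not dry_run:
        tmp = path.with_name(path.name + ".log4jfix")
        tmp.write_bytes(new_data)
        shutil.copymode(path, tmp)                # chmod --reference="$JAR"
        if hasattr(os, "chown"):                  # chown --reference="$JAR" (POSIX only)
            os.chown(tmp, path.stat().st_uid, path.stat().st_gid)
        os.replace(tmp, path)                     # atomic swap, like the sudo mv step
    return changed


def scan_tree(root, dry_run=True):
    """Map every *.jar below root to what was (or would be) done with it."""
    report = {}
    for jar in sorted(Path(root).rglob("*.jar")):
        if core_version_in_scope(jar.name) is False:
            report[str(jar)] = "skipped: log4j-core 2.16 or newer"
            continue
        try:
            changed = patch_jar(jar, dry_run)
        except zipfile.BadZipFile:
            report[str(jar)] = "error: not a valid jar"
            continue
        action = ("would remove " if dry_run else "removed ") + "JndiLookup.class"
        report[str(jar)] = action if changed else "clean: class not present"
    return report


def make_demo_tree(root):
    """Write constructed sample jars (fake class bytes, made-up layout) under root."""
    def jar(path, entries):
        with zipfile.ZipFile(path, "w") as z:
            for name, data in entries.items():
                z.writestr(name, data)
    root = Path(root)
    (root / "lib").mkdir(parents=True, exist_ok=True)
    jar(root / "lib" / "log4j-core-2.14.1.jar",
        {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n", JNDI_CLASS: b"fake class",
         "org/apache/logging/log4j/core/Core.class": b"fake class"})
    jar(root / "lib" / "log4j-core-2.17.1.jar", {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    nested = io.BytesIO()                          # a log4j-core jar bundled inside a jar
    with zipfile.ZipFile(nested, "w") as z:
        z.writestr(JNDI_CLASS, b"fake class")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    jar(root / "kgw-application.jar",
        {JNDI_CLASS: b"fake class", "webapp/WEB-INF/lib/log4j-core-2.13.3.jar": nested.getvalue()})
    jar(root / "other.jar", {"com/example/App.class": b"fake class"})
    return root


if __name__ == "__main__":          # usage: python log4j_jndi_strip.py ROOT [--apply]
    import sys
    args = sys.argv[1:]
    for path, action in scan_tree(args[0], dry_run="--apply" not in args).items():
        print(f"{action:36} {path}")
```

Run it once without --apply to get a report of every jar under the root, then with --apply after stopping the application that holds the jars open (the "Stop Server" step), and restart or reboot afterwards as the advisory requires. Stripping the class from a jar that is in use is exactly the failure the Windows step 4 note describes, so the stop comes first.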

Additionally:
- please check whether your hardware is affected. If syngo.via is running on HPE hardware, please refer to the security bulletin: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04215en_us
- in case of VMware usage, please refer to the advisory: https://www.vmware.com/security/advisories/VMSA-2021-0028.html

GENERAL SECURITY RECOMMENDATIONS

In addition, Siemens Healthineers generally recommends the following:

Ensure you have appropriate backups and system restoration procedures.

Securely delete any backup files that are no longer needed.

For specific patch and remediation guidance information contact your local Siemens Healthineers Customer Service Engineer, portal or our Regional Support Center. To find your local contact, please refer to https://www.siemens-healthineers.com/how-can-we-help-you

PRODUCT DESCRIPTION

Additional product information is available through the Siemens Healthineers teamplay Fleet customer online portal.

ADDITIONAL INFORMATION

For further inquiries on security vulnerabilities in Siemens Healthineers products and solutions, please contact Siemens Healthineers using the following link: https://www.siemens-healthineers.com/cybersecurity

HISTORY DATA

V1.0 (2021-12-18): Publication Date

V1.1 (2021-12-22): Not vulnerable list added. Update Remediations

V1.2 (2021-12-23): Corrections to product lists

V1.3 (2022-01-12):

· Added clarification to help the interpretation of the two lists of products (above each list)

· New SUMMARY paragraph indicating that products not listed are evaluated as not affected

· New SUMMARY paragraph referencing other Log4j vulnerabilities

· Moved PET products from NOT VULNERABLE to POTENTIALLY AFFECTED

· Listed Advia Centaur and VERSANT kPCR products as still under investigation

· All supported versions of CENTRALINK are now listed as POTENTIALLY AFFECTED

· Removed ARTIS icono / pheno VE10 (not affected)

· Removed Artis one VA11 (in development, not released yet)

· Removed SENSIS TS all versions except VD12A (not affected)

· Removed SENSIS VM Server all versions except VD12A (not affected)


TERMS OF USE

Siemens Healthineers’ Security Advisories are subject to the terms and conditions contained in Siemens Healthineers’ underlying license terms or other applicable agreements previously agreed to with Siemens Healthineers (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Healthineers Security Advisory, the Terms of Use of Siemens’ Healthineers Global Website (https://www.siemens-healthineers.com/terms-of-use hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.