Apache Log4j Vulnerability: BD Third-Party Components Impacted

Background

Last Updated: June 21, 2022

BD is aware of and currently monitoring the Apache Log4j vulnerabilities that impact third-party product(s) used with certain BD software-enabled products. These third-party vulnerabilities are not specific to BD or our products. A malicious actor with network access to an impacted product who can place crafted data into a field that the product logs may exploit this issue to gain full control of the target system and/or perform denial-of-service attacks.

BD has not received any reports regarding these vulnerabilities being exploited on BD products.

Scope

  • CVE-2021-44228 (Critical) - Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
 
  • CVE-2021-45046 (Critical) - It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments.

Response

BD is currently working to test and validate the patch(es) or other mitigations for BD products that use the affected third-party components. Some patches may already be available. Please refer to the Bulletins and Patches page for all approved product security patching notifications. Additionally, we recommend the following compensating controls for customers using BD products that utilize impacted third-party components.

  • Execute updates to malware protection, where available.
  • Ensure data has been backed up and stored according to your individual processes and disaster recovery procedures.
  • Do not allow unauthorized access to the network; only authorized users should have access to the network/system.
  • Ensure your firewall and antivirus protection are updated with the latest updates.
  • Minimize network exposure to devices and ensure devices are not directly accessible from the internet unless essential.

Customers who apply patches independently of BD's automated delivery are the responsible entity for ensuring that available security patches and recommendations are applied, so that the correct security posture of their system(s) is maintained.

BD Products that Utilize Affected Third-Party Products

The product list below identifies existing BD products that utilize third-party components that are in scope for the Apache Log4j vulnerabilities listed above. The list may be updated as more products are identified. In addition, the list below does not indicate the patch or device status. Please check back periodically for updates.

Third-Party Component: VMware vCenter

VMware vCenter is a centralized management utility for VMware and is used to manage virtual machines, multiple hosts, and all dependent VMware components from a single centralized location. The BD products listed below utilize VMware vCenter, which is in scope for the Apache Log4j vulnerabilities listed above.

  • BD Kiestra™ Total Lab Automation (TLA) with a Systems Control Unit (SCU)
  • BD Kiestra™ Work Cell Automation (WCA) with a Systems Control Unit (SCU)
  • BD Kiestra™ ReadA with a Systems Control Unit (SCU)

BD has tested the workarounds currently available for VMware vCenter; they will be released and applied in the upcoming patch cycles of the impacted BD products.

BEGIN UPDATE A: June 21, 2022

Third-Party Component: Tableau Software

Tableau software is a data visualization platform used to analyze and report data in the form of dashboards. The BD hosted offerings listed below utilize Tableau Software, which is in scope for the Apache Log4j2 vulnerabilities, CVE-2021-44228 and CVE-2021-45046.

  • BD HealthSight™ Infection Advisor
  • BD HealthSight™ Clinical Advisor
  • BD Insights Research Analytics Dashboards
    • BD Insights Research Analytics Pathogen Incidence Dashboard
    • BD Insights Research Analytics Patient Characteristics Dashboard
    • BD Insights Research Analytics COVID-19 Outcomes Dashboard
    • BD Insights Research Analytics COVID-19 Inpatient Antimicrobial Utilization Dashboard
    • BD Insights Research Analytics Commercial Medication Utilization Dashboard
    • BD Insights Research Analytics Viral Pathogen Incidence Dashboard
    • BD Insights Research Analytics CDC Threat Report Dashboard
    • BD Insights Research Analytics CDC Flu/COVID-19 Dashboard

BD proactively monitors and manages patching for BD hosted offerings according to BD patch management policies. BD deploys comprehensive security controls that reduce and detect threats to the BD hosted offerings environment and data.

BD is currently working to test and validate the vendor provided patch(es), and remediation is expected to be completed in June 2022 for the BD hosted offerings listed above that utilize the affected third-party component: Tableau Software. There is no action needed for BD customers who utilize these BD hosted offerings.

END UPDATE A: June 21, 2022

Additional Resources

For product- or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by this third-party vulnerability, disconnect the device from the network and contact your BD service representative immediately.

