Bulletins
CRITICAL
BD is aware of and currently monitoring VMware vulnerabilities affecting VMware vCenter Server and ESXi. These third-party vulnerabilities are not specific to BD or our products. BD is providing this update to let customers know which BD products could be affected by these third-party vulnerabilities. Please note that not all BD products listed in this bulletin are in scope for each CVE.
CVE-2021-21972 - The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
CVE-2021-21974 - OpenSLP as used in ESXi has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.
CVE-2021-21985 - The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
Additionally, BD has not received any reports of these vulnerabilities being exploited on BD products.
The product lists below identify existing BD products that utilize in-scope VMware products. The lists may be updated as more products are identified. In addition, these lists do not indicate the patch or device status. Please check back periodically for updates.
Note: The BD Alaris™ Systems Manager is run in a VMware ESXi environment, which the customer provides. Customers are responsible for updating and maintaining security patches for VMWare ESXi as resides within the customer's network infrastructure.
The BD products listed below are in scope for CVE-2021-21972, CVE-2021-21974, and CVE-2021-21985:
- BD HealthSight™ Clinical Advisor
- BD HealthSight™ Data Manager
- BD HealthSight™ Diversion Management
- BD HealthSight™ Infection Advisor
- BD HealthSight™ Inventory Optimization Analytics
- BD Knowledge Portal for Infusion Technologies
- BD Knowledge Portal for Medication Technologies
- BD Knowledge Portal for BD Pyxis™ Supply
The BD products listed below are in scope for CVE-2021-21974:
- BD Pyxis™ Enterprise Server*
- BD Pyxis™ Logistics Server*
- BD Pyxis™ MedStation™ 3500*
- BD Pyxis™ MedStation™ 4000*
- BD Pyxis™ SupplyStation*
*CVE-2021-21974 ESXi OpenSLP remote code execution vulnerability: Port 427 is not recommended to be opened during implementation for the BD Pyxis™ suite of products.
The BD products listed below are in scope for CVE-2021-21972 and CVE-2021-21985:
- BD Kiestra™ ReadA Standalone
- BD Kiestra™ TLA with an SCU
- BD Kiestra™ WCA with an SCU
Customers that maintain patches independent of BD automated delivery are responsible for maintaining the correct security posture of their system(s) and should ensure related VMware patches have been applied:
BD is currently working to test and validate the VMware patch(es) for BD products that use the affected third-party components. Some patches may already be available. Please refer to the Bulletins and Patches page for all approved product security patching notifications. Additionally, we recommend the following compensating controls for customers using BD products that utilize VMware vCenter Server or ESXi:
- Do not allow unauthorized access to the network. Only allow authorized users to have access to the system.
- Execute updates to your malware protection, where available.
- Ensure data has been backed up and stored according to your individual processes and disaster recovery procedures.
- Disable any unnecessary accounts, protocols, and services.
For product or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by this third-party vulnerability, disconnect the device from the network and contact your BD service representative immediately.
US CERT Advisories: