Medical System Security Information - Security Advisories

Product security Advisories

FUJIFILM Corporation
  1. Apache Log4j Vulnerability (Log4Shell)
    Log4j is a widely used logging tool in Java applications and is provided by the Apache Software Foundation. A vulnerability in Log4j versions 2.0-beta9 through 2.14.1 allows an attacker to remotely execute arbitrary code. For details, please refer to the following external reference website.
    https://logging.apache.org/log4j/2.x/security.html
  2. Impacts on our products
    SYNAPSE VNA software versions 6.3 and later may be affected by this vulnerability.
    Fujifilm has released a mitigation script that must be applied to each SYNAPSE VNA software.
    All other products are unaffected.
    For security inquiries about this issue, contact the sales office where you purchased the product or where you are considering purchasing the product.
  1. Treck TCP/IP stack vulnerabilities
    Nineteen vulnerabilities, collectively named Ripple20, were found in the Treck TCP/IP stack. Exploitation of these vulnerabilities could result in remote code execution, denial of service, or information disclosure. For details, refer to the websites below.
    https://www.jsof-tech.com/ripple20
    https://us-cert.cisa.gov/ics/advisories/icsa-20-168-01
  2. Impacts on our products
    Our products do not use Treck TCP/IP which has these vulnerabilities. Therefore, we have determined that they are not affected by these vulnerabilities.
  1. Bluetooth Low Energy Vulnerability (SweynTooth)
    FDA issued the following FDA Safety Communication on March 3, 2020.
    SweynTooth Cybersecurity Vulnerabilities May Affect Certain Medical Devices (FDA Safety Communication)
    It describes information regarding vulnerabilities, named “SweynTooth”, associated with a wireless communication technology known as Bluetooth Low Energy (BLE).
  2. Summary
    Successful exploitation of this vulnerability could allow an attacker within wireless range to cause a deadlock, crash, buffer overflow, or to completely bypass security function. For details, refer to the website below.
    https://www.us-cert.gov/ics/alerts/ics-alert-20-063-01
  3. Impacts on our products
    Our products do not have a Bluetooth function that uses this vulnerable Bluetooth Low Energy (BLE).
    Therefore, we have determined that they are not affected by these vulnerabilities.
  1. Vulnerabilities of Remote Desktop Service for Windows
    Microsoft Corp. has disclosed vulnerabilities (CVE-2019-0708, CVE-2019-1181 and CVE-2019-1182) in the remote desktop service (software for remote control from other computers) installed in the Windows OS. An attacker who successfully exploited these vulnerabilities could install programs, or display, modify, or delete data.
  2. Impacts on our products
    Our products are not affected by these vulnerabilities, but since Microsoft has released patches for them, we have also completed the patch application evaluation for the products using the affected Windows versions. If you would like to apply the patch, contact the sales office where you purchased the product. In addition, to maintain the security of our products, refer to section 3 below for ensuring the security of your network.
  3. Reference
    The following countermeasures are effective for vulnerabilities of the remote desktop service in the network environment of customers.

    (a) Disallowing the use of Remote Desktop Services
    If it is possible to allow or disallow the use of remote desktop services in the Windows settings, disallow it.

    (b) Communication route control
    In the network to which our products are connected, configure the network device to prohibit communication from any computer other than those permitted to access the products.

    (c) Control of communication protocol and communication port
    Attacks on the remote desktop service use the following communication protocol and port, so configure the network device to block this communication.

    | Services used | Protocol type and port number used |
    | --- | --- |
    | Remote desktop service | TCP port 3389 |
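
The following PowerShell is an added example, not code from Fujifilm or from the original advisory: it audits a single Windows host against countermeasures (a) and (c), and with `-Apply` either disables Remote Desktop or, when management addresses are supplied, restricts the existing inbound TCP 3389 rules to them. It assumes Windows Firewall is in use with its default inbound action set to Block; the `-AllowedAdmins` parameter and its sample address are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not vendor code). Audits one Windows host against
# countermeasures (a) and (c); changes nothing unless -Apply is given.
param(
    [switch]$Apply,
    [string[]]$AllowedAdmins = @()   # hypothetical, e.g. '192.0.2.10'
)

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# (a) fDenyTSConnections = 1 means Remote Desktop connections are refused.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections

# (c) Enabled inbound allow rules whose local port is exactly TCP 3389
#     (rules written as port ranges are not matched by this filter).
$allow = @(Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '3389' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
                   $_.Action -eq 'Allow' })

# Is anything actually listening on the port right now?
$listening = @(Get-NetTCPConnection -State Listen -LocalPort 3389 `
                   -ErrorAction SilentlyContinue)

# Audit report: current state before any change is made.
[pscustomobject]@{
    RemoteDesktopDenied = ($deny -eq 1)
    Listening3389       = ($listening.Count -gt 0)
    InboundAllowRules   = ($allow.DisplayName -join '; ')
    RemoteAddresses     = (($allow | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
}

if ($Apply) {
    if ($AllowedAdmins.Count -eq 0) {
        # (a) No remote administration needed: refuse RDP and drop the allow rules.
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
        $allow | Disable-NetFirewallRule
    } else {
        # Host-side counterpart of (b): keep RDP, but only from the listed hosts.
        $allow | Set-NetFirewallRule -RemoteAddress $AllowedAdmins
    }
}
```

Run it once without `-Apply` to record the current state, and again after the change to confirm that `Listening3389` and the rule scope match what was intended.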

  1. VxWorks Vulnerabilities
    Serious vulnerabilities in VxWorks, named “URGENT/11”, have been announced on the Wind River website, and it is recommended to take urgent measures.
  2. Summary
    URGENT/11 is a set of 11 vulnerabilities found in the VxWorks TCP/IP stack (IPnet), 6 of which are classified as critical vulnerabilities that allow remote code execution. Other vulnerabilities could also be exploited for denial of service or information disclosure. For details, refer to the websites below.
    TCP/IP Network Stack (IPnet, Urgent/11)  (Wind River)
    URGENT/11  (Armis)
  3. Impacts on our products
    Our products do not have VxWorks that uses IPnet with these vulnerabilities and we have determined that they are not affected by these vulnerabilities.
FUJIFILM Healthcare Corporation
  1. Apache Log4j Vulnerability (Log4Shell)
    Log4j is a widely used logging tool in Java applications and is provided by the Apache Software Foundation. A vulnerability in Log4j versions 2.0-beta9 through 2.14.1 allows an attacker to remotely execute arbitrary code. For details, please refer to the following external reference website.
    https://logging.apache.org/log4j/2.x/security.html
  2. Impacts on our products
    We have determined that our products are not affected by this vulnerability because they do not use the associated versions of Apache Log4j.

    However, our server for remote services, which is used to maintain our products, does have an associated version of Apache Log4j, but we have confirmed that the function containing the vulnerability has been disabled.
  1. BlackBerry Real-Time Operating System (RTOS) "QNX" Vulnerability
    BlackBerry has announced a vulnerability (CVE-2021-22156) in the QNX Real Time Operating System (RTOS).
    Exploitation of this vulnerability could lead to denial of service or arbitrary code execution on the affected device. For details, please refer to the following external reference websites.
    https://support.blackberry.com/kb/articleDetail?articleNumber=000082334
    https://us-cert.cisa.gov/ncas/alerts/aa21-229a
  2. Impacts on our products
    We have determined that our products are not affected by this vulnerability because they do not use BlackBerry real-time operating system (RTOS) "QNX".
  1. Treck TCP/IP stack vulnerabilities
    Nineteen vulnerabilities, collectively named Ripple20, were found in the Treck TCP/IP stack. Exploitation of these vulnerabilities could result in remote code execution, denial of service, or information disclosure. For details, refer to the following external reference websites.
    https://www.jsof-tech.com/ripple20
    https://us-cert.cisa.gov/ics/advisories/icsa-20-168-01
  2. Impacts on our products
    We have determined that our products are not affected by this vulnerability because they do not use Treck TCP/IP stack.
  1. Bluetooth Low Energy Vulnerability (SweynTooth)
    FDA issued the following FDA Safety Communication on March 3, 2020.
    For details, refer to the following external reference website.
    https://www.fda.gov/medical-devices/safety-communications/sweyntooth-cybersecurity-vulnerabilities-may-affect-certain-medical-devices-fda-safety-communication
    It describes information regarding vulnerabilities, named “SweynTooth”, associated with a wireless communication technology known as Bluetooth Low Energy (BLE).
  2. Summary
    Successful exploitation of this vulnerability could allow an attacker within wireless range to cause a deadlock, crash, buffer overflow, or to completely bypass security function. For details, refer to the following external reference website.
    https://www.us-cert.gov/ics/alerts/ics-alert-20-063-01
  3. Impacts on our products
    We have determined that our products are not affected by these vulnerabilities because they do not use Bluetooth Low Energy (BLE).
  1. Vulnerabilities of Remote Desktop Service for Windows
    Microsoft Corp. has disclosed vulnerabilities (CVE-2019-0708, CVE-2019-1181 and CVE-2019-1182) in the remote desktop service (software for remote control from other computers) installed in the Windows OS. An attacker who successfully exploited these vulnerabilities could install programs, or display, modify, or delete data.
  2. Impacts on our products
    Remote Desktop Services is enabled on some of our products. We judge that the impact of this vulnerability is small in the assumed network environment. At the request of the customer, it is possible to take measures such as disabling the remote desktop service. Please contact the sales office where you purchased the product.

    All other products are not affected by these vulnerabilities because the OS that contains these vulnerabilities is uninstalled, or Remote Desktop Services is disabled.
  1. VxWorks Vulnerabilities
    Serious vulnerabilities in VxWorks, named “URGENT/11”, have been announced on the Wind River website, and it is recommended to take urgent measures.
  2. Summary
    URGENT/11 is a set of 11 vulnerabilities found in the VxWorks TCP/IP stack (IPnet), 6 of which are classified as critical vulnerabilities that allow remote code execution. Other vulnerabilities could also be exploited for denial of service or information disclosure. For details, refer to the following external reference websites.
    https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/
    https://www.armis.com/research/urgent11/
  3. Impacts on our products
    In our MRI system, VxWorks is used as an image processor, but due to the equipment configuration, it is highly unlikely that this vulnerability can be exploited, and we have determined that it is not affected by these vulnerabilities.

    All other products are not affected by these vulnerabilities because they do not use VxWorks.
Notice

We currently do not have any urgent announcements.

Inquiries regarding product security

For product security inquiries, contact the sales office where you purchased the product or you are considering purchasing the product.