Product Security Advisories
FUJIFILM Corporation
Response to Apache Log4j Vulnerability (Log4Shell) (2021)
- Apache Log4j Vulnerability (Log4Shell)
Log4j is a widely used logging tool in Java applications and is provided by the Apache Software Foundation. A vulnerability in Log4j versions 2.0-beta9 through 2.14.1 allows an attacker to remotely execute arbitrary code. For details, please refer to the following external reference website.
https://logging.apache.org/log4j/2.x/security.html
- Impacts on our products
SYNAPSE VNA software versions 6.3 and later may be affected by this vulnerability.
Fujifilm has released a mitigation script that must be applied to each SYNAPSE VNA software installation.
All other products are unaffected.
For security inquiries about this issue, contact the sales office where you purchased, or are considering purchasing, the product.
Response to multiple vulnerabilities (Ripple20) in Treck TCP/IP stack (2020)
- Treck TCP/IP stack vulnerabilities
19 vulnerabilities, collectively named Ripple20, were found in the Treck TCP/IP stack. Exploitation of these vulnerabilities could result in remote code execution, denial of service, or information disclosure. For details, refer to the websites below.
https://www.jsof-tech.com/ripple20
https://us-cert.cisa.gov/ics/advisories/icsa-20-168-01
- Impacts on our products
Our products do not use the Treck TCP/IP stack, which has these vulnerabilities. Therefore, we have determined that they are not affected by these vulnerabilities.
Response to Bluetooth Low Energy Vulnerabilities (SweynTooth) (2020)
- Bluetooth Low Energy Vulnerability (SweynTooth)
FDA issued the following FDA Safety Communication on March 3, 2020.
SweynTooth Cybersecurity Vulnerabilities May Affect Certain Medical Devices (FDA Safety Communication)
It describes information regarding vulnerabilities, named “SweynTooth”, associated with a wireless communication technology known as Bluetooth Low Energy (BLE).
- Summary
Successful exploitation of this vulnerability could allow an attacker within wireless range to cause a deadlock, crash, or buffer overflow, or to completely bypass security functions. For details, refer to the website below.
https://www.us-cert.gov/ics/alerts/ics-alert-20-063-01
- Impacts on our products
Our products do not have a Bluetooth function that uses the vulnerable Bluetooth Low Energy (BLE). Therefore, we have determined that they are not affected by these vulnerabilities.
Response to Vulnerabilities of Remote Desktop Service for Windows (2019)
- Vulnerabilities of Remote Desktop Service for Windows
Microsoft Corp. has disclosed vulnerabilities (CVE-2019-0708, CVE-2019-1181 and CVE-2019-1182) in the remote desktop service (software for remote control from other computers) installed in the Windows OS. An attacker who successfully exploited these vulnerabilities could install programs and view, modify, or delete data.
- Impacts on our products
Our products are not affected by these vulnerabilities, but since Microsoft has released patches for them, we have also completed the patch application evaluation for the products that use the affected Windows versions. If you would like to apply the patch, contact the sales office where you purchased the product. In addition, to maintain the security of our products, refer to the Reference section below for ensuring the security of your network.
- Reference
The following countermeasures are effective against vulnerabilities of the remote desktop service in the customer's network environment.
(a) Disallowing the use of Remote Desktop Services
If the Windows settings make it possible to allow or disallow the use of remote desktop services, disallow it.
(b) Communication route control
In the network to which our products are connected, configure the network devices to prohibit communication from any computer other than those permitted to access our products.
(c) Control of communication protocol and communication port
Since attacks on the remote desktop service use the following communication protocol and communication port, configure the network devices so that they do not allow this communication.
Service used: Remote desktop service
Protocol type and port number used: TCP port 3389
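A read-only check of countermeasures (a) to (c) on a Windows host, given here as an added example that is not part of the original advisory or of Fujifilm's tooling. The function name Get-RdpExposure is hypothetical, and the script assumes the NetTCPIP and NetSecurity modules (Windows 8 / Server 2012 or later) and the default port 3389 named above.

```powershell
# Added example: audits RDP exposure without changing any setting on the host.
# Get-RdpExposure is a hypothetical name; run from an elevated PowerShell prompt.
function Get-RdpExposure {
    param([int]$Port = 3389)   # TCP port named in countermeasure (c)

    # (a) fDenyTSConnections = 1 means Remote Desktop connections are disallowed.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections

    # (c) Is any process listening on the RDP port?
    $listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)

    # (b)/(c) Enabled inbound allow rules that cover the port, with the remote
    # addresses they admit. Port ranges such as "3380-3390" are not expanded here.
    $allowRules = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
        $pf = $rule | Get-NetFirewallPortFilter
        $coversProtocol = $pf.Protocol -in 'TCP', 'Any'
        $coversPort     = ($pf.LocalPort -contains "$Port") -or ($pf.LocalPort -contains 'Any')
        if ($coversProtocol -and $coversPort) {
            $af = $rule | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                RemoteAddress = ($af.RemoteAddress -join ',')
            }
        }
    }

    [pscustomobject]@{
        RdpDisallowed  = ($deny -eq 1)              # countermeasure (a)
        PortListening  = ($listeners.Count -gt 0)   # countermeasure (c), host side
        AllowRules     = @($allowRules)             # countermeasure (b): who may connect
        OpenToAnyHost  = [bool](@($allowRules) | Where-Object { $_.RemoteAddress -eq 'Any' })
    }
}

# Summarise the result, then list the firewall rules that still admit the port.
$result = Get-RdpExposure
$result | Format-List RdpDisallowed, PortListening, OpenToAnyHost
$result.AllowRules | Format-Table -AutoSize
```

A host meets (a) when RdpDisallowed is True and PortListening is False; where RDP must stay enabled, OpenToAnyHost should be False and every RemoteAddress entry should be a permitted computer, with the same restriction enforced on the network devices.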
Response to VxWorks Vulnerabilities (2019)
- VxWorks Vulnerabilities
Serious vulnerabilities in VxWorks, named “URGENT/11”, have been announced on Wind River's website, and urgent measures are recommended.
- Summary
URGENT/11 is a set of 11 vulnerabilities found in the VxWorks TCP/IP stack (IPnet), 6 of which are classified as critical vulnerabilities that allow remote code execution. The other vulnerabilities could be exploited for denial of service or information disclosure. For details, refer to the websites below.
TCP/IP Network Stack (IPnet, Urgent/11) (Wind River)
URGENT/11 (Armis)
- Impacts on our products
Our products do not include VxWorks using the IPnet stack that contains these vulnerabilities, and we have determined that they are not affected by these vulnerabilities.
FUJIFILM Healthcare Corporation
Response to Apache Log4j Vulnerability (Log4Shell) (2021)
- Apache Log4j Vulnerability (Log4Shell)
Log4j is a widely used logging tool in Java applications and is provided by the Apache Software Foundation. A vulnerability in Log4j versions 2.0-beta9 through 2.14.1 allows an attacker to remotely execute arbitrary code. For details, please refer to the following external reference website.
https://logging.apache.org/log4j/2.x/security.html
- Impacts on our products
We have determined that our products are not affected by this vulnerability because they do not use the associated versions of Apache Log4j.
However, our remote services server, which is used to maintain our products, runs an affected version of Apache Log4j; we have confirmed that the function containing the vulnerability has been disabled.
BlackBerry Real-Time Operating System (RTOS) "QNX" Vulnerability (2021)
- BlackBerry Real-Time Operating System (RTOS) "QNX" Vulnerability
BlackBerry has announced a vulnerability (CVE-2021-22156) in the QNX Real Time Operating System (RTOS).
Exploitation of this vulnerability could lead to a denial of service or arbitrary code execution on the affected device. For details, please refer to the external reference websites below.
https://support.blackberry.com/kb/articleDetail?articleNumber=000082334
https://us-cert.cisa.gov/ncas/alerts/aa21-229a
- Impacts on our products
We have determined that our products are not affected by this vulnerability because they do not use BlackBerry real-time operating system (RTOS) "QNX".
Response to multiple vulnerabilities (Ripple20) in Treck TCP/IP stack (2020)
- Treck TCP/IP stack vulnerabilities
19 vulnerabilities, collectively named Ripple20, were found in the Treck TCP/IP stack. Exploitation of these vulnerabilities could result in remote code execution, denial of service, or information disclosure. For details, refer to the following external reference websites.
https://www.jsof-tech.com/ripple20
https://us-cert.cisa.gov/ics/advisories/icsa-20-168-01
- Impacts on our products
We have determined that our products are not affected by these vulnerabilities because they do not use the Treck TCP/IP stack.
Response to Bluetooth Low Energy Vulnerabilities (SweynTooth) (2020)
- Bluetooth Low Energy Vulnerability (SweynTooth)
FDA issued the following FDA Safety Communication on March 3, 2020.
For details, refer to the following external reference website.
https://www.fda.gov/medical-devices/safety-communications/sweyntooth-cybersecurity-vulnerabilities-may-affect-certain-medical-devices-fda-safety-communication
It describes information regarding vulnerabilities, named “SweynTooth”, associated with a wireless communication technology known as Bluetooth Low Energy (BLE).
- Summary
Successful exploitation of this vulnerability could allow an attacker within wireless range to cause a deadlock, crash, or buffer overflow, or to completely bypass security functions. For details, refer to the following external reference website.
https://www.us-cert.gov/ics/alerts/ics-alert-20-063-01
- Impacts on our products
We have determined that our products are not affected by these vulnerabilities because they do not use Bluetooth Low Energy (BLE).
Response to Vulnerabilities of Remote Desktop Service for Windows (2019)
- Vulnerabilities of Remote Desktop Service for Windows
Microsoft Corp. has disclosed vulnerabilities (CVE-2019-0708, CVE-2019-1181 and CVE-2019-1182) in the remote desktop service (software for remote control from other computers) installed in the Windows OS. An attacker who successfully exploited these vulnerabilities could install programs and view, modify, or delete data.
- Impacts on our products
Remote Desktop Services is enabled on some of our products. We judge that the impact of this vulnerability is small in the assumed network environment. At the request of the customer, it is possible to take measures such as disabling the remote desktop service. Please contact the sales office where you purchased the product.
All other products are not affected by these vulnerabilities because the OS that contains these vulnerabilities is not installed, or Remote Desktop Services is disabled.
Response to VxWorks Vulnerabilities (2019)
- VxWorks Vulnerabilities
Serious vulnerabilities in VxWorks, named “URGENT/11”, have been announced on Wind River's website, and urgent measures are recommended.
- Summary
URGENT/11 is a set of 11 vulnerabilities found in the VxWorks TCP/IP stack (IPnet), 6 of which are classified as critical vulnerabilities that allow remote code execution. The other vulnerabilities could be exploited for denial of service or information disclosure. For details, refer to the following external reference websites.
https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/
https://www.armis.com/research/urgent11/
- Impacts on our products
In our MRI system, VxWorks is used in the image processor, but because of the equipment configuration it is highly unlikely that these vulnerabilities can be exploited, and we have determined that the system is not affected by them.
All other products are not affected by these vulnerabilities because they do not use VxWorks.
Notice
We currently do not have any urgent announcements.