On December 9 2021, a new critical vulnerability has been identified in Apache Log4j. On December 10, NIST published a critical CVE in the National Vulnerability Databased identifying this as CVE-2021-44228. The official CVSS based severity score has been determined as a severity of 10.0 and is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. A remote attacker can leverage this vulnerability to take full control of a vulnerable machine. Apache Log4j versions 2.0 through 2.14.1 are affected.
We strongly encourage customers who manage environments containing Log4j to update or apply the appropriate mitigations. Guidance on the vulnerability and mitigations measures can be found here
AGFA HealthCare is currently assessing all HealthCare products, all the third-party products we use/integrate and all the Service/Support tools in use.
At this time we can confirm the following AGFA HealthCare products are NOT affected:
- AGFA HealthCare Scheduling
- AMF/GRIP Monitoring
- Connectivity Manager
- DeepUnity Xchange (formerly known as EI Transport)
- Enterprise Imaging (DataBase, Core Server, Web Server)
- Enterprise Imaging Business Intelligence
- Enterprise Imaging Critical Findings
- Enterprise Imaging Teaching Files
- IMPAX/EI GTI
- IMPAX ES
- IMPAX RIS
- XERO Universal Viewer
- XERO Portal & predecessor Patient Portal Lite
- XERO XTEND
We continue to work 24/7 with our third-party partners to establish their potential exposure, and corrective action planning should any of their solutions are found to be impacted by this vulnerability.
More information can be found at any time via our AGFA HealthCare Customer Portal, where we have published a Knowledge Article (KA0025709), which will continually receive updates as third-party platforms and software solutions have been validated.
For further inquiries please access the Customer Portal or contact your local AGFA HealthCare representatives.