Latest Updates on Support and Advisory
Vulnerability in Apache Log4j Library Affecting Dedalus Products: December 2021
Advisory ID: Dedalus-apac-log4j-cve2021-44228
First Published: 16th December 2021 14:00 GMT+10
Last Update: 22nd December 2021 15:15 GMT+10
Dear Valued Customer,
Dedalus previously advised that the Australian Cyber Security Centre has published a CRITICAL alert on their website regarding a critical vulnerability in the Apache Log4j library:
Log4j is a popular open source Java package used to enable logging in many popular applications, including some Dedalus products and services.
For a description of this vulnerability, see the Fixed in Log4j 2.15.0 section of the Apache Log4j Security Vulnerabilities page.
Products Under Investigation
The following products are under active investigation by Dedalus to determine whether they are affected by the vulnerability described in this advisory. This section will be updated as information becomes available.
- PAS Connect
Vulnerable Products
Dedalus is investigating its product line to determine which products may be affected by this vulnerability. This section will be updated as information becomes available.
The following table lists Dedalus products that are affected by the vulnerability described in this advisory. If a future release date is indicated for software, the date provided represents an estimate based on all information known to Dedalus as of the Last Updated date at the top of the advisory. Availability dates are subject to change based on a number of factors, including satisfactory testing results and delivery of other priority features and fixes. If no version or date is listed for an affected component (indicated by a blank field and/or an advisory designation of Interim), Dedalus is continuing to evaluate the fix and will update the advisory as additional information becomes available.
|i.PM on Oracle Database**||All Versions||No new release required, see note ** below|
|WebPAS on Oracle Database**||All Versions||No new release required, see note ** below|
|Viaduct (only if sending trace logs to Elasticsearch)||5.12 and above||Release expected prior to 25/12/2021. Please see Notes ++ below.|
|Open Health Connect (OHC) (only if sending trace logs to Elasticsearch)||All Versions||Release expected prior to 25/12/2021. Please see Notes ++ below.|
|EDIS on Oracle Database**||All Versions||No new release required, see note ** below|
|ORMIS on Oracle Database**||All Versions||No new release required, see note ** below|
** The Dedalus product in question (The Application) does not itself use Java log4j. However, for sites running The Application on Oracle, it has been confirmed that Oracle uses Java log4j for logging. Dedalus is aware that Oracle have released patch(es), which are available from Oracle directly. The development team has reviewed The Application, and Dedalus does not expect the Oracle patch(es) to cause any issues for The Application. Dedalus will continue to provide support for The Application at sites that install the Oracle patch(es).
++ Dedalus has recommended mitigations that can be implemented whilst awaiting a Fixed Release. Please log a task in the iAssist Customer Portal and our team will share the relevant information with you.
If you are using a Dedalus product listed in the table above, or have any other related queries, please log a task in the iAssist Customer Portal and our team will share the relevant, current remediation recommendations with you.
Products Confirmed Not Vulnerable
Any product not listed in the Products Under Investigation or Vulnerable Products section of this advisory is to be considered not vulnerable. Because this is an ongoing investigation, be aware that products that are currently considered not vulnerable may subsequently be considered vulnerable as additional information becomes available.
At the time of publishing, Dedalus has confirmed that this vulnerability does not affect the following Dedalus products:
|Product – PAS||Version|
|i.PM on SQL||All Versions|
|webPAS running on Informix||All Versions|
|webPAS running on SQL||All Versions|
|HBCIS / HOMER||All Versions|
|i.PM Claim Manager||All Versions|
|Eclipse Server Adapter||All Versions|
|Product – Clinicals||Version|
|EDIS – SQL / Datafile||All Versions|
|ED iIE||All Versions|
|EDIS Gateway||All Versions|
|ORMIS – SQL / Datafile||All Versions|
|ORMIS Gateway||All Versions|
|i.Pharmacy SMA||All Versions|
|i.Pharmacy PBS Online||All Versions|
|HealthPoint Viaduct (ICSga)||All Versions|
|HealthPoint Claim Host environment||All Versions|
|HealthPoint Claim Server||All Versions|
|Viaduct (when not sending trace logs to Elasticsearch)||5.12+|
|OHC (when not sending trace logs to Elasticsearch)||All Versions|
|HIE Suite||All Versions|
Dedalus Hosted and Delivered Systems:
For any customer who uses a Dedalus hosted service or capability, our Managed Services Team will contact you directly regarding your services.
As the investigation progresses, Dedalus will update this advisory with information about affected products and steps to remedy.
If there are any questions or queries, please do not hesitate to log a task in the iAssist Customer Portal and our team will respond accordingly.
– Dedalus Team
|1.0||16 Dec 2021, 14:00 GMT+10||Initial Release|
|1.1||16 Dec 2021, 18:00 GMT+10||URL for iAssist provided, Addition of HealthPoint Product family.|
|1.2||17 December, 16:30 GMT+10||Updates to ‘Products Confirmed not Vulnerable’ and ‘Vulnerable Products’ including notes ** and ++|
|1.3||This release, see above||HIE Suite moved to Not Vulnerable.|