Latest Updates on Support and Advisory

Vulnerability in Apache Log4j Library Affecting Dedalus Products: December 2021

 

AdvisoryID : Dedalus-apac-log4j-cve2021-44228

First Published : 16th December 2021 14:00 GMT+10

Last Update : 22nd December 2021 15:15 GMT+10

Version 1.3

 

Dear Valued Customer,

Dedalus previously advised that the Australian Cyber Security Centre has published a CRITICAL alert on their website regarding a critical vulnerability in the Apache Log4j library:

https://www.cyber.gov.au/acsc/view-all-content/alerts/critical-remote-code-execution-vulnerability-found-apache-log4j2-library

Log4j is a popular open source Java package used to enable logging in many popular applications, including some Dedalus products and services.

For a description of this vulnerability, see the Fixed in Log4j 2.15.0 section of the Apache Log4j Security Vulnerabilities page.

 

Products Under Investigation

The following products are under active investigation by Dedalus to determine whether they are affected by the vulnerability described in this advisory. This section will be updated as information becomes available.

  • PAS Connect

Vulnerable Products

Dedalus is investigating its product line to determine which products may be affected by this vulnerability. This section will be updated as information is available.

The following table lists Dedalus products that are affected by the vulnerability described in this advisory. If a future release date is indicated for software, the date provided represents an estimate based on all information known to Dedalus as of the Last Updated date at the top of the advisory. Availability dates are subject to change based on a number of factors, including satisfactory testing results and delivery of other priority features and fixes. If no version or date is listed for an affected component (indicated by a blank field and/or an advisory designation of Interim), Dedalus is continuing to evaluate the fix and will update the advisory as additional information becomes available.

 

| Product | Version | Fixed Release |
|---|---|---|
| i.PM on Oracle Database** | All Versions | No new release required, see note ** below |
| WebPAS on Oracle Database** | All Versions | No new release required, see note ** below |
| Viaduct (only if sending trace logs to ElasticSearch) | 5.12 and above | Release expected prior to 25/12/2021. Please see Notes ++ below. |
| Open Health Connect (OHC) (only if sending trace logs to ElasticSearch) | All Versions | Release expected prior to 25/12/2021. Please see Notes ++ below. |
| EDIS on Oracle Database** | All Versions | No new release required, see note ** below |
| ORMIS on Oracle Database** | All Versions | No new release required, see note ** below |

** The Dedalus product in question (The Application) does not itself use Java log4j. However, for sites running The Application on Oracle, it has been confirmed that Oracle uses Java log4j for logging. Dedalus is aware that Oracle has released patch(es), which are available from Oracle directly. The development team has reviewed The Application, and Dedalus does not expect the Oracle patch(es) to cause any issues for The Application. Dedalus will continue to provide support for The Application for sites that install the Oracle patch(es).

++ Dedalus has recommended mitigations that can be implemented whilst awaiting a Fixed Release. Please log a task in the iAssist Customer Portal and our team will share the relevant information with you.

 

If you are using a Dedalus product listed in the table above, or if you have any other related queries, please log a task in the iAssist Customer Portal and our team will share the relevant, current remediation recommendations with you.

 

Products Confirmed Not Vulnerable

Any product not listed in the Products Under Investigation or Vulnerable Products section of this advisory is to be considered not vulnerable. Because this is an ongoing investigation, be aware that products that are currently considered not vulnerable may subsequently be considered vulnerable as additional information becomes available.

At the time of publishing Dedalus has confirmed that this vulnerability does not affect the following Dedalus products:

 

| Product – PAS | Version |
|---|---|
| i.PM on SQL | All Versions |
| iIE | All Versions |
| webPAS running on Informix | All Versions |
| webPAS running on SQL | All Versions |
| HBCIS / HOMER | All Versions |
| i.PM Claim Manager | All Versions |
| Eclipse Server Adapter | All Versions |
| UltraGenda | All Versions |
| NHL7 | All Versions |

 

| Product – Clinicals | Version |
|---|---|
| EDIS – SQL / Datafile | All Versions |
| ED iIE | All Versions |
| EDIS Gateway | All Versions |
| ORMIS – SQL / Datafile | All Versions |
| ORMIS Gateway | All Versions |
| i.Pharmacy | All Versions |
| i.Pharmacy SMA | All Versions |
| i.Pharmacy PBS Online | All Versions |
| ePharmacy | All Versions |
| MedChart | All Versions |
| LabCentre | All Versions |
| i.CM | All Versions |

 

| Product Integration | Version |
|---|---|
| HealthPoint Viaduct (ICSga) | All Versions |
| HealthPoint Claim Host environment | All Versions |
| HealthPoint Claim Server | All Versions |
| Viaduct | <5.12 |
| Viaduct (when not sending trace logs to Elastic Search) | 5.12+ |
| OHC (when not sending trace logs to Elastic Search) | All Versions |
| HIE Suite | All Versions |

 

Dedalus Hosted and Delivered Systems:

For any customer who uses a Dedalus hosted service or capability, our Managed Services Team will provide you with a direct communication regarding your services.

Ongoing Advisory:

As the investigation progresses, Dedalus will update this advisory with information about affected products and steps to remedy.

If there are any questions or queries, please do not hesitate to log a task in the iAssist Customer Portal and our team will respond accordingly.

Kind regards

– Dedalus Team

——————————————————————————————————————————————————————————

Version Control

| Version | Released | Description |
|---|---|---|
| 1.0 | 16 Dec 2021, 14:00 GMT+10 | Initial Release |
| 1.1 | 16 Dec 2021, 18:00 GMT+10 | URL for iAssist provided, Addition of HealthPoint Product family. |
| 1.2 | 17 December, 16:30 GMT+10 | Updates to ‘Products Confirmed not Vulnerable’ and ‘Vulnerable Products’ including notes ** and ++ |
| 1.3 | This release, see above | HIE Suite moved to Not Vulnerable. |

 
