15 December 2021 | 18:11 Europe/Amsterdam

BIOTRONIK Statement on the Log4Shell Vulnerability

Updated December 21, 2021

The discovery of a high-severity vulnerability known as Log4Shell was disclosed publicly on December 9, 2021, while a related lower-severity vulnerability was disclosed on December 14, 2021. These vulnerabilities are present in a software library used by many servers worldwide (see Background for details). In light of this recent discovery, BIOTRONIK has carefully analyzed all of its provided services. The analysis concluded that the conditions for exploitation of the Log4Shell vulnerability and the related CVE-2021-45046 and CVE-2021-45105 vulnerabilities do not exist in any of BIOTRONIK’s medical devices (see Technical Information for details of the systems analyzed).

A very limited condition for exploitation of the Log4Shell vulnerability exists for the BIOTRONIK EHR DataSync Adapter, if a non-default configuration for logging is set as described in the technical information below. This condition is further limited by the fact that data input required for exploitation could only be conducted by authorized users of the Home Monitoring Service Center who have the rights to change patient data. To eliminate this very low risk of exploitation, BIOTRONIK has taken immediate action and will provide an update for the EHR DataSync Adapter by December 22, 2021. Until then, clinic IT administrators should ensure that the log level settings of their EHR DataSync Adapter system are set to default as described in the technical information below.

Background

A high-severity vulnerability known as Log4Shell (CVE-2021-44228, CVSSv3 10.0) present in a software library used by many servers worldwide was disclosed publicly on December 9, 2021. The affected library is “Apache Log4j2” in versions 2.0 to 2.14.1 from the Apache Foundation. It is an open source Java logging framework that allows software developers to write log entries (i.e. text describing an action that the application has just performed) to files or dedicated log servers. The vulnerability allows for unauthenticated remote code execution and is therefore highly critical if conditions for its exploitation are present.

A related vulnerability (CVE-2021-45046, CVSSv3 9.0) affecting Log4j in versions 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 was disclosed on December 14, 2021. This vulnerability allows for exfiltration of information and unauthenticated remote code execution in some environments, and unauthenticated local code execution in all environments.

- Update 20 December, 2021 - 

Another related vulnerability (CVE-2021-45105, CVSSv3 7.5) affecting Log4j in versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) was disclosed on December 18, 2021. This vulnerability allows for a denial of service attack.

- Update 21 December, 2021 -

Updated the information on CVE-2021-45046 and CVE-2021-45105 as published by NIST.

Technical Information

The following systems comprise the services provided by BIOTRONIK and have been thoroughly analyzed:

Home Monitoring Service Center
Not affected by either vulnerability. Log4j2 is not used

Implantable Device Programmer Renamic & Renamic Neo
Not affected by either vulnerability. Log4j2 is not used

BIOTRONIK Cloud Service infrastructure
Not affected by either vulnerability. Log4j2 is not used

Patient App Interface
Not affected by either vulnerability. Log4j2 is not used

ProMRI System Check Web Site
Not affected by either vulnerability. Log4j2 is not used

BIOTRONIK EHR DataSync Adapter
Not affected by CVE-2021-45046 or CVE-2021-45105. The adapter does not use a non-default pattern layout.
Affected by Log4Shell. The EHR DataSync Adapter uses Log4j2 in a version that is affected by the Log4Shell vulnerability. To exploit the vulnerability, all of the following conditions must exist:

  • The logging level of the EHR DataSync Adapter needs to be set to TRACE, DEBUG or ALL. This is not the default configuration and would have to be explicitly set by the clinic’s IT administration responsible for the EHR DataSync Adapter. 
  • An attacker would need to have credentials of an HMSC user with write access to patient data. Note that the clinic’s user administrators have control over user access to patient data.
  • The server running the EHR DataSync Adapter must be able to establish a connection to a destination controlled by the attacker.

Mitigation Measures:

  1. In clinics where the EHR DataSync Adapter is in use, IT administrators are urged to ensure that the logging level of the EHR DataSync Adapter is set to the default of INFO to eliminate all risk of exploitation.
  2. To eliminate all risk of exploitation of the vulnerability, BIOTRONIK will provide an updated version of the EHR DataSync Adapter by December 22, 2021, and reach out to affected clinics proactively.
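The first mitigation measure is a configuration check that clinic IT administrators can script. The following is an added illustration, not BIOTRONIK's tooling, and it makes no assumption about where the EHR DataSync Adapter actually stores its Log4j2 configuration (the file names and logger names in it are constructed placeholders). It parses the two standard Log4j2 configuration formats (XML and .properties) and reports every logger set to TRACE, DEBUG or ALL; as a check that goes beyond the page, it also flags PatternLayout patterns containing a Thread Context lookup (`${ctx:...}`), which is the "non-default pattern layout" condition the statement refers to for CVE-2021-45046.

```python
"""Audit a Log4j2 configuration for the conditions named in the advisory.

Added example, not part of the original statement or BIOTRONIK's software.
The sample configurations below are constructed for illustration only.
"""
import xml.etree.ElementTree as ET

# Log4j2 levels that enable the verbose logging the advisory warns about.
VERBOSE_LEVELS = {"trace", "debug", "all"}


def audit_log4j2_xml(xml_text):
    """Return findings for a Log4j2 XML configuration.

    Each finding is a tuple: ("level", logger name, level) for a logger at a
    verbose level, or ("pattern", "PatternLayout", pattern) for a layout that
    uses a Thread Context lookup. An empty list means the checks passed.
    """
    findings = []
    root = ET.fromstring(xml_text)

    # Any PatternLayout whose pattern performs a ${ctx:...} lookup.
    for elem in root.iter():
        if elem.tag.lower() == "patternlayout":
            pattern = elem.get("pattern") or ""
            if "{ctx:" in pattern:
                findings.append(("pattern", "PatternLayout", pattern))

    # <Root level="..."> and <Logger name="..." level="..."> under <Loggers>.
    loggers = root.find("Loggers")
    if loggers is not None:
        for elem in loggers:
            tag = elem.tag.lower()
            if tag == "root":
                name = "root"
            elif tag == "logger":
                name = elem.get("name", "<unnamed>")
            else:
                continue
            level = (elem.get("level") or "").strip().lower()
            if level in VERBOSE_LEVELS:
                findings.append(("level", name, level))
    return findings


def audit_log4j2_properties(props_text):
    """Same level check for the .properties format.

    Looks at the explicit keys 'rootLogger.level' and 'logger.<id>.level';
    the logger name reported is the key prefix (e.g. 'logger.adapter').
    """
    findings = []
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "rootLogger.level":
            name = "root"
        elif key.startswith("logger.") and key.endswith(".level"):
            name = key[: -len(".level")]
        else:
            continue
        if value.lower() in VERBOSE_LEVELS:
            findings.append(("level", name, value.lower()))
    return findings


# Constructed sample: the weak configuration (verbose levels plus a ctx lookup).
WEAK_XML = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p $${ctx:loginId} %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Logger name="com.example.adapter" level="trace"/>
    <Root level="DEBUG">
      <AppenderRef ref="Console"/>
    </Root>
  </Loggers>
</Configuration>
"""

# Constructed sample: the corrected configuration (root at INFO, default layout).
HARDENED_XML = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c - %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
    </Root>
  </Loggers>
</Configuration>
"""

WEAK_PROPS = "status = warn\nrootLogger.level = debug\nlogger.adapter.name = com.example.adapter\nlogger.adapter.level = TRACE\n"
HARDENED_PROPS = "status = warn\nrootLogger.level = info\n"

if __name__ == "__main__":
    for label, text, audit in (("weak xml", WEAK_XML, audit_log4j2_xml),
                               ("hardened xml", HARDENED_XML, audit_log4j2_xml),
                               ("weak properties", WEAK_PROPS, audit_log4j2_properties),
                               ("hardened properties", HARDENED_PROPS, audit_log4j2_properties)):
        print(label, "->", audit(text) or "OK")
```

Run it against the adapter's real configuration file by reading that file into `audit_log4j2_xml` or `audit_log4j2_properties`; any `level` finding means the first mitigation measure has not been applied, and the fix is to set the reported logger back to `info`.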


At BIOTRONIK, we take cybersecurity very seriously and we are strongly committed to providing safe and reliable cardiovascular devices and systems that improve the lives of millions of patients. Our cybersecurity management process is carefully designed according to the recommendations of the US FDA’s guidance to identify and control risks in all relevant devices and systems.

We continue to monitor, test and analyze the safety of our devices and systems regularly.

For any questions, please do not hesitate to contact your local BIOTRONIK representative or email us at info@biotronik.com.

About BIOTRONIK:

BIOTRONIK is a leading medical device company that has been developing trusted and innovative cardiovascular and endovascular solutions for more than 50 years. Driven by a purpose to perfectly match technology with the human body, BIOTRONIK innovations deliver care that saves and improves the lives of millions diagnosed with heart and blood vessel diseases every year. BIOTRONIK is headquartered in Berlin, Germany, and represented in over 100 countries.