Question
Are there any dependencies of IBA Dosimetry products on log4j (Log4Shell vulnerability)?
Answer
A serious vulnerability related to the log4j exploit was identified as a potential threat to many software applications on the market. Following a detailed risk assessment of all our product lines/versions, we have determined that the only product affected is myQA iON v1.2 (software application for proton therapy). For this product, a patch is already available, and all subsequent versions will no longer present a risk with respect to the aforementioned vulnerability.
To reiterate, all other products, software applications and versions developed by IBA Dosimetry have no dependency on log4j and present no log4j-related vulnerability of any kind.
Current situation for myQA iON 1.2 and recommendations
myQA iON 1.2 contains the vulnerable version 2.13.3 of the log4j2 software and is therefore classified as affected and potentially vulnerable. As of now, there is no known exploit of myQA iON 1.2 using the log4j2 vulnerability.
As a first and immediate precaution to mitigate attack vectors from outside the clinic network, we recommend not exposing myQA iON to any network outside the internal secure clinic network and restricting access to its web services, as far as reasonably possible, to dedicated endpoints inside the clinic network only.
We have already implemented a fix eliminating this vulnerability which we will release and distribute with the next version of myQA iON (2.0) and all subsequent versions.
We can also offer to eliminate this vulnerability in the currently installed version of myQA iON 1.2 by exchanging the affected logging library (from version 2.13.3 to 2.17.1). If you would like this fix applied, please contact your IBA Dosimetry service representative to arrange a support call.
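A defender-side check for the library exchange described above: it inventories the log4j-core jars under an installation directory and compares each version with the remediated version 2.17.1 named in this advisory. This is an added example, not IBA Dosimetry code; the directory layout and jar contents are constructed, and the version is read from the Maven pom.properties file that log4j-core jars ship.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Version the advisory moves myQA iON 1.2 to; any log4j-core below it is flagged.
REMEDIATED = (2, 17, 1)
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.13.3' -> (2, 13, 3); only the first three numeric fields are compared."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def log4j_core_version(jar_path):
    """Version of log4j-core packaged in jar_path, or None if the jar is not log4j-core.
    Maven-built log4j-core jars carry pom.properties with a 'version=' line."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PATH not in zf.namelist():
            return None
        for line in zf.read(POM_PATH).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1])
    return None

def scan(root):
    """Map each log4j-core jar under root to (version, below_remediated)."""
    findings = {}
    for jar in sorted(Path(root).rglob("*.jar")):
        version = log4j_core_version(jar)
        if version is not None:
            findings[jar.name] = (version, version < REMEDIATED)
    return findings

def make_sample_jar(directory, version):
    """Constructed fixture: a minimal jar that looks like log4j-core <version>."""
    path = Path(directory) / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PATH, f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
    return path

def demo():
    """Scan a constructed install tree holding the 2.13.3 jar named in the advisory and a 2.17.1 one."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        make_sample_jar(lib, "2.13.3")
        make_sample_jar(lib, "2.17.1")
        return scan(tmp)

if __name__ == "__main__":
    for name, (version, flagged) in demo().items():
        print(name, ".".join(map(str, version)), "below remediated version" if flagged else "ok")
```

Point `scan()` at the real installation root instead of the constructed tree to confirm that only 2.17.1 or later remains after the support call.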
How can I contact the IBA Dosimetry Service and Support team?
What is Log4Shell?
Log4Shell is the common name of a software vulnerability (CVE-2021-44228, published Dec. 10th, 2021, https://nvd.nist.gov/vuln/detail/CVE-2021-44228) affecting the widely used Apache Log4j2 software component. An attacker exploiting this vulnerability can potentially execute arbitrary code on the machine running the affected software, for example to leak sensitive data or run malicious software.
What is Log4j?
Log4j is a logging library for Java applications. Log4j provides additional logging capabilities, mechanisms to write to different log files, log rolling patterns, and more.