Updated: 12 July 2022
Products Covered: Spacelabs Patient Monitoring Products

Security Advisory

VMware “Spring4Shell” Vulnerability Assessment and Potential Product Impact Statement

1. VULNERABILITY OVERVIEW
Spacelabs Healthcare has been made aware of a recently published security vulnerability known as “Spring4Shell” (CVE-2022-22965). It is a Remote Code Execution (RCE) vulnerability in VMware’s Spring Core Java framework, a popular open-source framework for developing Java-based web applications, and it affects Spring MVC and Spring WebFlux based applications running on JDK 9 or later.

Due to a parameter binding bug in the Spring Core framework, an attacker can send a specially crafted HTTPS request to a server running the Spring Core framework and gain unauthenticated, unauthorized remote access to the system. Successful exploitation of this vulnerability could allow an unauthorized attacker to gain unauthenticated access to the system, use a webshell from the browser, access the server’s resources, and write arbitrary code to the server through the webshell.

To exploit this vulnerability, the application must be deployed on a standalone Apache Tomcat servlet container as a WAR (Web Archive) package/file, must have a spring-webmvc or spring-webflux dependency, and must use Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or older. However, because the underlying bug is more general in nature, there could be other ways to exploit this vulnerability. Therefore, any system using JDK 9 or above together with the Spring framework or a derivative framework should be considered vulnerable.

2. RISK ASSESSMENT SUMMARY
Spacelabs has conducted an assessment to identify the potential impact on our products. Our assessment has found that no Spacelabs products are impacted by this vulnerability.

Spacelabs considers the operational risk to its products from a Spring4Shell attack to be low.

Spacelabs Patient Monitoring and Connectivity (PMC) and Diagnostic Cardiology (DC) products do not use the JDK, the Spring Core Framework or Apache Tomcat servers for deployment, and they have no dependencies on those tools or frameworks; they are therefore not impacted by this vulnerability. Apache, VMware and other stakeholders have released patches for their affected products, which customers can install as necessary.

As Spacelabs continues to gain a deeper understanding of the impact of this vulnerability, we will continue to publish technical information to help customers detect, investigate, and mitigate the vulnerability across all our products where applicable.

3. RECOMMENDATIONS
Spacelabs recommends the following general cybersecurity actions for an enterprise environment.

  • If Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or older are running in the customer’s IT infrastructure, upgrade to Spring Framework 5.3.18+ or 5.2.20+, which contain the fixes.
  • Block suspicious external IP addresses at the enterprise firewalls. Monitor traffic internally for unusual behavior.
  • Apply applicable patches, hotfixes, and updates to servers and products when available and after they have been validated.
  • Implement defense-in-depth within the enterprise environment consisting of tools such as Intrusion Detection System / Intrusion Prevention Systems (IDS/IPS), firewalls, and Network Access Control (NAC).
  • Implement and maintain an anti-malware solution (also called “anti-virus”) and an Endpoint Detection and Response (EDR) solution.
  • Disable remote access services and protocols such as Remote Desktop Protocol (RDP) unless needed. Monitor and restrict remote access usage on a least-privilege basis.
  • Have backup and restore processes and procedures in place for disaster recovery and incident response.
  • Monitor and maintain account provisioning and access control based on the principle of least privilege.
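The first recommendation above turns on the affected and fixed Spring Framework version ranges, and section 1 names the deployment shape to look for (a WAR with a spring-webmvc or spring-webflux dependency). The following Python script is an added example, not part of the Spacelabs advisory, that converts those ranges into an inventory check: it walks a directory tree, opens every .jar/.war/.ear archive and the jars nested under a WAR's WEB-INF/lib, and reports Spring Framework modules whose version is 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or older than 5.2.0. It assumes each jar's META-INF/MANIFEST.MF carries Implementation-Title and Implementation-Version headers; the deployment tree it scans in demo() is constructed in a temporary directory.

```python
"""Inventory check for Spring4Shell (CVE-2022-22965) exposure: walk a directory
tree, open every .jar/.war/.ear (and jars nested under a WAR's WEB-INF/lib), and
report Spring Framework modules in an affected range (5.3.0-5.3.17, 5.2.0-5.2.19,
or older than 5.2.0). Assumption: module name and version are taken from the jar's
META-INF/MANIFEST.MF (Implementation-Title / Implementation-Version headers)."""
import io
import os
import re
import tempfile
import zipfile
from typing import Iterator, List, Optional, Tuple

FIXED_5_3, FIXED_5_2 = (5, 3, 18), (5, 2, 20)   # first fixed releases named in the advisory
SPRING_MODULES = {"spring-beans", "spring-core", "spring-web", "spring-webmvc", "spring-webflux"}
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")
Finding = Tuple[str, str, str]   # (location, module, version)

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """'5.3.17', '5.3.17.RELEASE' or '5.2.20-SNAPSHOT' -> (major, minor, patch)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None

def is_vulnerable_spring_version(version: str) -> bool:
    """True when the Spring Framework version falls in an affected range."""
    v = parse_version(version)
    if v is None:
        return False          # unparseable: leave for manual review
    if v >= (5, 3, 0):
        return v < FIXED_5_3  # 5.3.0-5.3.17 affected; 5.3.18+ and 6.x are not
    if v >= (5, 2, 0):
        return v < FIXED_5_2  # 5.2.0-5.2.19 affected; 5.2.20+ is not
    return True               # the advisory treats anything older as affected

def parse_manifest(data: bytes) -> dict:
    """JAR manifest -> dict; a line starting with one space continues the previous header."""
    text = data.decode("utf-8", errors="replace").replace("\r\n", "\n").replace("\n ", "")
    pairs = (line.partition(":") for line in text.split("\n"))
    return {key.strip(): value.strip() for key, sep, value in pairs if sep}

def spring_module(zf: zipfile.ZipFile) -> Optional[Tuple[str, str]]:
    """Return (module, version) if this archive is a Spring Framework module."""
    try:
        mf = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
    except KeyError:
        return None
    title = mf.get("Implementation-Title") or mf.get("Automatic-Module-Name") or ""
    module = title.lower().replace(".", "-")   # Automatic-Module-Name uses dots
    return (module, mf.get("Implementation-Version", "")) if module in SPRING_MODULES else None

def findings_in_archive(zf: zipfile.ZipFile, location: str) -> Iterator[Finding]:
    """Yield Spring modules found in the archive itself and in any nested .jar."""
    hit = spring_module(zf)
    if hit:
        yield location, hit[0], hit[1]
    for name in zf.namelist():
        if name.lower().endswith(".jar"):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    yield from findings_in_archive(inner, f"{location}!{name}")
            except zipfile.BadZipFile:
                continue   # not a real jar; skip it rather than abort the scan

def scan_tree(root: str) -> List[Finding]:
    """Every Spring module under root whose version is in an affected range."""
    vulnerable: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    vulnerable += [f for f in findings_in_archive(zf, path)
                                   if is_vulnerable_spring_version(f[2])]
            except zipfile.BadZipFile:
                continue
    return vulnerable

def make_jar(title: str, version: str) -> bytes:
    """Constructed sample jar holding only a manifest, enough for the check above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Title: "
                    f"{title}\r\nImplementation-Version: {version}\r\n\r\n")
    return buf.getvalue()

def demo() -> List[Finding]:
    """Constructed deployment tree: a WAR bundling spring-webmvc 5.3.17 (affected) and a
    non-Spring jar, plus a standalone spring-core 5.3.18 (fixed). Returns the findings."""
    with tempfile.TemporaryDirectory(prefix="spring4shell-check-") as root:
        with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/spring-webmvc-5.3.17.jar", make_jar("spring-webmvc", "5.3.17"))
            war.writestr("WEB-INF/lib/jackson-databind-2.13.2.jar", make_jar("jackson-databind", "2.13.2"))
        with open(os.path.join(root, "spring-core-5.3.18.jar"), "wb") as fh:
            fh.write(make_jar("spring-core", "5.3.18"))
        return scan_tree(root)

if __name__ == "__main__":
    for location, module, version in demo():
        print(f"AFFECTED  {module} {version}  at {location}")
```

Run against a real deployment with scan_tree("/path/to/tomcat/webapps") in place of demo(). An unparseable version is reported as not affected on purpose, so archives without a usable manifest still need a manual look; the script is an inventory aid for the upgrade recommendation, not a replacement for the patched releases.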

4. EXAMINATION OF SPACELABS PRODUCTS

4.1 ASSESSMENT OF SPACELABS PRODUCTS

In response to the publication of this vulnerability, Spacelabs has conducted an assessment to identify devices potentially at risk from it. Please note that this information is subject to change as the situation evolves.

Patient Monitoring and Connectivity (PMC) Products

Product | Host Operating System | Impact Assessment
XprezzNet 96190 | Windows Server 2012 R2; Windows Server 2016 | Not impacted
Intesys Clinical Suite (ICS) | Windows Server 2012 R2; Windows Server 2016; Windows Server 2019 | Not impacted
Intesys Clinical Suite (ICS) Clinical Access Workstations | Windows 8.1; Windows 10 | Not impacted
Xhibit Telemetry Receiver (XTR) 96280 | Windows Embedded Standard 7 SP1; Windows 10 IoT Enterprise Version 1809 | Not impacted
Xhibit 96102/XC4 96501 | Windows Embedded Standard 7 SP1; Windows 10 IoT Enterprise Version 1809 | Not impacted
Bedside Monitors (Xprezzon 91393; Qube 91390; Qube Mini 91389; Ultraview SL 91367, 91369, 91370, and 91387) | VxWorks 6.6 | Not impacted
DM3, DM4 monitors | Windows CE | Not impacted

Diagnostic Cardiology (DC) Products

Product | Host Operating System | Impact Assessment
Sentinel | Windows 7; Windows 10; Windows Server 2012 R2; Windows Server 2016; Windows Server 2019 | Not impacted
Pathfinder SL | Windows 7; Windows 10; Windows 11 | Not impacted
Lifescreen Pro | Windows 10 | Not impacted
Lifecard CF | No OS | Not impacted
EVO | No OS | Not impacted
Eclipse Pro | No OS | Not impacted
CardioExpress SL6A / SL12A | Embedded OS (uC/OS II V2.84) | Not impacted
CardioExpress SL18A | Embedded OS (Linux Kernel 2.6.35.3) | Not impacted
ABP (OnTrak, 90217A, 90207) | No OS | Not impacted

Safe-N-Sound (SNS)

Product | Host Operating System | Impact Assessment
Spacelabs Cloud | Varies | Not impacted
SafeNSound | Not applicable | Not impacted

5. Additional Resources

# | Resource | URL
1 | Spring Framework RCE, Early Announcement | https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted
2 | VMware: How to hunt for Spring4Shell and Java Spring Vulnerabilities | https://blogs.vmware.com/security/2022/04/how-to-hunt-for-spring4shell-and-java-spring-vulnerabilities.html
3 | CISA: Spring Releases Security Updates Addressing “Spring4Shell” and Spring Cloud Function Vulnerabilities | https://www.cisa.gov/uscert/ncas/current-activity/2022/04/01/spring-releases-security-updates-addressing-spring4shell-and
4 | SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965 | https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/

Terms of Use

The information presented above is subject to change without notice. In no event will Spacelabs or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, even if Spacelabs or its suppliers have been advised of the possibility of such damages.