Apache Log4j (CVE-2021-44228)
ZEISS implements extensive IT security measures
Update from December 15th, 2021
Last weekend, the German Federal Office for Information Security (BSI) declared the highest IT and software warning level for Apache Log4j (CVE-2021-44228). This is a security vulnerability in the open-source Java logging library used by many web applications and services worldwide, including ZEISS and many customers and suppliers.
ZEISS immediately set up an international task force with members from all corporate segments identifying potential vulnerabilities, collecting and analyzing data and, if necessary, initiating appropriate immediate actions to be implemented by on-site developer teams.
Any further updates will be published on this page.
Update from December 22nd, 2021
This page summarizes the results of our investigation and recommended next steps for FORUM customers.
As of today, version 1.0.2 of the Log4j patch for FORUM Family products is available. This version fixes the following problems in version 1.0:
- A logging configuration issue that may cause performance degradation for installations with a substantial number of DICOM instruments.
- The patch installer shows the wrong CVE ID.
Installation notes:
- If version 1.0 has already been applied, apply version 1.0.2 on the FORUM server only. Other products such as FORUM Viewer, Glaucoma Workplace, Retina Workplace and EQ Workplace are not affected.
- It is not necessary to re-apply the new patch on the clients.
- If version 1.0 has not been applied yet, version 1.0.2 performs the same changes as version 1.0, plus a minor logging configuration change on the FORUM server.
The patch also fixes the vulnerability CVE-2021-45046.
The vulnerability affects the following ZEISS FORUM family products and versions:
- ZEISS FORUM 4.2.x
- ZEISS Retina Workplace: 2.5.x and 2.6.x
- ZEISS Glaucoma Workplace: 3.5.x
- ZEISS EQ Workplace: 1.6 – 1.8
- ZEISS Cataract Suite 1.3.1
- ZEISS CALLISTO eye 3.6 and 3.7
- Advanced Data Export 1.x
- Laser Treatment Workplace 1.x
This issue is solely related to cybersecurity and does not compromise the health and safety of the patient. It also has no impact on safety and performance of ZEISS FORUM Family products.
Current status: ZEISS CALLISTO eye
We have just finished our risk assessment of the publicly known Log4j cybersecurity vulnerability with regard to CALLISTO eye Software versions 3.6.x and 3.7.x.
In contrast to CALLISTO eye Software version 3.5.x, these newer software versions are in principle vulnerable to Log4j CVE-2021-44228.
However, we assess the probability of a targeted attack via CALLISTO eye as very low, because such an attack requires:
- insider knowledge including internal device specifics and
- an execution of several consecutive defined actions and
- physical access to and manipulation of the device in an operating room by the attacker, or internal subnetwork access plus proprietary knowledge of ZEISS communication protocols and file standards.
Even if all of these requirements were jointly met, the attacker would still need to overcome the cybersecurity measures of the device itself and the security measures of the customer's IT infrastructure in order to subsequently download malicious code from the internet.
Overall, we therefore consider the likelihood of a successful exploitation of the Log4j vulnerability in CALLISTO eye Software 3.6.x or 3.7.x to be extremely low. Importantly, the vulnerability is not relevant to patient safety or device performance.
In a worst-case scenario, the device (which is optional for the workflow) may stop working. There is no impact on the surgical microscope itself. CALLISTO eye has a special software architecture that makes attacks in general difficult without insider knowledge. In addition, the device is not remotely accessible for software changes.
Despite the extremely low likelihood of a successful vulnerability exploitation, we are already working on a solution to close the vulnerability.
We see it as our responsibility to make you aware that CALLISTO eye Software 3.6.x and 3.7.x do not fully mitigate the risk with regard to the Log4j vulnerability CVE-2021-44228.
You may be able to further reduce the risk, e.g., by not allowing unauthorized persons to access the device in the operating room, and by implementing additional security measures in your hospital infrastructure.
Products not affected
So far we have identified the following devices and systems as NOT being affected by vulnerability CVE-2021-44228:
- KINEVO 900
- TIVATO 700
- CONVIVO Surgical Workplace
- CONVIVO Pathology Workplace
- CALLISTO 3.5.1
- FORUM Cloud Viewer
- Cloud Migration Tool
- EQ Mobile
- CIRRUS 400/4000/500/5000/6000 all versions
- PLEX ELITE 9000 all versions
- CLARUS 500/700 all versions
- HFA3 all versions
- ATLAS 9000 all versions
- CIRRUS Photo 600/800 all versions
- MATRIX all versions
- ARI Network
- LUMERA 3.2 and lower versions
- LUMERA 700 /i
- LUMERA 300
- PENTERO 800/900
- VARIO 700
- QUATERA 700
- FORUM ASSIST match 1.5
- FORUM LINK net
- IOL Master 700
- VISUMAX 600
- VISUMAX 800
- INTRABEAM 600
- INTRABEAM Core System with PRS 500
- ZEISS Surgery Optimizer Web App 3.0
- ZEISS Surgery Optimizer IOS Mobile App 1.0
- ZEISS SMART SERVICES
- RFID Smart Drapes
- PRIMUS 200 all versions
- ZEISS Connect App 5.2 for IOS
- ZEISS Activate App
- ZEISS Observe App
- ZEISS Transfer App
- ZEISS KINEVO App
- VISALIS 100
- VISALIS 500
- i.Profiler plus
- VISUREF 100
- VISULENS 500
- VISUPLAN 500
- VISUPHOR 500
- VISUSCOUT 100
- VISUSCREEN 500
- VISUCONNECT 500
- LS COMFORT 80
- VISUCAM 200
- MEL 80
- MEL 90
- VISUMAX 500
- CRS Master II
- LSC80 Combi
- LIO 532s
- LIO - TRION
- VISULAS 532
- VISULAS GREEN
- VISULAS TRION
- VISULAS YAG
- VISUCAM PRO NM
- LSL YAG
- LSL TRION
- SL all versions
- SL Workstation
- VISUCAM 500
- VISULENS 550
- VISUREF 150
- ZEISS EXTARO 300 ENT
- ZEISS EXTARO 300 Dental
We will inform you immediately as soon as we have additional robust findings and/or solutions for other devices and systems.