This page is to inform customers of ZEISS FORUM data management solution about:
Java Deserialization Vulnerability Cybersecurity Update (CWE-502)
Java deserialization is a cybersecurity vulnerability that occurs when a malicious user tries to insert a modified serialized object into the system that eventually compromises the system or its data. What this means is malicious code could be executed on the ZEISS FORUM Server, allowing a potential attacker to take over control.
This issue is solely related to cybersecurity and does not compromise the health and safety of the patient. It also has no impact on safety and performance of ZEISS FORUM.
Deserialization is only possible if:
- an attacker gains access to the organization’s network and
- an attacker knows the username and password of a FORUM user, is aware of the vulnerability and is capable of exploiting it.
The vulnerability affects the following FORUM versions:
- FORUM 4.2.1
- FORUM 4.2.3
- FORUM 4.2.4
1. Close the vulnerability
ZEISS recommends updating your FORUM to the version 4.2.5 to ensure continued cybersecurity.
A software patch labeled FORUM 4.2.5 is available for installation. This patch closes the described vulnerability.
Please reach out to your local ZEISS Service team for additional information on upgrading your ZEISS FORUM software.
2. Mitigate the risk
Although installing the patch is highly recommended, we have also identified some mitigation steps.
Where possible, implement or continue to use LDAP or SSO for the FORUM user accounts, as these support more complex authentication schemes e.g.: complex passwords, password expiration, etc.
When LDAP or SSO are not possible, it is recommended that you implement best practices for your user account information:
- Change default passwords
- Use strong passwords
- Do not share passwords
- All users have individual accounts
- Deactivate user accounts when no longer needed, e.g. after an employee leaves the organization
- Change passwords at regular intervals
- Use combinations of capital and lowercase letters, numbers, special characters, etc. in passwords
Please contact your local service team if you need support updating your ZEISS FORUM.