ADVISORIES

Name | Description | Last Updated
Haemonetics The SafeTrace Tx® software (4-Series) uses an Oracle® Data Provider for .NET (ODP.NET) Managed Driver to communicate with the Oracle database. This Managed Driver is named “Oracle.ManagedDataAccess” in the SafeTrace Tx application. Recently, we became aware that the Oracle.ManagedDataAccess version 19.11.0 of Oracle ODP.NET used by the SafeTrace Tx application is tied to a vulnerability described in an Oracle Critical Patch Update Advisory (https://www.oracle.com/security-alerts/cpujan2023.html) and reported to the National Institute of Standards and Technology (NIST) as a Common Vulnerabilities and Exposures (CVE) entry: https://nvd.nist.gov/vuln/detail/CVE-2023-21893. In an unlikely scenario, an attacker could gain full control over the SafeTrace Tx database if the attacker is able to access your network and receives assistance from another person. This Oracle ODP.NET vulnerability has not been reported by any customers and, to the best of our knowledge, has not been exploited anywhere. We are proactively alerting customers who use SafeTrace Tx (4-Series) with Oracle database(s) of this situation. Note: SafeTrace Tx installations that use SafeTrace Tx with Microsoft® SQL Server® database(s) are not affected. If you have any questions regarding this bulletin, or need assistance applying the remediation, please contact Haemonetics Customer Support at (877) 996-7877. Email: hsscustomersupport@haemonetics.com. Contact: jpentecost@haemonetics.com. June 28, 2023
BD Pyxis Products Hardcoded credentials are used in specific BD Pyxis™ products. If exploited, threat actors may be able to gain access to the underlying file system and could potentially exploit application files for information that could be used to decrypt application credentials or gain access to electronic protected health information (ePHI) or other sensitive information. March 7, 2022
BD Viper LT system BD is working to remediate the hard-coded credentials vulnerability in the BD Viper LT system and is providing this information to increase awareness. The fix is expected in an upcoming BD Viper LT system Version 4.80 software release. March 7, 2022
CISA Log4j Guidance Overview CISA has created a webpage for Apache Log4j Vulnerability Guidance and will actively maintain a community-sourced GitHub repository of publicly available information and vendor-supplied advisories regarding the Log4j vulnerability. CISA will continually update both the webpage and the GitHub repository. Dec. 14, 2021
DICOM File Parsing Vulnerability in syngo fastView syngo fastView contains two vulnerabilities that could be triggered while parsing DICOM or BMP files. If a user is tricked into opening a malicious file in syngo fastView, this could lead to a crash of the application or potential arbitrary code execution. Dec. 14, 2021
Log4Shell (CVE-2021-44228) A critical vulnerability in Apache Log4j could allow remote code execution by a client through a specially crafted string. Dec. 10, 2021
Hillrom Welch Allyn Cardio Products The impacted products, when configured to use SSO, are affected by an improper authentication vulnerability. This vulnerability allows the application to accept manual entry of any active directory (AD) account provisioned in the application without supplying a password, resulting in access to the application as the supplied AD account, with all associated privileges. Dec. 10, 2021
BrakTooth PoC Publicly Released On November 1, 2021, researchers publicly released the BrakTooth proof-of-concept (PoC) tool to test Bluetooth-enabled devices against potential Bluetooth exploits using the researchers’ software tools. BrakTooth—originally disclosed in August 2021—is a family of security vulnerabilities in commercial Bluetooth stacks. An attacker could exploit BrakTooth vulnerabilities to cause a range of effects from denial-of-service to arbitrary code execution. Nov. 5, 2021
Boston Scientific Zoom Latitude Successful exploitation of these vulnerabilities may allow an attacker with physical access to the affected device to obtain patient protected health information (PHI), and/or compromise the integrity of the device. The affected device is not network connected and does not contain hardware to be network connected. Sept. 30, 2021
QNX "BadAlloc" Vulnerability This advisory addresses an integer overflow vulnerability in the calloc() function of the C runtime library in affected versions of the BlackBerry QNX Software Development Platform (SDP) version 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1 and earlier that could potentially allow a successful attacker to perform a denial of service or execute arbitrary code. BlackBerry is not aware of any exploitation of this vulnerability. Aug. 17, 2021
Kaseya VSA Supply-Chain Ransomware Attack CISA is tracking a new critical issue with the Kaseya RMM tool. This is of interest since this tool is used widely in the healthcare sector. CISA has an initial post on its website, "Kaseya VSA Supply-Chain Ransomware Attack". CISA is taking action to understand and address the supply-chain ransomware attack against Kaseya VSA and the multiple MSPs that employ VSA software, and recommends immediate review of the Kaseya advisory and guidance to shut down VSA servers. July 3, 2021
Philips Interoperability Solution XDS Successful exploitation of this vulnerability could allow an attacker to read the LDAP system credentials by gaining access to the network channel used for communication. This risk applies to configurations using LDAP via TLS and where the domain controller returns LDAP referrals. June 24, 2021
OpenClinic GA OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommends that users upgrade to Version 5.170.5 or later. June 15, 2021
ZOLL Defibrillator Dashboard Defibrillator Dashboard: All versions prior to 2.2. Successful exploitation of these vulnerabilities could allow remote code execution, allow an attacker to gain access to credentials, or impact confidentiality, integrity, and availability of the application. June 10, 2021
Hillrom Medical Device Management Successful exploitation of these vulnerabilities could allow a remote attacker to cause memory corruption and remotely execute arbitrary code. June 1, 2021
Mitigate Microsoft Exchange Server Vulnerabilities CISA partners have observed active exploitation of vulnerabilities in Microsoft Exchange on-premises products. Neither the vulnerabilities nor the identified exploit activity is currently known to affect Microsoft 365 or Azure Cloud deployments. Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network. CISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of these vulnerabilities in the wild, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise. Currently, the vulnerabilities related to this known exploitation activity include CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065. According to Microsoft and security researchers, the following vulnerabilities are related yet not known to be exploited: CVE-2021-26412, CVE-2021-26854, CVE-2021-27078. March 5, 2021
Hardcoded Credentials in GE Healthcare Products GE Healthcare is disclosing security vulnerabilities within certain products using specific remote connectivity solutions. These vulnerabilities have been reported to GE Healthcare by CyberMDX. The public disclosure of the vulnerabilities is a coordinated action between GE Healthcare and CyberMDX. Dec. 8, 2020
AMNESIA:33 33 vulnerabilities that affect multiple embedded open-source TCP/IP stacks. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. See the attached links for more information and contact vendors for patches. Dec. 8, 2020
Ransomware Activity Targeting the Healthcare and Public Health Sector CISA, FBI, and HHS assess malicious cyber actors are targeting the HPH Sector with TrickBot and BazarLoader malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services. Oct. 30, 2020
BIOTRONIK CardioMessenger II Successful exploitation of these vulnerabilities could allow an attacker with physical access to the CardioMessenger to obtain sensitive data, obtain transmitted medical data from implanted cardiac devices with the implant’s serial number or impact Cardio Messenger II product functionality. Successful exploitation of these vulnerabilities could allow an attacker with adjacent access to influence communications between the Home Monitoring Unit (HMU) and the Access Point Name (APN) gateway network. June 24, 2020
Baxter Phoenix Hemodialysis Delivery System The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g. TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. June 24, 2020
ExactaMix Advisory ICSMA-20-170-0 Vulnerabilities in the ExactaMix EM2400 V1.10, V1.11, V1.13, V1.14 and ExactaMix EM1200 V1.1, V1.2, V1.4, V1.5 systems. There have been no reports of the following vulnerabilities being exploited. June 24, 2020
Third-Party Product Security Bulletin for Linux Kernel Vulnerability within Wi-Fi Module in Alaris PCU CVE-2019-11479: Linux Kernel Low MSS Value Response Segmentation Resource Consumption Remote DoS June 24, 2020
COVID19 Telework Checklist The Healthcare and Public Health Sector Coordinating Councils have released a checklist for companies that are moving rapidly to telework in light of COVID19 March 19, 2020
SweynTooth SweynTooth is a family of vulnerabilities in the BLE stack of SOC vendor's software. Impact ranges from disrupting BLE communication, to device crashes, to full remote code execution. Impact depends highly on the software architecture of your device. Feb. 21, 2020
Microsoft Releases February 2020 Security Updates Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. Feb. 12, 2020
GE CARESCAPE, ApexPro, and Clinical Information Center systems These vulnerabilities, if exploited, may allow an attacker to obtain PHI data, make changes at the operating system level of the device, with effects such as rendering the device unusable, otherwise interfering with the function of the device and/or making certain changes to alarm settings on connected patient monitors, and/or utilizing services used for remote viewing and control of devices on the network to access the clinical user interface and make changes to device settings and alarm limits, which could result in missed or unnecessary alarms or silencing of some alarms Jan. 24, 2020
Philips Tasy EMR Successful exploitation of these vulnerabilities could impact or compromise patient confidentiality and system integrity. Philips’ analysis has shown these issues, if fully exploited, may allow an attacker of low skill to provide unexpected input into the application, execute arbitrary code, alter the intended control flow of the system, and access sensitive information. Nov. 7, 2019
Philips IntelliSpace Perinatal [Update A] A vulnerability within the IntelliSpace Perinatal application environment could enable an unauthorized attacker with physical access to a locked application screen, or an authorized remote desktop session host application user to break-out from the containment of the application and access unauthorized resources from the Windows operating system as the limited-access Windows user. Nov. 7, 2019
BD Bulletin on DejaBlue BD has provided the list below in order to better help our customers identify any BD products with workstations running with Remote Desktop Services on Windows 7 SP1, Windows 10, Windows Server 2008 R2 SP1, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. This list provided below is not comprehensive and may be updated as more products are identified. It does not indicate the patch or device status. BD EpiCenter™ BD BACTEC™ BOW BD MAX™ BD Assurity Linc™ Nov. 6, 2019
FDA Safety Communication on URGENT/11 Vulnerabilities affecting TCP/IP stack in: VxWorks (by Wind River), Operating System Embedded (OSE) (by ENEA), INTEGRITY (by Green Hills), ThreadX (by Microsoft), ITRON (by TRON Forum), ZebOS (by IP Infusion) Oct. 1, 2019
Interpeak IPNET TCP IP stack vulnerability https://www.bd.com/en-us/support/product-security-and-privacy/product-security-bulletins/interpeak-ipnet-tcp-ip-stack-vulnerability Oct. 1, 2019
Philips IntelliVue Wireless Local Area Network (WLAN) module Successful exploitation of these vulnerabilities may cause corruption of the IntelliVue WLAN firmware and impact to the data flow over the WLAN Version A and WLAN Version B wireless modules. This would lead to an inoperative condition alert at the device and Central Station. Sept. 12, 2019
Wind River VxWorks (IP Net) Wind River and security researchers have been collaborating on a responsible security disclosure of critical vulnerabilities in the TCP/IP stack used by VxWorks (IPnet). In that time, Wind River has developed and thoroughly tested patches to resolve all of the discovered vulnerabilities. At this time, we have no indication that the discovered vulnerabilities are being exploited in the wild. Nevertheless, if your product uses the IPnet TCP/IP stack, we strongly advise you to apply the patches and release updates to affected devices. Sept. 6, 2019
BD Pyxis™ ES system Expired Credentials BD has confirmed a vulnerability that may allow a user with expired credentials to retain previously provided permissions and be able to perform the same action(s) as when this user was still active in certain BD Pyxis™ ES system products whose products are connected directly to a hospital domain and utilize Active Directory. Sept. 5, 2019
Philips HDI 4000 Ultrasound Successful exploitation of this vulnerability could lead to exposure of ultrasound images (breaches of confidentiality) and compromised image integrity. Aug. 30, 2019
Philips Holter 2010 Plus A vulnerability has been identified that may allow system options that were not purchased to be enabled on the Holter 2010 Plus, all versions July 12, 2019
GE Aestiva and Aespire Anesthesia A vulnerability exists where serial devices are connected via an added unsecured terminal server to a TCP/IP network configuration, which could allow an attacker to remotely modify device configuration and silence alarms. July 10, 2019
Medtronic MiniMed 508 and Paradigm Series Insulin Pumps Successful exploitation of this vulnerability may allow an attacker with adjacent access to one of the affected products to intercept, modify, or interfere with the wireless RF (radio frequency) communications to or from the product. This may allow attackers to read sensitive data, change pump settings, or control insulin delivery. June 27, 2019
Networking DOS vulnerability in Linux and FreeBSD kernels Multiple TCP Selective Acknowledgement (SACK) and Maximum Segment Size (MSS) networking vulnerabilities may cause denial-of-service conditions in Linux and FreeBSD kernels. June 21, 2019
Alaris™ Gateway Workstation Web Browser User Interface Lack of Authentication BD has been made aware of a potential vulnerability that can impact Web Browser User Interface on the Alaris™ Gateway Workstation, standalone configuration only. If exploited, this vulnerability may allow an attacker with knowledge of the IP address of the Alaris Gateway Workstation terminal to gain access to the following information on the Web Browser User Interface June 13, 2019
Alaris™ Gateway Workstation Unauthorized Firmware BD has been made aware of a potential vulnerability that can impact the Alaris™ Gateway Workstation (Workstation). If exploited, this vulnerability may allow an attacker with malicious intention to remotely install unauthorized firmware. In order to access this vulnerability, an attacker would need to gain access to a hospital network, have intimate knowledge of the product, and be able to update and manipulate a CAB file, which stores files in an archived library and utilizes a proper format for Windows CE. If an attacker is able to complete those steps, they may also utilize this vulnerability to change the scope to adjust commands on the infusion pump, including adjusting the infusion rate on specific mounted infusion pumps, listed above. June 13, 2019
BlueKeep (Remote Desktop) Microsoft has warned that this flaw is potentially “wormable,” meaning it could spread without user interaction across the internet. We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw. June 5, 2019
Philips Tasy EMR Successful exploitation of this vulnerability could impact or compromise patient confidentiality and system integrity. Philips’ analysis has shown these issues, if fully exploited, may allow attackers of low skill in the customer site or on a VPN to provide unexpected input into the application, execute arbitrary code, alter the intended control flow of the system, and access sensitive information. April 30, 2019
Fujifilm FCR Capsula X/Carbon X Successful exploitation of these vulnerabilities could result in a denial-of-service condition in affected cassette reader units, causing potential image loss or device unavailability. Attackers could gain unauthorized access to the underlying operating system, allowing arbitrary code execution. April 23, 2019
Medtronic Conexus Radio Frequency Telemetry Protocol The result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device. March 29, 2019
BD FACSLyric™ Cell Analyzer Systems with Windows 10 BD internally identified and confirmed the default administrator account used on the BD FACSLyric™ systems running Windows 10 Operating System was not disabled by BD before distribution. This could allow users to obtain full access to the critical configuration of the Windows Operating System by utilizing this privileged account on the workstation associated with the BD FACSLyric™ flow cytometer. Feb. 2, 2019
Stryker Medical Beds Successful exploitation of this vulnerability could allow data traffic manipulation, resulting in partial disclosure of encrypted communication or injection of data. The following Stryker medical products are affected: Secure II MedSurg Bed (enabled with iBed Wireless), Model: 3002, S3 MedSurg Bed (enabled with iBed Wireless), Models: 3002 S3, and 3005 S3, and InTouch ICU Bed (enabled with Bed Wireless), Models 2131, and 2141. Jan. 29, 2019
Roche Point of Care Handheld Medical Devices Insecure permissions in a service interface may allow authenticated attackers in the adjacent network to execute arbitrary commands on the operating systems. CVE-2018-18562 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H). Nov. 6, 2018
Medtronic N'Vision Clinician Programmer The 8840 Clinician Programmer executes the application program from the 8870 Application Card. An attacker with physical access to an 8870 Application Card and sufficient technical capability can modify the contents of this card, including the binary executables. If modified to bypass protection mechanisms, this malicious code will be run when the card is inserted into an 8840 Clinician Programmer. July 12, 2018
BeaconMedaes TotalAlert Scroll Medical Air Systems By accessing a specific uniform resource locator (URL) on the webserver, a malicious user may be able to access information in the application without authenticating. May 24, 2018
BD Kiestra and InoquIA Systems A vulnerability in DB Manager and PerformA allows an authorized user with access to a privileged account on a BD Kiestra system to issue SQL commands, which may result in data corruption. May 22, 2018
BD Pyxis Successful exploitation of this vulnerability could allow data traffic manipulation, resulting in partial disclosure of encrypted communication or injection of data. April 25, 2018
Abbott Laboratories Defibrillator Successful exploitation of these vulnerabilities may allow a nearby attacker to gain unauthorized access to an ICD to issue commands, change settings, or otherwise interfere with the intended function of the ICD. April 18, 2018
GE Medical Devices Independent researcher Scott Erven submitted information regarding the potential use of default or hard-coded credentials in multiple GE Healthcare products. Following the researcher’s report, GE performed a self-assessment and validated that multiple GE Healthcare products use default or hard-coded credentials. GE has reviewed capability to change passwords identified by the researcher within the product documentation, and users are advised to contact GE Service for assistance in changing passwords. March 15, 2018
Philips Intellispace Portal ISP Philips reported vulnerabilities in the Philips’ IntelliSpace Portal (ISP), an advanced visualization and image analysis system. Philips is creating a software update to mitigate these vulnerabilities in the affected products. Additionally, they are issuing mitigating controls for some vulnerabilities. Feb. 28, 2018
Medtronic 2090 Carelink Researchers Billy Rios and Jonathan Butts of Whitescope LLC have identified vulnerabilities in Medtronic’s 2090 CareLink Programmer and its accompanying software deployment network. The CareLink programmer is a portable computer system used by trained personnel to program and manage cardiac devices in the clinic and procedure room. Medtronic has not developed a product update to address these vulnerabilities, but has identified compensating controls within this advisory to help reduce the risk associated with these vulnerabilities. Feb. 28, 2018
Ethicon Endo-Surgery Generator G11 Johnson & Johnson, the parent company of Ethicon Endo-Surgery, LLC, reported an improper authentication vulnerability in the Ethicon Endo-Surgery Generator Gen11. Ethicon Endo-Surgery, LLC has produced updates that mitigate this vulnerability in the affected product. Nov. 28, 2017
i-SENS Inc. SmartLog Diabetes Management Software Independent researcher Mark Cross has identified an uncontrolled search path element vulnerability in i-SENS Inc. SmartLog Diabetes Management Software. i-SENS has produced an update that mitigates this vulnerability. Mark Cross has tested the update to validate that it resolves the vulnerability. Sept. 8, 2017
Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump Vulnerabilities Independent researcher Scott Gayou has identified eight vulnerabilities in Smiths Medical’s Medfusion 4000 Wireless Syringe Infusion Pump. Smiths Medical is planning to release a new product version to address these vulnerabilities in January, 2018. In the interim, NCCIC/ICS-CERT is recommending that users apply the identified compensating controls until the new version can be applied. These vulnerabilities could be exploited remotely. Sept. 8, 2017
Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott's (formerly St. Jude Medical's) Implantable Cardiac Pacemakers: FDA Safety Communication On August 23, 2017, the FDA approved a firmware update that is now available and is intended as a recall, specifically a corrective action, to reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities for certain Abbott (formerly St. Jude Medical) pacemakers. Aug. 30, 2017
Abbott Laboratories’ Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI Pacemaker Vulnerabilities MedSec Holdings Ltd has identified vulnerabilities in Abbott Laboratories’ (formerly St. Jude Medical) pacemakers. Abbott has produced a firmware patch to help mitigate the identified vulnerabilities in their pacemakers that utilize radio frequency (RF) communications. A third-party security research firm has verified that the new firmware version mitigates the identified vulnerabilities. The Food and Drug Administration (FDA) released a safety communication on August 29, 2017, Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott’s (formerly St. Jude Medical’s) Implantable Cardiac Pacemakers: FDA Safety Communication, regarding the identified vulnerabilities and corresponding mitigation. In response, ICS-CERT is releasing this advisory to provide additional detail to patients and healthcare providers. Aug. 30, 2017
Philips' DoseWise Portal Philips has identified Hard-coded Credentials and Cleartext Storage of Sensitive Information vulnerabilities in Philips’ DoseWise Portal (DWP) web application. Philips has updated product documentation and produced a new version that mitigates these vulnerabilities. These vulnerabilities could be exploited remotely. Aug. 17, 2017
BMC Medical and 3B Medical Luna CPAP Machine MedSec has identified an improper input validation vulnerability in BMC Medical’s and 3B Medical’s Luna continuous positive airway pressure (CPAP) therapy machine. For devices released after July 1, 2017, this vulnerability has been addressed. For devices released prior to July 1, 2017, BMC Medical and 3B Medical offer no mitigations. Aug. 15, 2017
Siemens Molecular Imaging Vulnerabilities Siemens has identified two vulnerabilities in Siemens’ Molecular Imaging products running on Windows XP. These vulnerabilities could be exploited remotely. Aug. 4, 2017
B. Braun Medical SpaceCom Open Redirect Vulnerability Marc Ruef and Rocco Gagliardi of scip AG have identified an open redirect vulnerability in B. Braun Medical’s SpaceCom module, which is integrated into the SpaceStation docking station. B. Braun has produced a software update for the SpaceCom module to mitigate this vulnerability. May 23, 2017
Miele Professional PG 8528 Public report of a path traversal vulnerability with proof-of-concept (PoC) exploit code affecting the embedded webserver (“PST10 WebServer”) in Miele Professional PG 8528, a large capacity cleaner and disinfector used in hospitals and laboratory settings to disinfect medical and laboratory equipment. According to this report, the vulnerability is remotely exploitable. March 31, 2017
BD Kiestra PerformA Hard-Coded Passwords Becton, Dickinson and Company (BD) has identified a hard-coded password vulnerability in BD’s Kiestra PerformA and KLA Journal Service applications that access the BD Kiestra Database. BD has produced compensating controls to reduce the risk of exploitation of the identified vulnerability by issuing product updates and defensive measures to be applied by end users. March 24, 2017
St. Jude Merlin@home Transmitter Vulnerability (Update A) The St. Jude Merlin@home Transmitter vulnerability advisory has been updated with more specifics about affected versions and risk. Feb. 8, 2017
St. Jude Merlin@home Transmitter Vulnerability MedSec Holdings has identified a channel accessible by non-endpoint (“man-in-the-middle”) vulnerability in St. Jude Medical’s Merlin@home transmitter. St. Jude Medical has validated the vulnerability and produced a new software version that mitigates this vulnerability. A third-party security research firm has verified that the new software version mitigates the identified vulnerability. Jan. 10, 2017
Smiths-Medical CADD-Solis Medication Safety Software Vulnerabilities Smiths-Medical has reported two vulnerabilities in Smiths-Medical’s CADD-Solis Medication Safety Software that were identified by Andrew Gothard of Newcastle Upon Tyne Hospitals NHS Foundations Trust. Smiths-Medical has produced new versions to mitigate these vulnerabilities. Smiths-Medical reports that an independent security expert has tested the new versions to validate that they resolve the identified vulnerabilities. Jan. 10, 2017