Español
Français
Deutsch
Italiano
Português
TeamUp Strategies
Runway Architecture
Decisive Intelligence
Clinical Informatics
Patient Measurement
Perspectives
Cardiology
Acute Care
Private Clinic
Emergency department
Intensive care unit
Neonatal intensive care unit
Perioperative care
Keeping caregivers safe
Clinical education
UK Pathfinder SL and Lifescreen Pro user training
eLearning
Technical training
Open a support ticket
Product manuals
Service contract
Cleaning instructions
Supplier change request
Contact us
Regional contacts
Our heritage
Senior management
News and Events
Patents and trademarks
Quality and ISO certificates
Careers
Terms and policiesUpdated: 12 January 2022
Products Covered: Spacelabs Patient Monitoring and Diagnostic Cardiology Products
Security Advisory
“Log4Shell” Vulnerability Assessment and Potential Product Impact Statement
- Vulnerability Overview
Spacelabs Healthcare has been made aware of a recently published security vulnerability known as “Log4Shell” (CVE-2021-44228) that was discovered in a Java-based tool utility called Log4j used in many software applications.
The Apache Log4j utility is a commonly used component for logging requests. On December 9, 2021, a vulnerability was reported that could allow a system running Apache Log4j version 2.14.1 or below to be compromised and allow an attacker to execute arbitrary code.
On December 10, 2021, NIST published a critical Common Vulnerabilities and Exposure alert, CVE-2021-44228. More specifically, Java Naming Directory Interface (JNDI) features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from remote servers when message lookup substitution is enabled.
- Risk Assessment Summary
The Log4j utility performs network lookups using the Java Naming and Directory Interface (JNDI) via an integration with Lightweight Directory Access Protocol (LDAP). The vulnerability takes advantage of the way Log4j interprets a log message, and by design the tool will look up the string as a URL via JNDI and search whatever text is passed. If malicious text is passed using the ${ } syntax, execution on the passed text can occur with elevated privileges.
Spacelabs Healthcare Patient Monitoring and Connectivity (PMC) and Diagnostic (DC) products do not use the Apache Log4j utility.
Spacelabs Healthcare’s SafeNSound 4.3.1 cloud application was discovered to be impacted and was remediated December 13, 2021. Customers who are on SafeNSound 4.3.1 do not require further follow-up. Customers using other versions of SafeNSound are not impacted.
- Recommendations
Spacelabs recommends the following as general cybersecurity actions to an enterprise environment.
- Implement defense-in-depth within the enterprise environment consisting of tools such as Intrusion Detection/Prevention Systems (IDS/IPS), firewalls, and network access control (NAC).
- Configure Intrusion Prevention System (IPS) and update the IPS rulesets to detect traffic by this vulnerability.
- Reach out to your IPS vendor directly to ensure that the software in use by your IPS/IDS system is not affected by this same vulnerability.
IPS can show attempts of testing this vulnerability, but the IPS is not able to stop the attack from reaching your applications.
- Examination of Spacelabs products
4.1 Assessment of Spacelabs Products
In response to the publication of these vulnerabilities, Spacelabs has conducted an assessment to identify devices potentially at risk to this set of vulnerabilities. Please note information is subject to change as the situation evolves.
Patient Monitoring and Connectivity (PMC) Products
| Product | Host Operating System | Impact Assessment |
| XprezzNet 96190 | Windows Server 2008 Windows Server 2012 R2 Windows Server 2016 |
Not impacted |
| Intesys Clinical Suite (ICS) | Windows Server 2008 Windows Server 2012 R2 Windows Server 2016 Windows Server 2019 |
Not impacted |
| Intesys Clinical Suite (ICS) Clinical Access Workstations | Windows 7 Windows 8.1 Windows 10 |
Not impacted |
| Xhibit Telemetry Receiver (XTR) 96280 | Windows Embedded Standard 7 SP1
Windows 10 IoT Enterprise Version 1809 |
Not impacted |
| Xhibit 96102 / XC4 96501 | Windows Embedded Standard 7 SP1
Windows 10 IoT Enterprise Version 1809 |
Not impacted |
| Bedside Monitors – Xprezzon 91393 – Qube 91390 – Qube Mini 91389 – Ultraview SL 91367, 91369, 91370, and 91387 |
VxWorks 6.6 | Not impacted |
| DM3, DM4 monitors | Windows CE | Not impacted |
Diagnostic Cardiology (DC) Products
| Product | Host Operating System | Impact Assessment |
| Sentinel | Windows 7 Windows 10 Windows Server 2012 R2 Windows Server 2016 Windows Server 2019 |
Not impacted |
| Pathfinder SL | Windows 7
Windows 10 |
Not impacted |
| Lifescreen Pro | Windows 10 | Not impacted |
| Lifecard CF | No OS | Not impacted |
| EVO | No OS | Not impacted |
| Eclipse Pro | No OS | Not impacted |
| CardioExpress SL6A / SL12A | Embedded OS (uC/OS II V2.84) | Not impacted |
| CardioExpress SL18A | Embedded OS (Linux Kernel 2.6.35.3) | Not impacted |
| ABP OnTrak 90217A 90207 |
No OS | Not impacted |
Safe-N-Sound (SNS)
| Product | Host Operating System | Impact Assessment |
| Spacelabs Cloud | Varies | Not impacted |
| SafeNSound | Not applicable | Version >4.3.1 – Not impacted
Version 4.3.1 – Impacted and remediated for all customers by December 13, 2021 |
- Additional Resources
| # | Resource | URL |
| 1 | Apache Log4j Webpage | https://logging.apache.org/log4j/2.x/security.html |
| 2 | Statement from CISA Director Easterly on “Log4j” Vulnerability | https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability |
| 3 | CISA Known Exploited Vulnerabilities Catalog (expanded to include CVE-2021-44228) | https://www.cisa.gov/known-exploited-vulnerabilities-catalog |
| 4 | CISA Multinational Joint Cybersecurity Advisory on Mitigating Log4Shell and Other Log4j-Related Vulnerabilities | https://www.cisa.gov/uscert/ncas/alerts/aa21-356a |
Terms of Use
The information presented above is subject to change without notice. In no event will Spacelabs or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, even if Spacelabs or its suppliers have been advised of the possibility of such damages.
Related Resources:
- Apache Logging Services Log4j advisory
- Statement from CISA Director Easterly on “Log4j” Vulnerability
- CISA Known Exploited Vulnerabilities Catalog (expanded to include CVE-2021-44228)