Español
Français
Deutsch
Italiano
Português
TeamUp Strategies
Runway Architecture
Decisive Intelligence
Clinical Informatics
Patient Measurement
Perspectives
Cardiology
Acute Care
Private Clinic
Emergency department
Intensive care unit
Neonatal intensive care unit
Perioperative care
Keeping caregivers safe
Clinical education
UK Pathfinder SL and Lifescreen Pro user training
eLearning
Technical training
Open a support ticket
Product manuals
Service contract
Cleaning instructions
Supplier change request
Contact us
Regional contacts
Our heritage
Senior management
News and Events
Patents and trademarks
Quality and ISO certificates
Careers
Terms and policiesUpdated: 12 July 2022
Products Covered: Spacelabs Patient Monitoring Products
Security Advisory
VMWare “Spring4Shell” Vulnerability Assessment and Potential Product Impact Statement
1. VULNERABILITY OVERVIEW
Spacelabs Healthcare has been made aware of recently published security vulnerability known as “Spring4Shell” (CVE-2022-22965), which is a Remote Code Execution (RCE) vulnerability, that was discovered in VMware’s Spring Core Java framework – a popular open-source Java framework for developing Java based web applications. This vulnerability affects Spring MVC and Spring WebFlux based applications running on JDK 9+ and above.
Due to a parameter binding bug in the Spring Core framework, an attacker can send a specially crafted HTTPS request to a server running Spring core framework and gain unauthenticated and unauthorized remote access to the system. Successful exploitation of this vulnerability could allow an unauthorized attacker to gain unauthenticated access to the system and use webshell from the browser, access the server resources and write arbitrary code to the server through the webshell.
To exploit this vulnerability, it is required that the application is deployed on a standalone Apache Tomcat servlet container as a WAR (Web Archive) package/file, have spring-webmvc or spring-webflux dependency and uses Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. However, due to the more general nature of this vulnerability, there could be other potential ways to exploit this vulnerability. Therefore, any system using JDK 9 or above and using the Spring framework or other derivative frameworks should be considered vulnerable.
2. RISK ASSESSMENT SUMMARY
Spacelabs has conducted an assessment to identify the potential impact on our products. Our assessment has found that no Spacelabs products are impacted by this vulnerability.
Spacelabs considers the operational risk to its products from a Spring4Shell attack to be low.
Spacelabs Patient Monitoring and Connectivity (PMC) and Diagnostic Cardiology (DC) products do not use JDK, Spring Core Framework or Apache Tomcat Servers for deployment of their products and do not have any dependencies on the said tools/frameworks, hence, are not impacted by this vulnerability. Apache, VMware and other stakeholders have released patches for their affected products which can be installed by customers as necessary.
As Spacelabs continues to gain a deeper understanding of the impact of this vulnerability, we will continue to publish technical information to help customers detect, investigate, and mitigate the vulnerability across all our products where applicable.
3. RECOMMENDATIONS
Spacelabs recommends the following as general cybersecurity actions to an enterprise environment.
- If the customer’s IT infrastructure has Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions running on them, it is advised to upgrade it to Spring Framework 5.3.18+ or 5.2.20+, which contain the fixes.
- Block suspicious external IP addresses at the enterprise firewalls. Monitor traffic internally for unusual behavior.
- Apply applicable patches, hotfixes, and updates to servers and products when available and after they have been validated.
- Implement defense-in-depth within the enterprise environment consisting of tools such as Intrusion Detection System / Intrusion Prevention Systems (IDS/IPS), firewalls, and Network Access Control (NAC).
- Implement and maintain an anti-malware solution (also called “anti-virus”) and an Endpoint Detection and Response (EDR) solution.
- Disable remote access services and protocols such as Remote Desktop Protocol (RDP) unless needed. Monitor and restrict remote access usage on a least-privilege basis.
- Have backup and restore processes and procedures in place for disaster recovery and incident response.
- Monitor and maintain account provisioning and access control based on the principle of least privilege.
4. EXAMINATION OF SPACELABS PRODUCTS
4.1 ASSESSMENT OF SPACELABS PRODUCTS
In response to the publication of these vulnerabilities, Spacelabs has conducted an assessment to identify devices potentially at risk to this set of vulnerabilities. Please note information is subject to change as the situation evolves.
Patient Monitoring and Connectivity (PMC) Products
| Product | Host Operating System | Impact Assessment |
| XprezzNet 96190 | Windows Server 2012 R2 Windows Server 2016 |
Not impacted. |
| Intesys Clinical Suite (ICS) | Windows Server 2012 R2 Windows Server 2016 Windows Server 2019 |
Not impacted. |
| Intesys Clinical Suite (ICS) Clinical Access Workstations | Windows 8.1 Windows 10 |
Not impacted. |
| Xhibit Telemetry Receiver (XTR) 96280 | Windows Embedded Standard 7 SP1 Windows 10 loT Enterprise Version 1809 |
Not impacted. |
| Xhibit 96102/XC4 96501 | Windows Embedded Standard 7 SP1 Windows 10 loT Enterprise Version 1809 |
Not impacted. |
| Bedside Monitors – Xprezzon 91393 – Qube 91390 – Qube Mini 91389 – Ultraview SL 91367, 91369, 91370, and 91387 |
VxWorks 6.6 | Not impacted |
| DM3, DM4 monitors | Windows CE | Not impacted |
Diagnostic Cardiology (DC) Products
| Product | Host Operating System | Impact Assessment |
| Sentinel | Windows 7 Windows 10 Windows Server 2012 R2 Windows Server 2016 Windows Server 2019 |
Not impacted |
| Pathfinder SL | Windows 7 Windows 10 Windows 11 |
Not impacted |
| Lifescreen Pro | Windows 10 | Not impacted |
| Lifecard CF | No OS | Not impacted |
| EVO | No OS | Not impacted |
| Eclipse Pro | No OS | Not impacted |
| CardioExpress SL6A / SL12A | Embedded OS (uC/OS II V2.84) | Not impacted |
| CardioExpress SL18A | Embedded OS (Linux Kernel 2.6.35.3) | Not impacted |
| ABP OnTrak 90217A 90207 |
No OS | Not impacted |
Safe-N-Sound (SNS)
| Product | Host Operating System | Impact Assessment |
| Spacelabs Cloud | Varies | Not impacted |
| SafeNSound | Not applicable | Not impacted |
Terms of Use
Spacelabs is currently monitoring developments and updates related to a recently published CISA and FDA Advisory concerning PTC’s Axeda Agent and Axeda Desktop Server vulnerabilities.
5. Additional Resources
| # | Resource | URL |
| 1 | Spring Framework RCE, Early Announcement | https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted |
| 2 | VMWare: How to hunt for Spring4Shell and Java Spring Vulnerabilities | https://blogs.vmware.com/security/2022/04/how-to-hunt-for-spring4shell-and-java-spring-vulnerabilities.htmlhttps://www.cisa.gov/uscert/ics/advisories/icsa-22-067-01 |
| 3 | CISA: Spring Releases Security Updates Addressing “Spring4Shell” and Spring Cloud Function Vulnerabilities | https://www.cisa.gov/uscert/ncas/current-activity/2022/04/01/spring-releases-security-updates-addressing-spring4shell-and |
| 4 | SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965 | https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/ |
Terms of Use
The information presented above is subject to change without notice. In no event will Spacelabs or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, even if Spacelabs or its suppliers have been advised of the possibility of such damages.