BIOTRONIK Statement on Log4Shell Vulnerability
A high-severity vulnerability known as Log4Shell (CVE-2021-44228, CVSSv3 10.0) was disclosed publicly on December 9, 2021. Two related vulnerabilities of lower severity followed: CVE-2021-45046 (CVSSv3 9.0), disclosed on December 14, 2021, and CVE-2021-45105 (CVSSv3 7.5), disclosed on December 18, 2021. All three are present in a software library used by many servers worldwide (see Background for details). In light of these disclosures, BIOTRONIK has carefully analyzed all of the services it provides. The analysis concluded that the conditions for exploiting Log4Shell and the two related vulnerabilities (CVE-2021-45046 and CVE-2021-45105) do not exist in any of BIOTRONIK’s medical devices (see Technical Information for details of the systems analyzed).
The one exception is the BIOTRONIK EHR DataSync Adapter, for which a limited precondition for the Log4Shell vulnerability exists if a non-default logging configuration is set, as described in the Technical Information below. Exposure is further limited because the crafted input required for exploitation could only be entered by authorized users of the Home Monitoring Service Center who have the right to change patient data. To eliminate this very low residual risk for customers currently using the BIOTRONIK Adapter software, BIOTRONIK’s Remote Services Team has already contacted your IT department with technical solutions that remove the vulnerability.
Background
A high-severity vulnerability known as Log4Shell (CVE-2021-44228, CVSSv3 10.0) present in a software library used by many servers worldwide was disclosed publicly on December 9, 2021. The affected library is “Apache Log4j2” in versions 2.0-beta9 through 2.14.1 from the Apache Software Foundation. It is an open-source Java logging framework that lets software developers write log entries (i.e., text describing an action the application has just performed) to files or dedicated log servers. The library evaluates lookup expressions embedded in logged text, so an attacker who can get a crafted string into a log message can make the application fetch and execute code from a remote server via JNDI. The vulnerability therefore allows unauthenticated remote code execution and is highly critical wherever the conditions for its exploitation are present.
A related vulnerability (CVE-2021-45046, CVSSv3 9.0), affecting Log4j in versions 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0, was disclosed on December 14, 2021. It was initially described as a denial of service issue; Apache later re-assessed it as allowing information leakage and, in some environments, remote code execution, which is why its score was raised to 9.0. It is only exploitable when the logging configuration uses a non-default Pattern Layout with a Context Lookup or a Thread Context Map pattern and the attacker controls Thread Context Map data.
Another related vulnerability (CVE-2021-45105, CVSSv3 7.5, official score pending at the time of writing), affecting Log4j in versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3), was disclosed on December 18, 2021. It allows a denial of service attack through uncontrolled recursion in self-referential lookups, again only when a non-default Pattern Layout with a Context Lookup is used.
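The following Python script is an added worked example, not part of BIOTRONIK’s statement or tooling. It encodes the affected version ranges listed above and reports which of the three CVEs apply to a given Log4j 2 version; it also inspects a log4j-core jar for its manifest version and for the JndiLookup class, whose removal is Apache’s documented mitigation for CVE-2021-44228 and CVE-2021-45046 (it does not address CVE-2021-45105). The backport table for the Java 6 and Java 7 branches (2.3.1, 2.12.2, 2.12.3) is taken from Apache’s Log4j security page and is not stated in this advisory; the sample jar is constructed inside the script and contains no real bytecode.

```python
"""Classify a Log4j 2.x version against the three CVEs in this advisory and
inspect a log4j-core jar for its version and the JndiLookup class."""
import io
import re
import zipfile

_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.I)


def parse_version(text):
    """Turn '2.0-beta9', '2.12.1' or '2.16.0' into a sortable tuple.
    Pre-releases sort before the final release of the same number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, tag, num = m.groups()
    if tag:
        return (int(major), int(minor), int(patch or 0), 0, _PRE_RANK[tag.lower()], int(num))
    return (int(major), int(minor), int(patch or 0), 1, 0, 0)


# Affected ranges exactly as the advisory above states them (inclusive bounds).
AFFECTED_RANGES = {
    "CVE-2021-44228": [("2.0-beta9", "2.14.1")],
    "CVE-2021-45046": [("2.0-beta9", "2.12.1"), ("2.13.0", "2.15.0")],
    "CVE-2021-45105": [("2.0-alpha1", "2.16.0")],
}
EXCLUDED = {"CVE-2021-45105": ["2.12.3"]}
# Assumption not stated in the advisory: fixes backported to the Java 6 (2.3.x)
# and Java 7 (2.12.x) branches, per Apache's Log4j security page. A version at
# or above one of these on the same major.minor line is fixed even though it
# falls inside the ranges above.
BACKPORT_FIXES = {
    "CVE-2021-44228": ["2.3.1", "2.12.2"],
    "CVE-2021-45046": ["2.3.1", "2.12.2"],
    "CVE-2021-45105": ["2.3.1", "2.12.3"],
}


def _has_backport_fix(v, cve):
    for fix in BACKPORT_FIXES[cve]:
        f = parse_version(fix)
        if v[:2] == f[:2] and v >= f:
            return True
    return False


def affected_cves(version):
    """Return the sorted list of advisory CVEs that apply to this version."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED_RANGES.items():
        in_range = any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)
        excluded = any(v == parse_version(x) for x in EXCLUDED.get(cve, []))
        if in_range and not excluded and not _has_backport_fix(v, cve):
            hits.append(cve)
    return sorted(hits)


JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def inspect_jar(jar_bytes):
    """Read Implementation-Version from the manifest and check whether the
    JndiLookup class (the CVE-2021-44228/45046 attack surface) is present."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if m:
                version = m.group(1)
    return {"version": version, "jndi_lookup_present": JNDI_LOOKUP_CLASS in names}


def build_sample_jar(version, with_jndi_lookup=True):
    """Constructed stand-in for log4j-core-<version>.jar (no real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    return buf.getvalue()


def assess_jar(jar_bytes):
    """Combine both checks: a jar with JndiLookup.class removed is still exposed
    to CVE-2021-45105, because that issue lives in the lookup recursion itself."""
    info = inspect_jar(jar_bytes)
    cves = affected_cves(info["version"]) if info["version"] else []
    if not info["jndi_lookup_present"]:
        cves = [c for c in cves if c == "CVE-2021-45105"]
    return {**info, "applicable_cves": cves}


if __name__ == "__main__":
    for ver in ["2.0-beta9", "2.12.2", "2.12.3", "2.14.1", "2.15.0", "2.16.0", "2.17.0", "2.3.1"]:
        print(f"{ver:>10}: {', '.join(affected_cves(ver)) or 'none of the three'}")
    print(assess_jar(build_sample_jar("2.14.1")))
    print(assess_jar(build_sample_jar("2.14.1", with_jndi_lookup=False)))
```

To use it against a real deployment, pass the bytes of each log4j-core jar found on the class path to assess_jar; jars repackaged inside fat jars or WAR files need to be extracted first, and a missing Implementation-Version means the version must be determined another way (e.g. from the file name or a checksum list).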
Technical Information
The following systems comprise the services provided by BIOTRONIK and have been thoroughly analyzed:
Home Monitoring Service Center
Not affected by any of the three vulnerabilities. Log4j2 is not used.
Implantable Device Programmer Renamic & Renamic Neo
Not affected by any of the three vulnerabilities. Log4j2 is not used.
BIOTRONIK Cloud Service infrastructure
Not affected by any of the three vulnerabilities. Log4j2 is not used.
Patient App Interface
Not affected by any of the three vulnerabilities. Log4j2 is not used.
ProMRI System Check Web Site
Not affected by any of the three vulnerabilities. Log4j2 is not used.
BIOTRONIK EHR DataSync Adapter
The Adapter uses Log4j2 in a version affected by the Log4Shell vulnerability (CVE-2021-44228); the limited precondition described at the top of this statement (a non-default logging configuration combined with crafted input from an authorized Home Monitoring Service Center user) applies. It is not affected by CVE-2021-45046 or CVE-2021-45105, as the Adapter does not use a non-default pattern layout. Technical solutions to remove this vulnerability have been provided to current Adapter customers.
At BIOTRONIK, we take cybersecurity very seriously, and we are strongly committed to providing safe and reliable cardiovascular devices and systems that improve the lives of millions of patients. Our cybersecurity management process is carefully designed according to the recommendations of the US FDA’s guidance to identify and control risks in all relevant devices and systems.
We continue to monitor, test and analyze the safety of our devices and systems regularly.
Your local BIOTRONIK representative is always available to support you. If you have any EHR questions, please email remoteservices@biotronik.com. Otherwise, contact info@biotronik.com for any other inquiries.
About BIOTRONIK
At BIOTRONIK, patient well-being is our top priority and has been for 60 years. BIOTRONIK is a leading global medical technology company with products and services that save and improve the lives of millions suffering from heart and blood vessel diseases as well as chronic pain. Driven by a purpose to perfectly match technology with the human body, we are dedicated innovators who develop trusted cardiovascular, endovascular and neuromodulation solutions. BIOTRONIK is headquartered in Berlin, Germany, and is represented in over 100 countries.