Aller au contenu principal
Statement

BIOTRONIK Statement on the Log4Shell Vulnerability Updated December 21, 2021

The discovery of a high-severity vulnerability known as Log4Shell was disclosed publicly on December 9, 2021, while a related lower-severity vulnerability was disclosed on December 14, 2021. These vulnerabilities are present in a software library used by many servers worldwide (see Background for details). In light of this recent discovery, BIOTRONIK has carefully analyzed all of its provided services. The analysis concluded that the conditions for exploitation of the Log4Shell vulnerability and the related CVE-2021-45046 and CVE-2021-45105 vulnerabilities do not exist in any of BIOTRONIK’s medical devices (see Technical Information for details of the systems analyzed).

A very limited condition for exploitation of the Log4Shell vulnerability exists for the BIOTRONIK EHR DataSync Adapter, if a non-default configuration for logging is set as described in the technical information below. This condition is further limited by the fact that data input required for exploitation could only be conducted by authorized users of the Home Monitoring Service Center who have the rights to change patient data. To eliminate this very low risk of exploitation, BIOTRONIK has taken immediate action and will provide an update for the EHR DataSync Adapter by December 22, 2021. Until then, clinic IT administrators should ensure that the log level settings of their EHR DataSync Adapter system are set to default as described in the technical information below.

Background

A high-severity vulnerability known as Log4Shell (CVE-2021-44228, CVSSv3 10.0) present in a software library used by many servers worldwide was disclosed publicly on December 9, 2021. The affected library is “Apache Log4j2” in versions 2.0 to 2.14.1 from the Apache Foundation. It is an open source Java logging framework that allows software developers to write log entries (i.e. text describing an action that the application has just performed) to files or dedicated log servers. The vulnerability allows for unauthenticated remote code execution and is therefore highly critical if conditions for its exploitation are present.

A related vulnerability (CVE-2021-45046CVSSv3 9.0) affecting Log4j in versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 has been disclosed on December 14, 2021. This vulnerability allows for exfiltration of information and unauthenticated remote code execution in some environments and unauthenticated local code execution in all environments.

- Update 20 December, 2021 - 

Another related vulnerability (CVE-2021-45105CVSSv3 7.5) affecting Log4j in versions from versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) has been disclosed on December 18, 2021. This vulnerability allows for a denial of service attack. 

- Update 21 December, 2021 -

Updated the information on CVE-2021-45046 and CVE-2021-45105 as published by NIST.

Technical Information

The following systems comprise the services provided by BIOTRONIK and have been thoroughly analyzed:

Home Monitoring Service Center
Not affected by either vulnerability. Log4j2 is not used

Implantable Device Programmer Renamic & Renamic Neo
Not affected by either vulnerability. Log4j2 is not used

BIOTRONIK Cloud Service infrastructure
Not affected by either vulnerability. Log4j2 is not used

Patient App Interface
Not affected by either vulnerability. Log4j2 is not used

ProMRI System Check Web Site
Not affected by either vulnerability. Log4j2 is not used

BIOTRONIK EHR DataSync Adapter
Not affected by CVE-2021-45046  or CVE-2021-45105. Adapter does not use a non-default pattern layout.
Affected by Log4Shell. The EHR DataSync Adapter uses Log4j2 in a version that is affected by the Log4Shell vulnerability. To exploit the vulnerability the following conditions must exist:

Mitigation Measures:

At BIOTRONIK, we take cybersecurity very seriously and we are strongly committed to providing safe and reliable cardiovascular devices and systems that improve the lives of millions of patients. Our cybersecurity management process is carefully designed according to the recommendations of the US FDA’s guidance to identify and control risks in all relevant devices and systems.

We continue to monitor, test and analyze the safety of our devices and systems regularly.

For any questions, please do not hesitate to contact your local BIOTRONIK representative or email us at info@biotronik.com.

About BIOTRONIK:

At BIOTRONIK, patient well-being is our top priority and has been for 60 years. BIOTRONIK is a leading global medical technology company with products and services that save and improve the lives of millions suffering from heart and blood vessel diseases as well as chronic pain. Driven by a purpose to perfectly match technology with the human body, we are dedicated innovators who develop trusted cardiovascular, endovascular and neuromodulation solutions. BIOTRONIK is headquartered in Berlin, Germany, and is represented in over 100 countries.