
=============================================================================
Run Date: JUL 29, 2020                     Designation: XOBV*1.6*5
Package : XOBV - VISTALINK                    Priority: Mandatory
Version : 1.6         SEQ #4                    Status: Released
                  Compliance Date: AUG 29, 2020
=============================================================================


Subject: JAVA TRM AND FORTIFY CHANGES

Category: 
  - Informational

Description:
============

 This is an informational only patch and is bundled with the Veterans 
 Personal Finance System (VPFS) patch, PRPF*4*4, Kernel Authentication & 
 Authorization for Java 2 Enterprise Edition (KAAJEE) patches XU*8.0*694 
 and XU*8.0*696.
  
 This VistALink patch, XOBV*1.6*5, addresses Java codebase in the Technical
 Reference Model (TRM) and Fortify remediation. There is no functionality
 or workflow changes.
  
  
 Patch Components:
 =================
  
 Files & Fields Associated:
  
 File Name (Number)      Field Name (Number)     New/Modified/Deleted
 ==================      ===================     ====================
 N/A
  
 Forms Associated:
  
 Form Name       File #   New/Modified/Deleted
 =========       ======   ====================
 N/A
  
 Mail Groups Associated:
  
 Mail Group Name          New/Modified/Deleted
 ===============          ===================== 
 N/A
  
 Options Associated:
  
 Option Name     Type    New/Modified/Deleted
 ===========     =====   ====================  
 N/A
  
 Protocols Associated:
  
 Protocol Name   New/Modified/Deleted
 ==============  ===================== 
 N/A
  
 Security Keys Associated:
  
 Security Key Name
 =================
 N/A
  
 Templates Associated:
  
 Template Name   Type    File Name (Number)  New/Modified/Deleted 
 ==============  =====   ==================  ====================
 N/A
  
 Additional Information:
 N/A
  
 New Service Requests (NSRs):
 =============================
 N/A
  
 Patient Safety Issues (PSIs):
 =============================
 N/A
   
 Defect Tracking System Ticket(s) & Overview:
 ============================================
  
 1. Rational defect 762867 - TRM Code Changes
  
 Problem:
 ========
 After a review of the technologies used in VistALink 1.6, the following 
 TRM components were upgraded:
  
        - Log4j libraries and API calls were upgraded to the 2.10 version
        - WebLogic Server JCA 1.5 supported specification
        - Java 1.7 upgrade
  
 Resolution:
 ===========
 The new libraries, Log4j, will be used in replace of the old library. In 
 addition, code changes have been made to support the new libraries.
  
  
 2. Rational defect 762845 - Fortify Remediation
  
 Problem:
 ========
 After scanning the VistALink code base through Fortify Security and Code 
 Quality, there were several hundred problems listed as Critical and High 
 priority.
  
 These issues include the following:
  
 Heap Inspection
 Privacy Violation
 Authentication
 Insecure Randomness
 Log Forging
 Key Management
 Null Dereference
 Often Misused Boolean
 Java Naming and Directory Interface (JNDI) Reference Injection
 Resource Injection
 Byte Array to String conversion
 System Information Leak
 Unreleased Resource
 Java 2 platforms Enterprise Edition (J2EE) Bad Practices: Sockets
  
  
 Resolution:
 ===========
 Updated and corrected all code that was flagged during the Fortify code
 scan; all issues have been resolved.
  
  
 Test Sites:
 ===========
 Edith Nourse Rogers Memorial Hospital (Bedford) 
 Northport VA Medical Center
 Salem VA Medical Center
  
  
 Documentation Retrieval Instructions:
 =====================================
 Documentation describing the new functionality is included in this 
 release. Documentation can be found on the VA Software Documentation 
 Library at: https://www.domain.ext/vdl/. Documentation can also be 
 obtained at https://download.vista.domain.ext/index.html/SOFTWARE 
  
  
 Title                                   File Name                   
 ==========================================================================
 VistALink Release Notes                 VISTALINK_1_6_5_RN.PDF
 VistALink System Management Guide       VISTALINK_1_6_5_SM.PDF  
 VistALink Developer Guide               VISTALINK_1_6_5_DG.PDF
 VistALink Installation Guide            VISTALINK_1_6_5_IG.PDF
  
  
 Patch Installation:
 ===================
 No installation is required at local sites. 
 Martinsburg performs the patch installation on a centralized web server.
  
  
 Pre/Post Installation Overview:
 ===============================
 N/A
  
 Pre-Installation Instructions:
 ==============================
 N/A
  
 Installation Instructions:
 ==========================
 ******************************************************************
 **  PLEASE NOTE: THERE IS NO INSTALLATION FOR THIS PATCH.       **
 ******************************************************************
  
 This informational patch, XOBV*1.6*5, is for VISTALINK Java component
 only. Installation is done by Martinsburg on a centralized server. 
  
 Please refer to the VistALink v1.6 System Management Guide for more 
 details.
  
 Back-Out Plan:
 ==============
 A back-out plan will be sent to Martinsburg and attached to the 
 installation Change Order (CO) found in the, VistALink Install Guide. 

Routine Information:
====================
No routines included.

=============================================================================
User Information:
Entered By  :                               Date Entered  : JUN 20, 2018
Completed By:                               Date Completed: JUL 28, 2020
Released By :                               Date Released : JUL 29, 2020
=============================================================================


Packman Mail Message:
=====================

No routines included