============================================================================= Run Date: OCT 27, 2022 Designation: MAG*3*342 Package : MAG - IMAGING Priority: EMERGENCY Version : 3 SEQ #231 Status: Released Compliance Date: NOV 07, 2022 ============================================================================= Subject: VistA Imaging Gateway Webserver Remediation Category: - Informational Description: ============ This document describes Emergency Patch MAG*3.0*342 that delivers an updated Apache Web Service that is used by InterSystems Caché. The Apache Web Service will be updated to version 2.4.54 to address security vulnerabilities using an automated script. This patch addresses the following issue: Adaptive Maintenance: ---------------------- 1. Intersystem Apache Web Server upgrade to version 2.4.54 Patch Components: ----------------- File Name (Number) Field Name (Number) New/Modified/Deleted ------------------ ------------------- -------------------- Forms Associated: Form Name File Number New/Modified/Deleted --------- ----------- -------------------- N/A Mail Groups Associated: Mail Group Name New/Modified/Deleted --------------- -------------------- N/A Options Associated: Option Name Type New/Modified/Deleted ----------- ---- -------------------- N/A Protocols Associated: Protocol Name New/Modified/Deleted ------------- -------------------- N/A Security Keys Associated: Security Key Name ----------------- N/A Templates Associated: --------------------- Template Name Type File Name (Number) New/Modified/Deleted ------------- ---- ------------------ -------------------- N/A Remote Procedures Associated: Remote Procedure Name New/Modified/Deleted --------------------- -------------------- N/A Parameter Definitions Associated: Parameter Name New/Modified/Deleted -------------- -------------------- N/A Additional Information: ----------------------- N/A Blood Bank Team Coordination: N/A New Service Requests (NSRs): N/A Patient Safety Issues (PSIs): N/A Adaptive Maintenance Tracking System Ticket(s) & Overview: ---------------------------------------------------------- 1. Intersystem Apache Web Server upgrade to version 2.4.54 Description: ------------ Currently, the Apache Web Server installed on Caché servers is version 2.4.2.0 located under C:\CacheSys\httpd folder. With this version, there are 25 security vulnerabilities present, with varying "fixed versions" identified by Nessus. Resolution: ----------- Updates to the C:\CacheSys\httpd\bin and C:\CacheSys\httpd\modules folders to bring the Apache Web Service to the most recent approved version 2.4.54. Test Sites: ----------- Lebanon VAMC (Lebanon, PA) Overton Brooks VAMC (Shreveport, LA) Software and Documentation Retrieval Instructions: -------------------------------------------------- Patch MAG*3.0*342 install is an automated PowerShell script that updates the Apache Web Service located in C:\CacheSys\httpd. All patch files can be obtained from the SOFTWARE library by accessing the URL: https://download.vista.domain.ext/index.html/SOFTWARE. File Title File Name --------------------------------------------------------------------- Gateway Webserver Remediation MAG3_0P342_WEBSERVER_REMEDIATION.ZIP PowerShell Script Documentation Title File Name ------------------- ---------- Patch Description for MAG*3.0*342 MAG3_0P342_PATCH_DESCRIPTION.PDF Deployment, Installation, Back-Out, MAG3_0P342_DIBORG.PDF and Rollback Guide Patch Installation: ------------------- Pre-Installation Instructions: ------------------------------- PowerShell script that updates the Apache Web Service. All DICOM Gateways, including Legacy, Text and Routing, as well as HDIGs. 1. Login to the Gateway server. 2. Open command prompt. a. Run "C:\CacheSys\httpd\bin\httpd -v" command 3. Verify the current Apache version is "Apache/2.4.2" 4. If the current Apache version does not match above, contact the Clinical Diagnostics team by submitting a Service Now ticket to SPM.Health.ClinSvs.Diag Installation Instructions: -------------------------- 1. Create a new folder: C:\Temp 2. Copy the downloaded "MAG3_0P342_WEBSERVER_REMEDIATION.ZIP" to C:\Temp directory. 3. Extract the contents of the "MAG3_0P342_WEBSERVER_REMEDIATION.ZIP" file to the folder C:\TEMP\MAG3_0P342_WEBSERVER_REMEDIATION. 4. Shut down all VistA Imaging processing windows (2-3, 2-5, 3-3, 2-8-2, etc.) as well as all legacy listeners on the Imaging Gateway before executing the Windows PowerShell script. 5. Run Windows PowerShell as an administrator. 6. If prompted with "Do you want to allow the following program from an unknown publisher to make changes to this computer?", click Yes. 7. Once Windows PowerShell launches, type the following command: Set-ExecutionPolicy -ExecutionPolicy Unrestricted Select A for "Yes to All". 8. Type the command: CD C:\temp\MAG3_0P342_WEBSERVER_REMEDIATION Press [ENTER] to change the working directory to this folder. 9. Type the command: .\UpgradeApache.ps1 Press [ENTER] to execute the automated script. 10. When Prompted to Enter Cache root Path. Press Enter to use default value [C:\CacheSys]: Press [ENTER] Note: The script automatically stops and restarts Caché during execution 11. Upon successful completion of the commands, the following message will be displayed: "Server version: Apache/2.4.54 (Win32)" 12. Press [ENTER] to complete installation process and exit. Note: If Caché needs to be reinstalled on any Image Gateway, MAG*3.0*342 must be reapplied to remediate the Apache Web Service security vulnerabilities until MAG*3.0*319 is released. Installation Verification: ------------------------------- 1. If Caché is not automatically started after upgrade, right-click on the Caché icon on bottom right corner of the taskbar and select "Start Caché". 2. Log in to the Caché Management Portal and verify that the previous settings have been retained (Refer to the VistA Imaging DICOM Gateway Installation Guide if needed). 3. Go to C:\CacheSys\httpd folder and verify Apacheversion.txt file exists. 4. Open the file to verify the contents show "Apache 2.4.54". Back-Out/Roll Back Plan: ------------------------ Uninstalling the Application: ----------------------------- If it is necessary to uninstall the MAG*3.0*342, the user should follow these steps: 1. Stop Caché 2014 by selecting the blue Caché cube and select Stop Caché. 2. Make a backup copy of the current Gateway database C:\DICOM\Cache\Cache.dat. 3. Copy the file Cache.Key in the C:\CacheSys\mgr directory to a temporary location. 4. Go to the Control Panel, choose "Uninstall a program", and remove the current version Caché instance. 5. Go to the Control Panel, choose "Uninstall a program", and remove Legacy DICOM Gateway (Patch 305). 6. Delete the directory C:\CacheSys. 7. Restart the server. 8. Re-install Legacy DICOM Gateway patch MAG*3.0*305. Refer to the VistA Imaging DICOM Gateway Installation Guide for instructions. Routine Information: ==================== No routines included. ============================================================================= User Information: Entered By : Date Entered : SEP 22, 2022 Completed By: Date Completed: OCT 27, 2022 Released By : Date Released : OCT 27, 2022 ============================================================================= Packman Mail Message: ===================== No routines included