=============================================================================
Run Date: FEB 22, 2023                     Designation: WEBP*1*27
Package : WEBP - PATIENT CENTERED MANAGEMENT  Priority: Mandatory
Version : 1         SEQ #26                    Status: Released
                  Compliance Date: MAR 24, 2023
=============================================================================

Subject: PCMM WEB DEFECT REMEDIATION

Category:
  - Informational

Description:
============

Patient Centered Management Module (PCMM) Web informational patch,
WEBP*1.0*27, will address several defects within the PCMM web application
and remediate security and compliance issues within the PCMM Application
that were identified through Fortify security scans.

This patch will resolve the following 8 issues:

1. INC23859115: Multiple Oracle Java Vulnerabilities
2. INC25113528: There is a critical security issue (data leakage in the
   logs) from the Fortify scan.
3. INC25026923: LDAP Bulletin No. 2: VA LDAP services that may impact PCMM
4. INC21878853: STA 614 | PLS GIVE TO PLM.HEALTH.HealthCareAdmin (PCMM) |
   Territories and Commonwealths missing from Non-VA Provider/Practice
   options
5. INC24855980: Update the white list to include the new AITC report server
6. INC24912734: PCMM MIN Sta. 618! Inactive Position is displaying in CPRS
   as an unassigned position.
7. INC25068020: 436 - Give to SPM.Health.ClinSvs.PrimCare.CPRS_SUP (PCMM) -
   Team Start Date Needs Editing/Correction
8. INC22328200: STA 614 | PLS GIVE TO PLM.HEALTH.HealthCareAdmin (PCMM) |
   20220427 - Attention window for FTE has spelling error

Patch Components:
-----------------

Added Component
=======================================================
jackson-datatype-jsr310-2.13.4.jar library

File Name                            Description
=========================================================
PCMMR.EAR                            Installation file
PCMMR_UNATTENDED_EAR-1.0-27-02.EAR   Installation file

Files & Fields Associated:

File Name (Number)         Field Name (Number)     New/Modified/Deleted
------------------         -------------------     --------------------
N/A

Forms Associated:

Form Name                  File #                  New/Modified/Deleted
---------                  ------                  --------------------
N/A

Mail Groups Associated:

Mail Group Name            New/Modified/Deleted
---------------            --------------------
N/A

Option Name                Type                    New/Modified/Deleted
-----------                ----                    --------------------
N/A

Protocols Associated:

Protocol Name              New/Modified/Deleted
-------------              --------------------
N/A

Security Keys Associated:

Security Key Name
-----------------
N/A

Templates Associated:

Template Name      Type    File Name (Number)      New/Modified/Deleted
-------------      ----    ------------------      --------------------
N/A

Additional Information:
N/A

New Service Requests (NSRs):
----------------------------
N/A

Patient Safety Issues (PSIs):
-----------------------------
N/A

Defect Tracking System Ticket(s) & Overview:
--------------------------------------------

1. INC23859115

Problem:
--------
Multiple Oracle Java Vulnerabilities

Assigned Plugin 156888 Oracle Java SE 1.7.0_331 / 1.8.0_321 / 1.11.0_14 /
1.17.0_2 Multiple Vulnerabilities (Unix January 2022 CPU)
Assets: vaausapppcm200

Assigned Plugin 161241 Oracle Java SE Multiple Vulnerabilities (Unix April
2022 CPU)
Assets: vaausapppcm200 | Vaauswebpcm400 | vaphcapppcm101 | vaausapppcm202 |
vaphcapppcm22 | vaphcapppcm300 | Vaauswebpcm201 | Vaauswebpcm200

Resolution:
-----------
Updated the build to include the library in the EAR file so it can be
loaded from the EAR automatically.

2. INC25113528 PCMM Remediate Fortify scan issues for report as of
   11/17/2022

Problem:
--------
There is a critical security issue (data leakage in the logs) from the
Fortify scan.

Resolution:
-----------
Commented out the logging statements.

3. INC25026923 LDAP Bulletin No. 2: VA LDAP services that may impact PCMM

Problem:
--------
There are going to be changes to the security of VA LDAP services that may
impact PCMM. PCMM uses an LDAP service account, VHACISSPCMM, to pull user
information from LDAP. Here is a link to the bulletin the VA put out in May
that has more information: LDAP Bulletin No. 2

Resolution:
-----------
We updated the LDAP URLs to use secure LDAP protocols, imported the LDAP
server certificate into the Java trust store, and updated the Java
properties to utilize the new certificates.

4. INC21878853 STA 614 | PLS GIVE TO PLM.HEALTH.HealthCareAdmin (PCMM) |
   Territories and Commonwealths missing from Non-VA Provider/Practice
   options

Problem:
--------
When assigning Non-VA Providers and creating Non-VA practices, there is
currently no place to indicate a US Territory or Commonwealth in the
address fields. This would include Guam, Puerto Rico, Philippines, USVI and
possibly others. This was discovered for a patient receiving CITC in Guam,
but that PFC put Guam as part of the city and used HI as the state. This is
incorrect.

Resolution:
-----------
Created a view in the database to include the missing entries and updated
the code to use the view instead of the standard table.

5. INC24855980 Update the whitelist to include the new AITC report server

Problem:
--------
There is a whitelist in the code for security purposes to allow the app to
only go to approved URLs. One of those URLs is the link to Reports in the
PCMM application. The code will have to be updated to include the URL for
the new AITC server.
The URL to be included in the whitelist is
https://vaausnodpcm211.aac.dva.domain.ext/Reports/
The files that contain the whitelist are main.b31cfe40.js and
main.b31cfe40.js.map, found in folder static/pcmmr/static/js/ in the war
file pcmmr_web-3.2022.04.26.1.war

Resolution:
-----------
Updated the whitelist with the new URL.

6. INC24912734 PCMM MIN Sta. 618! Inactive Position is displaying in CPRS
   as an unassigned position.

Problem:
--------
Inactive Positions in PCMM are displaying in CPRS as an unassigned
position. The issue includes cases where both the Primary Care Provider and
Designated WH PCP are showing on the CPRS banner; however, the Primary Care
Provider role is in an inactive state.

Resolution:
-----------
Modified the code to filter out the inactive positions from the CPRS pop-up
window.

7. INC25068020 Team Start Date Needs Editing/Correction
   The team start date and times are being set to GMT.

Problem:
--------
Under certain conditions, when a STATUS CHANGE TIMELINE is incorrect and it
is edited, the date/time stamp will default to a future even hour related
to GMT, 4 hours to 5 hours ahead. Since this date hasn't happened yet, work
with the team is delayed.

Resolution:
-----------
The time stamp converter was updated to handle multiple formats of the
incoming time and this fixed the problem.

8. INC22328200 The window for FTE error message has a spelling error

Problem:
--------
Attempting to remove FTE resulted in an error message as expected, but the
word "required" is misspelled.

Resolution:
-----------
The spelling error was corrected.

Test Sites:
-----------
Memphis - VA Medical Center (Memphis, TN)
Roseburg - Healthcare System (Roseburg, OR)

Software and Documentation Retrieval Instructions:
--------------------------------------------------
Documentation describing the new functionality is included in this release.
Documentation can be found on the VA Software Documentation Library at:
https://www.domain.ext/vdl/.
Documentation can also be obtained at
https://download.vista.domain.ext/index.html/SOFTWARE.

Documentation Title                  File Name
---------------------------------------------------------------------
Deployment, Installation Back-Out,   WEBP_1.0_27_DIBRG.DOCX
and Rollback Guide                   WEBP_1.0_27_DIBRG.PDF
---------------------------------------------------------------------
PCMM Web Version Description         WEBP_1.0-27_VDD.DOCX
Document                             WEBP_1.0-27_VDD.PDF

Patch Installation:
===================

PCMM Web patch, WEBP*1*27, is a centrally managed web-based application and
will be implemented and deployed to a central web server. No installation
is required by sites.

Pre/Post Installation overview:
-------------------------------
See WEBP_1.0_27_DIBRG.PDF for additional information.

Pre-Installation Instructions:
------------------------------

Installation Instructions:
--------------------------
******************************************************************
** PLEASE NOTE: THERE IS NO INSTALLATION FOR THIS PATCH.        **
******************************************************************

This informational patch, WEBP*1.0*27, is for PCMM Web. Installation is
done on a centralized server. Please refer to the WEBP_1.0_27_DIBRG.PDF for
more details.

Post-Installation Instructions:
-------------------------------
N/A

Back-Out Plan:
--------------
The back-out plan is provided as part of the deployment guide, detailed in
the Deployment, Installation Back-Out, and Rollback Guide
(WEBP_1.0_27_DIBRG.pdf).

Routine Information:
====================
No routines included.

=============================================================================
User Information:
Entered By  :                               Date Entered  : NOV 02, 2022
Completed By:                               Date Completed: FEB 15, 2023
Released By :                               Date Released : FEB 22, 2023
=============================================================================

Packman Mail Message:
=====================

No routines included
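
Item 5 (INC24855980) describes a whitelist that restricts the app to approved URLs but does not show how entries are matched. The following is an added example, not PCMM code, of one way to check a link against the Reports URL by comparing parsed URL components; `ALLOWED_PREFIXES`, `isAllowedUrl`, `allowedSamples` and every sample input other than the Reports URL itself are constructed for illustration.

```javascript
'use strict';

// Added example, not PCMM code. The single entry is the Reports URL
// from item 5; all names and sample inputs below are assumptions.
const ALLOWED_PREFIXES = [
  'https://vaausnodpcm211.aac.dva.domain.ext/Reports/',
].map((entry) => new URL(entry));

// Returns true only when the parsed URL has an allowlisted origin and
// its normalized path sits under the allowlisted path prefix.
function isAllowedUrl(candidate) {
  let url;
  try {
    url = new URL(candidate); // absolute URLs only; relative input throws
  } catch {
    return false;
  }
  if (url.protocol !== 'https:') return false;    // no downgrade to http
  if (url.username || url.password) return false; // no userinfo before "@"
  return ALLOWED_PREFIXES.some(
    (allowed) =>
      url.origin === allowed.origin &&            // scheme + host + port
      url.pathname.startsWith(allowed.pathname)   // "/Reports/" incl. slash
  );
}

// Constructed inputs. A raw string-prefix check would wrongly accept the
// "../" entry and wrongly reject the uppercase-host entry; comparing
// parsed components handles both.
const SAMPLES = [
  'https://vaausnodpcm211.aac.dva.domain.ext/Reports/summary',
  'https://VAAUSNODPCM211.aac.dva.domain.ext:443/Reports/',
  'https://vaausnodpcm211.aac.dva.domain.ext/Reports/../admin',
  'https://vaausnodpcm211.aac.dva.domain.ext/ReportsOld/',
  'http://vaausnodpcm211.aac.dva.domain.ext/Reports/',
  'https://vaausnodpcm211.aac.dva.domain.ext.other.example/Reports/',
  'https://vaausnodpcm211.aac.dva.domain.ext@other.example/Reports/',
  '/Reports/',
];

// Returns the subset of SAMPLES that passes the allowlist.
function allowedSamples() {
  return SAMPLES.filter(isAllowedUrl);
}

console.log(allowedSamples());
```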