=============================================================================
Run Date: JUN 29, 2023                        Designation: WEBP*1*32
Package : WEBP - PATIENT CENTERED MANAGEMENT  Priority: Mandatory
Version : 1        SEQ #29                    Status: Released
                                              Compliance Date: JUL 30, 2023
=============================================================================

Subject: PCMM SUPPLEMENTAL SECURITY UPDATES

Category:
  - Informational

Description:
============

Note: PATCH WILL APPEAR AS WEBP*1*29B IN THE APPLICATION.

The purpose of this patch is to record and track the progress of upgrading
libraries to remediate the security issues reported in the Fortify Composite
Analysis report. The following 28 security issues are recorded in this patch.

 1. PCMMW-229: CVE-2020-10683 security vulnerability in dom4j-1.1.jar
 2. PCMMW-231: CVE-2022-36437 security vulnerability in hazelcast-all-3.12.12.jar
 3. PCMMW-233: CVE-2013-4221 security vulnerability in com.noelios.restlet-1.1.5.jar
 4. PCMMW-234: CVE-2013-4271 security vulnerability in com.noelios.restlet-1.1.5.jar
 5. PCMMW-235: CVE-2017-14868 security vulnerability in com.noelios.restlet-1.1.5.jar
 6. PCMMW-236: CVE-2017-14949 security vulnerability in com.noelios.restlet-1.1.5.jar
 7. PCMMW-237: CVE-2014-0114 security vulnerability in commons-beanutils-1.8.3.jar
 8. PCMMW-238: CVE-2019-10086 security vulnerability in commons-beanutils-1.8.3.jar
 9. PCMMW-239: CVE-2015-6420 security vulnerability in commons-collections-3.2.1.jar
10. PCMMW-241: 04-28-23: CVE-2022-25647 security vulnerability in gson-2.8.6.jar
11. PCMMW-242: CVE-2016-10750 security vulnerability in hazelcast-all-3.12.12.jar
12. PCMMW-243: CVE-2022-36437 security vulnerability in hazelcast-all-3.12.12.jar
13. PCMMW-244: CVE-2022-36437 security vulnerability in hazelcast-all-3.12.12.jar
14. PCMMW-245: CVE-2022-36437 security vulnerability in hazelcast-all-3.12.12.jar
15. PCMMW-246: CVE-2022-36437 security vulnerability in hazelcast-all-3.12.12.jar
16. PCMMW-247: CVE-2016-10750 security vulnerability in hazelcast-all-3.12.12.jar
17. PCMMW-248: CVE-2016-2141 security vulnerability in jgroups-2.12.1.3.Final.jar
18. PCMMW-251: CVE-2016-10750 security vulnerability in hazelcast-all-3.12.12.jar
19. PCMMW-256: CVE-2020-36518 security vulnerability in jackson-databind-2.11.0.jar
20. PCMMW-257: CVE-2022-42003 security vulnerability in jackson-databind-2.11.0.jar
21. PCMMW-259: CVE-2022-42004 security vulnerability in jackson-databind-2.11.0.jar
22. PCMMW-262: CVE-2014-9970 security vulnerability in jasypt-1.8.jar
23. PCMMW-267: CVE-2013-4221 security vulnerability in org.restlet-1.1.5.jar
24. PCMMW-268: 04-28-23: CVE-2013-4271 security vulnerability in org.restlet-1.1.5.jar
25. PCMMW-269: CVE-2017-14868 security vulnerability in org.restlet-1.1.5.jar
26. PCMMW-270: CVE-2017-14949 security vulnerability in org.restlet-1.1.5.jar
27. PCMMW-279: CVE-2020-13936 security vulnerability in velocity-1.7.jar
28. PCMMW-280: CVE-2022-36437 security vulnerability in hazelcast-all-3.12.12.jar

Patch Components:
----------------
N/A

File Name                            Description
=========================================================
PCMMR-1.0-29B-05.EAR                 Installation file
PCMMR_UNATTENDED_EAR-1.0-29B-05.EAR  Installation file
cissUserManagement-1.0-29B-05.ear    Installation file

Files & Fields Associated:

File Name (Number)   Field Name (Number)   New/Modified/Deleted
------------------   -------------------   --------------------
N/A

Forms Associated:

Form Name   File Number   New/Modified/Deleted
---------   -----------   --------------------
N/A

Mail Groups Associated:

Mail Group Name   New/Modified/Deleted
---------------   --------------------
N/A

Options Associated:

Option Name   Type   New/Modified/Deleted
-----------   ----   --------------------
N/A

Protocols Associated:

Protocol Name   New/Modified/Deleted
-------------   --------------------
N/A

Security Keys Associated:

Security Key Name
-----------------
N/A

Templates Associated:

Template Name   Type   File Name (Number)   New/Modified/Deleted
-------------   ----   ------------------   --------------------
N/A

Remote Procedures Associated:

Remote Procedure Name   New/Modified/Deleted
---------------------   --------------------
N/A

Parameter Definitions Associated:

Parameter Name   New/Modified/Deleted
--------------   --------------------
N/A

Additional Information:
-----------------------
N/A

New Service Requests (NSRs):
N/A

Patient Safety Issues (PSIs):
N/A

Enhancement Tracking System Ticket(s) in JIRA & Overview:
---------------------------------------------------------

1. PCMMW-229: CVE-2020-10683 security vulnerability in dom4j-1.1.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (https://nvd.nist.gov/vuln/detail/CVE-2020-10683).

   Resolution:
   ----------
   Removed vulnerable jar from the build.

2. PCMMW-231: CVE-2022-36437 security vulnerability in hazelcast-all-3.12.12.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36437).

   Resolution:
   ----------
   Upgraded library to the version without vulnerability.

3. PCMMW-233: CVE-2013-4221 security vulnerability in com.noelios.restlet-1.1.5.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4221).

   Resolution:
   ----------
   Removed vulnerable jar from the build.

4. PCMMW-234: CVE-2013-4271 security vulnerability in com.noelios.restlet-1.1.5.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4271).

   Resolution:
   ----------
   Removed vulnerable jar from the build.

5. PCMMW-235: CVE-2017-14868 security vulnerability in com.noelios.restlet-1.1.5.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14868).

   Resolution:
   ----------
   Removed vulnerable jar from the build.

6. PCMMW-236: CVE-2017-14949 security vulnerability in com.noelios.restlet-1.1.5.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14949).

   Resolution:
   ----------
   Removed vulnerable jar from the build.

7. PCMMW-237: CVE-2014-0114 security vulnerability in commons-beanutils-1.8.3.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114).

   Resolution:
   ----------
   Upgraded library to the version without vulnerability.

8. PCMMW-238: CVE-2019-10086 security vulnerability in commons-beanutils-1.8.3.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-10086).

   Resolution:
   ----------
   Upgraded library to the version without vulnerability.

9. PCMMW-239: CVE-2015-6420 security vulnerability in commons-collections-3.2.1.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6420).

   Resolution:
   ----------
   Upgraded library to the version without vulnerability.

10. PCMMW-241: CVE-2022-25647 security vulnerability in gson-2.8.6.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-25647).

   Resolution:
   ----------
   Upgraded library to the version without vulnerability.

11. PCMMW-242: CVE-2016-10750 security vulnerability in hazelcast-all-3.12.12.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10750).

   Resolution:
   ----------
   Upgraded library to the version without vulnerability.

12. PCMMW-243: CVE-2022-36437 security vulnerability in hazelcast-all-3.12.12.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36437).

   Resolution:
   ----------
   Upgraded library to the version without vulnerability.

13. PCMMW-244: CVE-2022-36437 security vulnerability in hazelcast-all-3.12.12.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36437).

   Resolution:
   ----------
   Upgraded library to the version without vulnerability.

14. PCMMW-245: CVE-2022-36437 security vulnerability in hazelcast-all-3.12.12.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36437).

   Resolution:
   ----------
   Upgraded library to the version without vulnerability.

15. PCMMW-246: CVE-2022-36437 security vulnerability in hazelcast-all-3.12.12.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36437).

   Resolution:
   ----------
   Upgraded library to the version without vulnerability.

16. PCMMW-247: CVE-2016-10750 security vulnerability in hazelcast-all-3.12.12.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10750).

   Resolution:
   ----------
   Upgraded library to the version without vulnerability.

17. PCMMW-248: CVE-2016-2141 security vulnerability in jgroups-2.12.1.3.Final.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2141).

   Resolution:
   ----------
   Upgraded library to the version without vulnerability.

18. PCMMW-251: CVE-2016-10750 security vulnerability in hazelcast-all-3.12.12.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10750).

   Resolution:
   ----------
   Upgraded library to the version without vulnerability.

19. PCMMW-256: CVE-2020-36518 security vulnerability in jackson-databind-2.11.0.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36518).

   Resolution:
   ----------
   Upgraded library to the version without vulnerability.

20. PCMMW-257: CVE-2022-42003 security vulnerability in jackson-databind-2.11.0.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42003).

   Resolution:
   ----------
   Upgraded library to the version without vulnerability.

21. PCMMW-259: CVE-2022-42004 security vulnerability in jackson-databind-2.11.0.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42004).

   Resolution:
   ----------
   Upgraded library to the version without vulnerability.

22. PCMMW-262: CVE-2014-9970 security vulnerability in jasypt-1.8.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9970).

   Resolution:
   ----------
   Upgraded library to the version without vulnerability.

23. PCMMW-267: CVE-2013-4221 security vulnerability in org.restlet-1.1.5.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4221).

   Resolution:
   ----------
   Upgraded library to the version without vulnerability.

24. PCMMW-268: CVE-2013-4271 security vulnerability in org.restlet-1.1.5.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4271).

   Resolution:
   ----------
   Upgraded library to the version without vulnerability.

25. PCMMW-269: CVE-2017-14868 security vulnerability in org.restlet-1.1.5.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14868).

   Resolution:
   ----------
   Upgraded library to the version without vulnerability.

26. PCMMW-270: CVE-2017-14949 security vulnerability in org.restlet-1.1.5.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14949).

   Resolution:
   ----------
   Upgraded library to the version without vulnerability.

27. PCMMW-279: CVE-2020-13936 security vulnerability in velocity-1.7.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13936).

   Resolution:
   ----------
   Upgraded library to the version without vulnerability.

28. PCMMW-280: CVE-2022-36437 security vulnerability in hazelcast-all-3.12.12.jar

   Problem:
   -------
   Composite Analysis Scan flagged this jar for security vulnerability
   (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36437).

   Resolution:
   ----------
   Upgraded library to the version without vulnerability.

Test Sites:
-----------
Memphis - VA Medical Center (Memphis, TN)
Roseburg - Healthcare System (Roseburg, OR)

Software and Documentation Retrieval Instructions:
--------------------------------------------------
Documentation describing the new functionality is included in this release.
Documentation can be found on the VA Software Documentation Library at:
https://www.domain.ext/vdl/. Documentation can also be obtained at
https://download.vista.domain.ext/index.html/SOFTWARE.

Documentation Title                      File Name
---------------------------------------------------------------------
Deployment, Installation Back-Out,       WEBP_1.0_32_DIBRG.DOCX
and Rollback Guide                       WEBP_1.0_32_DIBRG.PDF
PCMM Web Version Description             WEBP_1.0-32_VDD.DOCX
Document                                 WEBP_1.0-32_VDD.PDF

Patch Installation:
===================
PCMM Web patch, WEBP*1*32, is a centrally managed web-based application and
will be implemented and deployed to a central web server. No installation is
required by sites.

Pre/Post Installation overview:
-------------------------------
See WEBP_1.0_32_DIBRG.PDF for additional information.

Pre-Installation Instructions:
------------------------------

Installation Instructions:
-------------------------
******************************************************************
** PLEASE NOTE: THERE IS NO INSTALLATION FOR THIS PATCH.        **
******************************************************************
This informational patch, WEBP*1.0*32, is for PCMM Web. Installation is done
on a centralized server. Please refer to the WEBP_1.0_32_DIBRG.PDF for more
details.

Post-Installation Instructions:
-----------------------------
N/A

Back-Out Plan:
--------------------------
The back-out plan is provided as part of the deployment guide detailed in the
Deployment, Installation Back-Out, and Rollback Guide (WEBP_1.0_32_DIBRG.PDF).

Routine Information:
====================
No routines included.

=============================================================================
User Information:
Entered By  :                               Date Entered  : MAY 08, 2023
Completed By:                               Date Completed: JUN 28, 2023
Released By :                               Date Released : JUN 29, 2023
=============================================================================

Packman Mail Message:
=====================
No routines included
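An added verification check, not part of this patch description or of the PCMM Web code: it walks an EAR (and the WARs and jars nested inside it) and reports any jar that still matches the flagged inventory above, or any version of an artifact the patch removed from the build outright. The archive layout, `pcmm.war`, `gson-2.9.0.jar` and `dom4j-2.1.3.jar` are constructed sample data, not the contents of the real PCMMR-1.0-29B-05.EAR.

```python
import io
import re
import zipfile

# Flagged jar -> CVEs recorded against it in this patch's ticket list (both restlet jars share one set).
RESTLET = ["CVE-2013-4221", "CVE-2013-4271", "CVE-2017-14868", "CVE-2017-14949"]
FLAGGED = {
    "dom4j-1.1.jar": ["CVE-2020-10683"],
    "hazelcast-all-3.12.12.jar": ["CVE-2022-36437", "CVE-2016-10750"],
    "com.noelios.restlet-1.1.5.jar": RESTLET, "org.restlet-1.1.5.jar": RESTLET,
    "commons-beanutils-1.8.3.jar": ["CVE-2014-0114", "CVE-2019-10086"],
    "commons-collections-3.2.1.jar": ["CVE-2015-6420"], "gson-2.8.6.jar": ["CVE-2022-25647"],
    "jgroups-2.12.1.3.Final.jar": ["CVE-2016-2141"], "jasypt-1.8.jar": ["CVE-2014-9970"],
    "jackson-databind-2.11.0.jar": ["CVE-2020-36518", "CVE-2022-42003", "CVE-2022-42004"],
    "velocity-1.7.jar": ["CVE-2020-13936"],
}
REMOVED = {"dom4j", "com.noelios.restlet"}  # removed from the build outright: any version is a finding
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")

def walk_jars(data, prefix=""):
    """Yield every *.jar path in a zip archive, descending into nested .ear/.war/.jar archives."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".jar"):
                yield prefix + name
            if name.lower().endswith((".ear", ".war", ".jar")):
                yield from walk_jars(zf.read(name), prefix + name + "!/")

def audit(data):
    """Map each jar still matching the flagged inventory to the reasons it was flagged."""
    findings = {}
    for path in walk_jars(data):
        base = path.rsplit("/", 1)[-1]
        if base in FLAGGED:  # exact flagged version still shipped
            findings[path] = list(FLAGGED[base])
        elif (m := JAR_RE.match(base)) and m.group("artifact") in REMOVED:
            findings[path] = ["artifact removed from the build in WEBP*1*32"]
    return findings

def make_zip(entries):  # {name: bytes} -> zip bytes; helper for constructed sample archives
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()

def sample_ear():  # constructed stand-in for PCMMR-1.0-29B-05.EAR: stale jar, removed artifact, clean jar
    jar = make_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    war = make_zip({"WEB-INF/lib/hazelcast-all-3.12.12.jar": jar, "WEB-INF/lib/gson-2.9.0.jar": jar})
    return make_zip({"lib/dom4j-2.1.3.jar": jar, "pcmm.war": war})
```

Because the patch text does not name the upgraded library versions, the check only matches the exact flagged versions; the replacement versions still need to be confirmed against the NVD entries linked above.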