============================================================================= Run Date: SEP 25, 2024 Designation: PREM*3*6 Package : PREM - MEDICATION ORDER CHECK (MOCH Priority: Mandatory Version : 3 SEQ #6 Status: Released Compliance Date: OCT 25, 2024 ============================================================================= Subject: MOCHA - JAXB, ESAPI, and Log4J Upgrade for TRM Compliance Category: - Informational - Other Description: ============ MOCHA application server is a component of the Medication Order Check Healthcare program that provides the capability to receive and validate the format of the request. Provided the format is correct, the MOCHA services will process the request by interacting with FDB's Med Knowledge Framework to perform the requested check and return the results. The purpose of this informational patch is to comply with the Technical Reference Model (TRM). JAXB and ESAPI libraries have been updated to be compliant with Technical Reference Model (TRM) to remediate security vulnerability. JAXB has been upgraded from 2.2.11 to TRM approved version 3.0.2. ESAPI has been upgraded from 2.2.0 to 2.5.2.0. Log4j has been upgraded from 2.20.0 to 2.21.0. SLF4J instances have been removed to be compliant with TRM. Patch Components: ----------------- Files & Fields Associated: File Name (Number) Field Name (Number) New/Modified/Deleted ------------------ ------------------- -------------------- N/A Forms Associated: Form Name File Number New/Modified/Deleted --------- ----------- -------------------- N/A Mail Groups Associated: Mail Group Name New/Modified/Deleted --------------- -------------------- N/A Options Associated: Option Name Type New/Modified/Deleted ----------- ---- -------------------- N/A Protocols Associated: Protocol Name New/Modified/Deleted ------------- -------------------- N/A Security Keys Associated: Security Key Name ----------------- N/A Templates Associated: Template Name Type File Name (Number) New/Modified/Deleted ------------- ---- ------------------ -------------------- N/A Remote Procedures Associated: Remote Procedure Name New/Modified/Deleted --------------------- -------------------- N/A Parameter Definitions Associated: Parameter Name New/Modified/Deleted -------------- -------------------- N/A Additional Information: ----------------------- N/A New Service Requests (NSRs): ---------------------------- N/A Patient Safety Issues (PSIs): ----------------------------- N/A Defect Tracking System Ticket(s) & Overview: ============================================ JIRA Task Id: HDSO-6742 Problem: -------- MOCHA application contains Java components which are subject to compliance with Technical Reference Model (TRM) to maintain authority to operate (ATO). Resolution: ----------- JAXB and ESAPI libraries have been updated to be compliant with Technical Reference Model (TRM) to remediate security vulnerability. JAXB has been upgraded from 2.2.11 to TRM approved version 3.0.2. ESAPI has been upgraded from 2.2.0 to 2.5.2.0. Log4j has been upgraded from 2.20.0 to 2.21.0. SLF4J instances have been removed to be compliant with TRM. Test Sites: ----------- West Palm Beach (West Palm Beach, FL) Battle Creek (Battle Creek, MI) Test Sites - SNOW Change Order #: --------------------------------- West Palm Beach - CHG0514440 Battle Creek - CHG0511519 Software and Documentation Retrieval Instructions: -------------------------------------------------- The software for this patch is being deployed by the IO Enterprise Server Support Team. Documentation describing the new functionality is included in this Release. Documentation can be found on the VA Software Documentation Library at: https://www.domain.ext/vdl/. Documentation can also be obtained at https://download.vista.domain.ext/index.html/SOFTWARE. File Title File Name ------------------------------------------------------------------- MOCHA Server Version 3.4.1 Deployment, PREM_3_P6_DIBR.DOCX Installation, Back-out, and Rollback Guide PREM_3_P6_DIBR.PDF MOCHA Server Version 3.4.1 PREM_3_P6_MOCHA_SERVER_V3_4_1_IG.DOCX Installation Guide PREM_3_P6_MOCHA_SERVER_V3_4_1_IG.PDF Patch Installation: ------------------- Pre-Installation Instructions: ------------------------------ N/A Installation Instructions: -------------------------- This is a Java Application, and it is deployed on the centralized Weblogic application server. No installation is required at local sites. The Deployment, Installation, Back-Out and Rollback Guide (DIBR) for this patch contains detailed installation instructions on how to deploy this MOCHA Java application patch at the centralized Weblogic application Server. Post-Installation Instructions: ------------------------------- N/A Back-Out/Roll Back Plan: ------------------------ Patch will be backed out by AITC. For further information on the back out, refer to section 4 (Back-Out Procedure) in the Deployment,Installation, Back-Out and Rollback Guide (DIBR) for this patch. Validation of Back-out Procedure --------------------------------- Detailed information on the validation of back-out procedure is provided in the DIBR for this patch. For further information, refer to section 4 (Back-Out Procedure). Routine Information: ==================== No routines included. ============================================================================= User Information: Entered By : Date Entered : FEB 01, 2024 Completed By: Date Completed: SEP 24, 2024 Released By : Date Released : SEP 25, 2024 ============================================================================= Packman Mail Message: ===================== No routines included