=============================================================================
Run Date: JUN 23, 2025                      Designation: ANRV*5.1*15
Package : ANRV - VISUAL IMPAIRMENT SERVICE TE  Priority: Mandatory
Version : 5.1         SEQ #12                    Status: Released
                  Compliance Date: JUL 24, 2025
=============================================================================

Subject: Blind Rehabilitation SAML Token Vulnerability Fix

Category:
  - Informational
  - Other

Description:
============

ANRV*5.1*15 "Informational" patch is for Blind Rehabilitation Services (BRS)
5.1 Java Graphic User Interface (GUI). After release, the BRS GUI/Web Server
version will be 5.1.10.2.

Patch ANRV*5.1*15 will address the following defects:

1. VISTARBM-2476 INC38610974 BRS SAML Token Vulnerability Fix

EHRM Impact Statement:
----------------------
- This patch should have no EHRM impact, and can be installed at all sites,
  including EHRM converted sites.

Patch Components:
-----------------

Files & Fields Associated:

File Name (Number)         Field Name (Number)         New/Modified/Deleted
------------------         -------------------         --------------------
N/A

Forms Associated:

Form Name                  File Number                 New/Modified/Deleted
---------                  -----------                 --------------------
N/A

Mail Groups Associated:

Mail Group Name            New/Modified/Deleted
---------------            --------------------
N/A

Options Associated:

Option Name                Type                        New/Modified/Deleted
-----------                ----                        --------------------
N/A

Protocols Associated:

Protocol Name              New/Modified/Deleted
-------------              --------------------
N/A

Security Keys Associated:

Security Key Name
-----------------
N/A

Templates Associated:

Template Name      Type      File Name (Number)      New/Modified/Deleted
-------------      ----      ------------------      --------------------
N/A

Remote Procedures Associated:

Remote Procedure Name      New/Modified/Deleted
---------------------      --------------------
N/A

Parameter Definitions Associated:

Parameter Name             New/Modified/Deleted
--------------             --------------------
N/A

Additional Information:
-----------------------
None

New Service Requests (NSRs):
----------------------------
N/A

Patient Safety Issues (PSIs):
-----------------------------
N/A

Additional Information:
-----------------------
N/A

Defect Tracking System Ticket(s) & Overview:
=============================================

1. VISTARBM-2476 INC38610974 BRS SAML Token Vulnerability Fix

Problem:
Currently, your application or system is authenticating with VistA using an
IAM SSOi SAML token that fails digital signature validation (XMLDSIG). Your
application system must be remediated so that it successfully passes digital
signature validation when authenticating with VistA using an IAM SSOi SAML
token.

Resolution:
-----------
Wrote code to perform signature validation on token to make sure it was valid.

Test Sites:
===========
Business Office Verification

SNOW Change Order Number:
-------------------------
CHG0620509

Software and Documentation Retrieval Instructions:
==================================================
The software for this patch is being deployed by the IO Enterprise Server
Support Team.

Documentation describing the new functionality is included in this Release.
Documentation can be found on the VA Software Documentation Library at:
https://www.domain.ext/vdl/

Documentation can also be obtained at:
https://www.download.vista.domain.ext/index.html/SOFTWARE/

Documentation Title                            File Name
----------------------------------------------------------------------
Blind Rehab 5.1 Release Notes                  ANRV_5_1_15_RN.pdf
Blind Rehab 5.1 Centralized Server
Installation/Implementation Guide              ANRV_5_1_15_CIG.pdf

Installation Instructions:
==========================
This is a web application Java Build. This is a centralized server promotion.
No installation is required at local sites.

Routine Information:
====================
No routines included.

=============================================================================
User Information:
Entered By  :                               Date Entered  : MAY 06, 2025
Completed By:                               Date Completed: JUN 20, 2025
Released By :                               Date Released : JUN 23, 2025
=============================================================================

Packman Mail Message:
=====================

No routines included