=============================================================================
Run Date: SEP 08, 2020                    Designation: EAS*1*193
Package : EAS - ENROLLMENT APPLICATION SYSTEM  Priority: Mandatory
Version : 1        SEQ #164                    Status: Released
                                               Compliance Date: OCT 09, 2020
=============================================================================

Subject: ENROLLMENT SYSTEM (ES) 5.13 RELEASE

Category:
  - Informational

Description:
============

The purpose of this informational patch description is to announce the
release of the Enrollment System (ES) 5.13.

This release, developed in Java technology, contains Enrollment System
Modernization (ESM) Phase 3 development and upgrade efforts, including
enhancements and defect fixes to support Enrollment System Community Care
(ESCC), Electronic Health Record Modernization (EHRM), and ES Sustainment.

ES 5.13 was successfully deployed on Friday, September 4, 2020.

The following functionality is updated in this ES 5.13 release:

Enrollment System Modernization (ESM)

 1. ES has replaced Web Hospital Inquiry (WebHINQ) with the new VA Profile
    Service. When a data push from the Veterans Benefits Administration
    (VBA) occurs, all data - including all rated disabilities and all
    evaluation history - will be populated in the message from VA Profile.

 2. ES now populates the original site and source for VA Profile. All
    contact information exceptions will be assigned to the VA Medical
    Center (VAMC) that made the error to resolve the errors. This provides
    the required provenance for accountability, reporting, and needed
    education activities to further improve VA contact information,
    including all Veteran address types, all Veteran phone number types,
    and all Veteran email address types.

 3. Three fields in the Assets section of the Edit Financial Details
    screen are disabled:
    a. Cash and Bank Account Balance
    b. Land, Buildings Less Mortgage and Liens
    c. Other Property or Assets

    Removing user entry for the three asset fields will prevent the
    supplemental adjudication question from being presented. The
    supplemental adjudication question is no longer required as part of
    the financial assessment process (Means Test, Income Test) used to
    assign a Veteran's enrollment priority group, copay responsibilities,
    and other benefits.

Electronic Health Record Modernization (EHRM)

 1. ES will no longer create or retain any copies of the PDF files of the
    Veteran's Handbook. Links to view the handbook are removed from the
    user interface.

 2. ES 5.12 replaced the landing page that contained the user security and
    privacy disclaimer with a popup screen containing the disclaimer.
    However, since ES inherits the system use notification/warning banner
    from the VA Enterprise Identity and Access Management (IAM) Single
    Sign-On Internal (SSOi) infrastructure when a user initially
    establishes a session, ES 5.13 is updated to no longer display the
    disclaimer popup message window when a user successfully logs into the
    application.

 3. In ES 5.12, the system was modified to expire financial hardships at
    the end of the year. ES 5.13 is updated to provide a new letter that
    will inform Veterans up to 60 days in advance that their hardship is
    expiring so that they can submit a new means test.

 4. ES is updated to store and display one renamed and four new "Carveout"
    VHA Profiles (VHAPs).
    a. Active Duty and Tricare Sharing Agreement - renamed
    b. VA DoD Direct Resource Sharing Agreements - new
    c. State Veteran Home - new
    d. Employee Veteran - new
    e. OWCP (Office of Workers Compensation Program) - new

 5. In support of the Community Care Program, ES is updated to store and
    display the new "Carveout" Collateral of Veteran Other VHAP.
    Collateral of Veteran Other identifies collateral populations not
    identified in other specific VHAPs - a person, related to or associated
    with a Veteran (spouse, family member, or significant other) - receiving
    care from the Department of Veterans Affairs (VA). The person is seen by
    a professional member of the VA health care facility's (HCF's) staff
    either within the facility or at a site away from the facility for
    reasons relating to the Veteran's clinical care. This VHAP will be
    assigned to Collaterals for the VHA Transplant Program, Marriage/Family
    Counseling, and Collaterals that are not assigned to a Caregiver
    Program.

 6. Four new Community Care Outcomes were created and will display in View
    Community Care Outcome and Community Care Determination: ART/IVF,
    Marriage/Family Counseling, Newborn, and VHA Transplant Program.

 7. To support the VA Maintaining Internal Systems and Strengthening
    Integrated Outside Networks (MISSION) Act, ES is enhanced to now
    reflect not enrolled covered Veterans as Community Care eligible. ES
    is enhanced to automate the determination of Entitled Care and
    Restricted Care Community Care Outcomes based on rules. Two new CCP
    VHAPs are created, stored, displayed, and automated to support not
    enrolled covered Veterans:
    a. Veteran Plan CCP Entitled Care: Assigned to Veterans who are not
       enrolled and have the following eligibility: Service Connected (SC)
       50% to 100%.
    b. Veteran Plan CCP Restricted Care: Assigned to Veterans who are not
       enrolled and have the following eligibility:
       i.   SC 0% to 40%
       ii.  SC 0% (non-compensable)
       iii. Military Sexual Trauma (MST) Non-Veteran (Active Duty)
       iv.  Emergent Mental Health (MH) Other-Than-Honorable (OTH) or
            Extended MH OTH

 8. ES and VistA will share Community Care Collaterals and associated
    VHAPs via messaging. All new Veterans Community Care Eligibility (VCE)
    data are communicated from ES to the Community Care Network (CCN)
    vendor.
    New VCE data are available for the Enrollment & Eligibility (E&E) web
    service Community Care subscribers; new VHAP data are available for
    E&E web service subscribers.

 9. ES is updated to instantiate an ES application session in response to
    a Cerner Revenue Cycle user clicking a link from within that
    application. ES will automatically log the user into the application
    and direct the user to the summary page for the Veteran received in
    the call from Revenue Cycle.

10. ES is updated to perform a single service call for address validation
    instead of two service calls and to change the processing of the
    response to account for a change to the response message content.

11. ES is updated to limit a user's access to their own record, receive
    sensitive records notifications, and log person record access data.

ES Sustainment

Defect Fixes:

VES-529:  Browser Compatibility: Chrome and Edge - Military Service Tab -
          When a Veteran record with a military episode and Camp Lejeune
          Eligibility is pulled up in ES, it does not show the expanded
          view of the Camp Lejeune Eligibility section.

VES-541:  Browser Compatibility - Chrome only - On the Person Search
          screen, Military Service Number and Claim Folder Number fields
          under the Additional Search Criteria section are misaligned.

VES-544:  Browser Compatibility: Chrome and Edge - On the "Edit Current
          Eligibility" screen for AAP scenario, the description does not
          populate for the code added under Rated SC Disabilities.

VES-545:  Browser Compatibility: Chrome and Edge - Eligibility Tab - When
          a Veteran record with military episode and Camp Lejeune
          Eligibility is pulled up in ES, it does not show the expanded
          view of the Camp Lejeune Eligibility section.

VES-553:  Browser Compatibility: Report Filter by Status feature does not
          work on Chrome but works on IE.

VES-554:  Browser Compatibility: Chrome - Military Service Screen:
          Military Service Episodes - HEC section: fields are misaligned.
VES-555:  Entry of future date of birth is being allowed during Add A
          Person (AAP).

VES-580:  Section 508: Field label is not included in incorrect format
          error messages on the Completed Reports screen.

VES-586:  The Z05 message is failing for long city names from the Health
          Care Application (HCA).

VES-600:  Section 508: Some active controls that generate an error are
          neither read with error nor marked as error
          (Demographics/Personal).

VES-604:  The Programmable Logic Controller (PLC) letter response file
          fails to complete.

VES-606:  Errors occur when saving and opening VOA file attachments from
          Edit Eligibility.

VES-632:  The date of birth validation message for Purple Heart is
          displayed when it is not expected to be displayed.

VES-906:  Browser Compatibility: Chrome and Edge - When Member ID with a
          trailing space is pasted in the Member ID field or a
          29-character ICN is pasted in the ICN field on the Person Search
          page, the focus jumps to a blank field adjacent to the
          respective fields.

VES-907:  The 10-10EZ PDF from either the Financials tab or the VOA
          version on the Enrollment tab is failing to generate.

VES-915:  Browser Compatibility: Chrome Only - The row and the page
          counters at the top of the table on the Facilities header are
          displayed to the left, when they should be displayed in the
          middle.

VES-916:  Browser Compatibility: Chrome Only - Worklist Tab - The "Search
          Criteria" and "Search Value" fields above the "My Items" tab are
          displayed on the left side of the screen (no impact to
          functionality).

VES-917:  Browser Compatibility - Chrome and Edge - On the "My Items"
          subtab of the "Worklist" tab, the "Assign" button is placed away
          from the "Assign Selected Items to" dropdown.

VES-1297: If a user attempts to retransmit an ORU-Z11 message, the
          retransmit attempt fails with the following error message:
          "Unable to retransmit message due to error: Failed to resend a
          message: Failed to build outbound ORUZ11-S message due to an
          exception".
VES-1304: The "623A Notify Applicant Priority Below EGT Letter" is not
          being sent.

VES-1849: Fortify: Resolve all 1214 code warnings.

VES-1850: A user is unable to update the "State" on the Personal screen as
          the field is not visible after initially adding the address.

VES-1891: Fortify: Unreleased Resource: Streams - 14 issues
          Some allocated system resources fail to be released.

VES-1892: Fortify: Log Forging - 1 issue
          Unvalidated user input could allow forging or injection of
          malicious content into the log.

VES-1893: Fortify: Key Management: Empty Encryption Key - 1 issue
          Empty encryption keys can compromise security.

VES-1894: Fortify: Dynamic Code Evaluation: Unsafe Deserialization -
          1 issue
          Deserializing user-controlled object streams at runtime can
          allow attackers to execute arbitrary code on the server, abuse
          application logic, and/or lead to denial of service.

VES-1895: Fortify: SQL Injection: Hibernate - 10 issues
          An SQL query built using input potentially coming from an
          untrusted source is being invoked.

VES-1936: Fortify: Null Dereference - 1 issue
          Dereferencing a null pointer can crash the program.

VES-1937: Fortify: Dynamic Code Evaluation: Unsafe XStream
          Deserialization - 1 issue
          The XStream library provides the developer with an easy way to
          transmit objects, serializing them to XML documents. However,
          XStream deserialization might enable an attacker to run
          arbitrary Java code on the server.

VES-1960: WASA: A2 - Broken Authentication and Session Management

VES-1961: WASA: A5 - Security Misconfiguration

VES-4603: Fortify: Path Manipulation - 2 issues
          Attackers are able to control a file system path argument,
          which allows them to access or modify otherwise protected files.

VES-4604: Fortify: Server-Side Request Forgery - 6 issues
          If data is retrieved from an external system, then it must be
          validated.
VES-4605: Fortify: Log Forging - 10 issues
          Unvalidated user input to the log could enable forging of log
          entries or injection of malicious content into the log.

VES-4606: Fortify: Null Dereference - 4 issues
          Dereferencing a null pointer can crash the system.

VES-4607: Fortify: Unreleased Resource: Streams - 6 issues
          Some allocated system resources are failing to be released.

VES-4608: Fortify: Unreleased Resource: Files
          Allowed files are sometimes failing to be released.

VES-4609: Fortify: Portability Flaw: Locale Dependent Comparison

VES-4610: Fortify: Dynamic Code Evaluation: Unsafe Deserialization

VES-4611: Fortify: Unresolved Scan Issues: ES_HECMS_ui_web_admin

VES-4612: Fortify: Unreleased Resource: Sockets: ES_WS_Webserv

VES-4613: Fortify: Unresolved Scan Issues: ES_WS_Webserv

VES-5553: Access Controls - Elevated Privileges
          The ability to edit a user profile is currently requiring
          administrator capability instead of just the single "edit user
          profile" capability.

VES-5752: Section 508: Some fields on Schedule Reports screens are not
          read as "Required" by Job Access With Speech (JAWS).

VES-5897: Fortify: Privacy Violation - 52 issues
          Confidential information is being mishandled.

VES-5898: Fortify: Privacy Violation: Heap Inspection - 30 issues
          Sensitive data is being stored in such a way that it cannot be
          reliably purged from memory.

VES-5899: Fortify: Race Condition: Singleton Member Field - 3 issues
          Certain classes are singletons, so the member fields are shared
          between users; the result is that one user could see another
          user's data.

VES-6767: Changing a preferred facility to a new station that has never
          been assigned before does not create a new assignment date; it
          is inheriting the facility assignment date from the previously
          assigned record.

VES-6912: Fortify: Unvalidated input into JavaScript Object Notation
          (JSON) could allow an attacker to inject arbitrary elements or
          attributes into the JSON entity.
Patch Components:
-----------------
N/A

Files & Fields Associated:

File Name (Number)         Field Name (Number)         New/Modified/Deleted
------------------         -------------------         --------------------
N/A

Forms Associated:

Form Name                  File #                      New/Modified/Deleted
---------                  ------                      --------------------
N/A

Mail Groups Associated:

Mail Group Name            New/Modified/Deleted
---------------            --------------------
N/A

Options Associated:

Option Name                Type                        New/Modified/Deleted
-----------                ----                        --------------------
N/A

Protocols Associated:

Protocol Name              New/Modified/Deleted
-------------              --------------------
N/A

Security Keys Associated:

Security Key Name
-----------------
N/A

Templates Associated:

Template Name     Type     File Name (Number)     New/Modified/Deleted
-------------     ----     ------------------     --------------------
N/A

Remote Procedures Associated:

Remote Procedure Name      New/Modified/Deleted
---------------------      --------------------
N/A

Parameter Definitions Associated:

Parameter Name             New/Modified/Deleted
--------------             --------------------

Additional Information:

New Service Requests (NSRs):
N/A

Patient Safety Issues (PSIs):
N/A

Defect Tracking System Ticket(s) & Overview:

Jira:

Bug #      Problem / Resolution:
--------   --------------------

VES-529
Problem:    Browser Compatibility: Chrome and Edge - Military Service Tab -
            When a Veteran record with a military episode and Camp Lejeune
            Eligibility is pulled up in ES, it does not show the expanded
            view of the Camp Lejeune Eligibility section.
Resolution: Updated code to show the expanded view including all the fields
            on the Camp Lejeune Eligibility section of the Military Service
            tab.

VES-541
Problem:    Browser Compatibility - Chrome only - On the Person Search
            screen, Military Service Number and Claim Folder Number fields
            under the Additional Search Criteria section are misaligned.
Resolution: Updated code to properly align the Military Service Number and
            Claim Folder fields under the Additional Search Criteria
            section.
VES-544
Problem:    Browser Compatibility: Chrome and Edge - On the "Edit Current
            Eligibility" screen for AAP scenario, the description does not
            populate for the code added under Rated SC Disabilities.
Resolution: Updated code to display all descriptions in AAP.

VES-545
Problem:    Browser Compatibility: Chrome and Edge - Eligibility Tab - When
            a Veteran record with military episode and Camp Lejeune
            Eligibility is pulled up in ES, it does not show the expanded
            view of the Camp Lejeune Eligibility section.
Resolution: Updated code to show the expanded view including all the fields
            on the Camp Lejeune Eligibility section of the Eligibility tab.

VES-553
Problem:    Browser Compatibility: Report Filter by Status feature does not
            work on Chrome but works on IE.
Resolution: Updated code to enable the Report Filter by Status feature on
            both browsers.

VES-554
Problem:    Browser Compatibility: Chrome - Military Service Screen:
            Military Service Episodes - HEC section: fields are misaligned.
Resolution: Updated code to properly align the Military Service Screen:
            Military Service Episodes - HEC section fields.

VES-555
Problem:    Entry of future date of birth is being allowed during Add A
            Person (AAP).
Resolution: Implemented validation rule in AAP: "Date of Birth Cannot Be
            in the Future".

VES-580
Problem:    Section 508: Field label is not included in incorrect format
            error messages on the Completed Reports screen.
Resolution: Updated code to include the field label in the incorrect
            format error message on the Completed Reports screen.

VES-586
Problem:    The Z05 message is failing for long city names from HCA.
Resolution: Added logic to the HCA inbound message to validate the city if
            the name has more than 15 characters.

VES-600
Problem:    Section 508: Some active controls that generate an error are
            neither read with error nor marked as error
            (Demographics/Personal).
Resolution: Updated code so that if Preferred Facility is not selected, an
            error is displayed and the field is highlighted.
VES-604
Problem:    The Programmable Logic Controller (PLC) letter response file
            fails to complete.
Resolution: Updated batch process to rename the file to .DONE so that the
            process completes.

VES-606
Problem:    Errors occur when saving and opening VOA file attachments from
            Edit Eligibility.
Resolution: Updated code to enable VOA file attachments to be saved
            directly as PDFs and opened.

VES-632
Problem:    The date of birth validation message for Purple Heart is
            displayed when it is not expected to be displayed.
Resolution: Modified Check Birth Date / Received Date code for Purple Heart
            so that the validation message is not displayed when the
            Document Received Date field is updated with the current date.

VES-906
Problem:    Browser Compatibility: Chrome and Edge - When Member ID with a
            trailing space is pasted in the Member ID field or a
            29-character ICN is pasted in the ICN field on the Person
            Search page, the focus jumps to a blank field adjacent to the
            respective fields.
Resolution: Updated code to prevent focus from jumping to the blank fields
            when a Member ID with a trailing space or a 29-character ICN
            is entered.

VES-907
Problem:    The 10-10EZ PDF from either the Financials tab or the VOA
            version on the Enrollment tab is failing to generate.
Resolution: Updated code to properly load the 10-10EZ PDF from all
            instances.

VES-915
Problem:    Browser Compatibility: Chrome Only - The row and the page
            counters at the top of the table on the Facilities header are
            displayed to the left, when they should be displayed in the
            middle.
Resolution: Updated code to properly display the row and page counters at
            the top of the table on the Facilities header.

VES-916
Problem:    Browser Compatibility: Chrome Only - Worklist Tab - The "Search
            Criteria" and "Search Value" fields above the "My Items" tab
            are displayed on the left side of the screen (no impact to
            functionality).
Resolution: Updated code to display the "Search Criteria" and "Search
            Value" fields above the "My Items" tab on the Worklist Tab on
            the right side of the screen.

VES-917
Problem:    Browser Compatibility - Chrome and Edge - On the "My Items"
            subtab of the "Worklist" tab, the "Assign" button is placed
            away from the "Assign Selected Items to" dropdown.
Resolution: Updated code to place the "Assign" button next to the "Assign
            Selected Items to" dropdown menu on the "My Items" subtab of
            the "Worklist" tab.

VES-1297
Problem:    If a user attempts to retransmit an ORU-Z11 message, the
            retransmit attempt fails with the following error message:
            "Unable to retransmit message due to error: Failed to resend a
            message: Failed to build outbound ORUZ11-S message due to an
            exception".
Resolution: Updated code to enable retransmission of the ORU-Z11 message.

VES-1304
Problem:    The "623A Notify Applicant Priority Below EGT Letter" is not
            being sent.
Resolution: Changed the "order-by" in the COM_MAILING_STATUS_DETAIL table.

VES-1849
Problem:    Fortify: Resolve all 1214 code warnings.
Resolution: Executed a separate scan to resolve all files with the same
            filename in different folders.

VES-1850
Problem:    A user is unable to update the "State" on the Personal screen
            as the field is not visible after initially adding the
            address.
Resolution: Updated "updateCountryFields" code so that the "State" field
            is visible on the Personal screen.

VES-1891
Problem:    Fortify: Unreleased Resource: Streams - 14 issues
            Some allocated system resources fail to be released.
Resolution: Analysis found that the allocated resources will be released
            even if an exception occurs.

VES-1892
Problem:    Fortify: Log Forging - 1 issue
            Unvalidated user input could allow forging or injection of
            malicious content into the log.
Resolution: Created a set of legitimate log entries that correspond to
            different events that must be logged, and only allow logging
            of entries from this set (always use server-controlled values
            rather than user-supplied data).

VES-1893
Problem:    Fortify: Key Management: Empty Encryption Key - 1 issue
            Empty encryption keys can compromise security.
Resolution: Updated code so that encryption keys are never empty and are
            obfuscated and managed in an external source.

VES-1894
Problem:    Fortify: Dynamic Code Evaluation: Unsafe Deserialization -
            1 issue
            Deserializing user-controlled object streams at runtime can
            allow attackers to execute arbitrary code on the server, abuse
            application logic, and/or lead to denial of service.
Resolution: Analysis found that the identified class deserializes a file
            input stream for a given class that is available from the
            application classpath; the class file is retrieved from the
            secured and trusted ES server classpath.

VES-1895
Problem:    Fortify: SQL Injection: Hibernate - 10 issues
            An SQL query built using input potentially coming from an
            untrusted source is being invoked.
Resolution: Updated code to mitigate SQL injection risk.

VES-1936
Problem:    Fortify: Null Dereference - 1 issue
            Dereferencing a null pointer can crash the program.
Resolution: Added a null check for the local variable that could be null.

VES-1937
Problem:    Fortify: Dynamic Code Evaluation: Unsafe XStream
            Deserialization - 1 issue
            The XStream library provides the developer with an easy way to
            transmit objects, serializing them to XML documents. However,
            XStream deserialization might enable an attacker to run
            arbitrary Java code on the server.
Resolution: Use a whitelist rather than a blacklist approach so that any
            class allowed in the whitelist is audited to make sure it is
            safe to deserialize.

VES-1960
Problem:    WASA: A2 - Broken Authentication and Session Management.
Resolution: Updated the Cross-Site Scripting (XSS) filter.
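The allow-list logging approach described in the VES-1892 resolution, as an
added example that is not ES project code: every loggable event is a fixed
enum constant with a server-controlled message, and the only caller-supplied
value is an identifier checked against an assumed format (the Event names,
ID_FORMAT and the AuditLog class are illustrative assumptions, not ES
identifiers).

```java
import java.util.logging.Logger;
import java.util.regex.Pattern;

/*
 * Added example, not ES project code: the allow-list logging approach from
 * the VES-1892 resolution. Event names, ID_FORMAT and the class name are
 * assumptions chosen for illustration.
 */
public final class AuditLog {

    /* The closed set of events that may be written to the log. The message
     * text is fixed at compile time, so caller-supplied text is never logged
     * verbatim. */
    public enum Event {
        PERSON_SEARCH("person search performed"),
        RECORD_VIEW("person record viewed"),
        RECORD_UPDATE("person record updated"),
        LOGIN_FAILURE("login failed");

        private final String message;

        Event(String message) { this.message = message; }

        public String message() { return message; }
    }

    private static final Logger LOG = Logger.getLogger(AuditLog.class.getName());

    /* Assumed format for the one variable field: digits only, bounded length.
     * Anything containing a line break or other control character cannot match. */
    private static final Pattern ID_FORMAT = Pattern.compile("[0-9]{1,16}");

    private AuditLog() { }

    /* Forgeable form, kept only for contrast: a line break inside userInput
     * ends the real entry, and whatever follows is written to the log as if
     * it were a separate, genuine entry. */
    static String forgeableEntry(String userInput) {
        return "user action: " + userInput;
    }

    /* Hardened form: the caller picks an Event from the closed set, and the
     * only variable data is an identifier that must match ID_FORMAT. A value
     * that does not match is replaced by a fixed marker, so the entry always
     * stays on one line and consists of server-controlled text. */
    public static String safeEntry(Event event, String recordId) {
        boolean valid = recordId != null && ID_FORMAT.matcher(recordId).matches();
        String id = valid ? recordId : "<rejected-id>";
        return event.message() + " id=" + id;
    }

    public static void log(Event event, String recordId) {
        LOG.info(safeEntry(event, recordId));
    }

    public static void main(String[] args) {
        /* Constructed input: a record id followed by a line break and extra text. */
        String input = "12345\nINFO: login succeeded";
        System.out.println(forgeableEntry(input));               // spans two lines
        System.out.println(safeEntry(Event.RECORD_VIEW, input)); // one line, id rejected
        log(Event.RECORD_VIEW, "12345");                         // well-formed id accepted
    }
}
```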
VES-1961
Problem:    WASA: A5 - Security Misconfiguration
Resolution: Enabled Cross Site Request Forgery (CSRF) Guard, updated build
            files and fixed Java Server Pages (JSPs).

VES-4603
Problem:    Fortify: Path Manipulation - 2 issues
            Attackers are able to control a file system path argument,
            which allows them to access or modify otherwise protected
            files.
Resolution: Updated code to ensure that the user has no control over the
            path that is provided to the input stream.

VES-4604
Problem:    Fortify: Server-Side Request Forgery - 6 issues
            If data is retrieved from an external system, then it must be
            validated.
Resolution: Updated code to check if provided IDs are in the expected
            format and match that of one of the documents associated with
            the current record.

VES-4605
Problem:    Fortify: Log Forging - 10 issues
            Unvalidated user input to the log could enable forging of log
            entries or injection of malicious content into the log.
Resolution: Updated code to prevent unvalidated user input to the log.

VES-4606
Problem:    Fortify: Null Dereference - 4 issues
            Dereferencing a null pointer can crash the system.
Resolution: Updated code to remove null dereferences.

VES-4607
Problem:    Fortify: Unreleased Resource: Streams - 6 issues
            Some allocated system resources are failing to be released.
Resolution: Updated code to allow release of the allocated system
            resources.

VES-4608
Problem:    Fortify: Unreleased Resource: Files
            Allowed files are sometimes failing to be released.
Resolution: Updated code to release the allowed files.

VES-4609
Problem:    Fortify: Portability Flaw: Locale Dependent Comparison
Resolution: Analysis found that there is no longer a flaw in
            ContactInformationInputParameter.java.

VES-4610
Problem:    Fortify: Dynamic Code Evaluation: Unsafe Deserialization
Resolution: Removed "Sys" statement to enable safe deserialization.

VES-4611
Problem:    Fortify: Unresolved Scan Issues: ES_HECMS_ui_web_admin
Resolution: Resolved all scan issues in file ES_HECMS_ui_web_admin.
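The whitelist approach named in the VES-1937 resolution, as an added example
that is not ES project code: the XStream instance starts from a deny-all
permission set and allows only audited types, so any document naming a type
outside that list is refused before the type is instantiated (PersonSummary,
the alias and the XML strings are constructed stand-ins, not ES classes or
messages).

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/*
 * Added example, not ES project code: the whitelist approach from the
 * VES-1937 resolution. PersonSummary and the XML strings are constructed
 * stand-ins for illustration.
 */
public final class SafeXStream {

    /* Hypothetical payload type; the only application class the parser may build. */
    public static final class PersonSummary {
        public String icn;
        public String lastName;
    }

    private SafeXStream() { }

    /* Builds an XStream that denies every type by default and then allows only
     * the types that have been reviewed. Adding a class to this list is a code
     * change that goes through review, which is what makes the list auditable. */
    public static XStream newRestrictedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // deny all, clearing defaults
        xstream.addPermission(NullPermission.NULL);                // allow null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // primitives and wrappers
        xstream.allowTypes(new Class[] { String.class, PersonSummary.class });
        xstream.alias("person", PersonSummary.class);
        return xstream;
    }

    /* Returns the parsed record, or null when the document names a type that is
     * not on the whitelist; the refused type is never instantiated. */
    public static PersonSummary parse(String xml) {
        try {
            return (PersonSummary) newRestrictedXStream().fromXML(xml);
        } catch (ForbiddenClassException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        /* Constructed sample message that uses only whitelisted types. */
        String allowed = "<person><icn>1000000000V000000</icn><lastName>DOE</lastName></person>";
        PersonSummary p = parse(allowed);
        System.out.println("parsed lastName=" + p.lastName);

        /* Constructed document naming a JDK type that is not on the whitelist. */
        String refused = "<java.util.HashMap/>";
        System.out.println("non-whitelisted type parsed as: " + parse(refused));
    }
}
```

In production code the refused case should be treated as a rejected message
and logged through the fixed-entry logger rather than silently mapped to null.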
VES-4612
Problem:    Fortify: Unreleased Resource: Sockets: ES_WS_Webserv
Resolution: Updated code to release the Sockets: ES_WS_Webserv resource.

VES-4613
Problem:    Fortify: Unresolved Scan Issues: ES_WS_Webserv
Resolution: Resolved all scan issues in file ES_WS_Webserv.

VES-5553
Problem:    Access Controls - Elevated Privileges
            The ability to edit a user profile is currently requiring
            administrator capability instead of just the single "edit user
            profile" capability.
Resolution: Implementation corrected so that the ability to edit a user
            profile requires only the existing "edit user profile"
            capability.

VES-5752
Problem:    Section 508: Some fields on Schedule Reports screens are not
            read as "Required" by Job Access With Speech (JAWS).
Resolution: Fixed the Generate Report, Day to Generate Report, and Time to
            Generate Report fields to be read as "Required" by JAWS.

VES-5897
Problem:    Fortify: Privacy Violation - 52 issues
            Confidential information is being mishandled.
Resolution: Analysis found that the confidential information is being
            handled properly; the reported class is using a Business
            Entity class and not the "CCNFileData" class as reported.

VES-5898
Problem:    Fortify: Privacy Violation: Heap Inspection - 30 issues
            Sensitive data is being stored in such a way that it cannot be
            reliably purged from memory.
Resolution: Analysis found that the instances identified are sensitive
            data. They are Enum values which are set to private variables.

VES-5899
Problem:    Fortify: Race Condition: Singleton Member Field - 3 issues
            Certain classes are singletons, so the member fields are shared
            between users; the result is that one user could see another
            user's data.
Resolution: Analysis found that the reported classes are not singleton
            classes; this rule does not apply to their members being
            shared between users.
VES-6767
Problem:    Changing a preferred facility to a new station that has never
            been assigned before does not create a new assignment date; it
            is inheriting the facility assignment date from the previously
            assigned record.
Resolution: Updated code to set the assignment date to the system date
            when a new preferred facility is added.

VES-6912
Problem:    Fortify: Unvalidated input into JavaScript Object Notation
            (JSON) could allow an attacker to inject arbitrary elements or
            attributes into the JSON entity.
Resolution: Analysis found that JSON is created by ES; attributes are
            generated from the Java classes within ES, not from user
            input.

Test Sites:
-----------
Health Eligibility Center (HEC)

Software and Documentation Retrieval Instructions:
----------------------------------------------------
Documentation describing the new functionality is included in this
release.

Documentation can be found on the VA Software Documentation Library at:
https://www.domain.ext/vdl/.

Documentation can also be obtained at
https://download.vista.domain.ext/index.html/SOFTWARE.

Documentation Title                         File Name
------------------------------------------------------------
ES 5.13 Release Notes                       ES_5_13_RN.PDF
ES 5.13 User Guide                          ES_5_13_UG.PDF

Patch Installation:
-------------------
ES will be installed at the Austin Information Technology Center (AITC).

****** This is an informational patch ONLY.      ******
****** There is NO install to be done by sites.  ******

Pre/Post Installation Overview:
-------------------------------
N/A

Pre-Installation Instructions:
------------------------------
N/A

Installation Instructions:
--------------------------
ES will be installed at the AITC only.

****** This is an informational patch ONLY.      ******
****** There is NO install to be done by sites.  ******

Post-Installation Instructions:
-------------------------------
N/A

Routine Information:
====================
No routines included.
=============================================================================
User Information:
Entered By  :                                 Date Entered  : JUN 22, 2020
Completed By:                                 Date Completed: SEP 08, 2020
Released By :                                 Date Released : SEP 08, 2020
=============================================================================

Packman Mail Message:
=====================
No routines included