=============================================================================
Run Date: APR 06, 2023                      Designation: MAG*3*314
Package : MAG - IMAGING                     Priority: Mandatory
Version : 3         SEQ #239                Status: Released
                    Compliance Date: MAY 08, 2023
=============================================================================

Associated patches: (v)MAG*3*324   <<= must be installed BEFORE
                    `MAG*3*314'

Subject: VISTA IMAGING - VistA Imaging Hybrid DICOM Image Gateway (HDIG)
         Maintenance

Category:
  - Routine

Description:
============

MAG*3.0*314 addresses Authority to Operate (ATO) remediations for Java
and issues highlighted by Fortify scans.

Defect(s):
----------
1. INC25377972/HDSO-3108 - Issue with Apache stopping and starting ever
   since patch 324 update.
   INC25492627/HDSO-3115 - Apache freezing and Importer III
   creating/splitting up single exams into multiple ones.

Adaptive Maintenance:
---------------------
1. HDSO-2234 - Addressed NULL reference and Access Specifier Manipulation
   issues in response to Fortify scan findings.
2. HDSO-1174 - Upgrade Java to 8u331 for ATO compliance.
3. INC25005359/HDSO-2681 - Instructions needed to Set Memory pool on HDIG
   Server.

Patch Components:
-----------------

Files & Fields Associated:

File Name (Number)         Field Name (Number)     New/Modified/Deleted
------------------         -------------------     --------------------
N/A

Forms Associated:

Form Name                  File Number             New/Modified/Deleted
---------                  -----------             --------------------
N/A

Mail Groups Associated:

Mail Group Name            New/Modified/Deleted
---------------            --------------------
N/A

Options Associated:

Option Name                Type                    New/Modified/Deleted
-----------                ----                    --------------------
N/A

Protocols Associated:

Protocol Name              New/Modified/Deleted
-------------              --------------------
N/A

Security Keys Associated:

Security Key Name
-----------------
N/A

Templates Associated:

Template Name      Type    File Name (Number)      New/Modified/Deleted
-------------      ----    ------------------      --------------------
N/A

Remote Procedures Associated:

Remote Procedure Name      New/Modified/Deleted
---------------------      --------------------
N/A

Parameter Definitions Associated:

Parameter Name             New/Modified/Deleted
--------------             --------------------
N/A

Additional Information:
-----------------------
N/A

Blood Bank Team Coordination:
N/A

New Service Requests (NSRs):
N/A

Patient Safety Issues (PSIs):
N/A

Defect Tracking System Ticket(s) & Overview:
--------------------------------------------
1. INC25377972 - Issue with Apache stopping and starting ever since patch
   324 update.
   INC25492627 - Apache freezing and Importer III creating/splitting up
   single exams into multiple ones.

   Problem:
   --------
   It was discovered that there was a byte[65535] array filled with "0"
   being created repeatedly that the garbage collector was not destroying.
   This showed that the site was having a memory leak. The problem was
   isolated to the object 'jcifs.CIFSContext'. Only
   'SMBStorageUtility.java', which resides in the 'VistaStorage' Java
   project, invokes 'jcifs.CIFSContext' twice, specifically in the
   SmbStorageUtility.getSmbFile() method. This object has a close() method
   that is never called.

   Resolution:
   -----------
   Added a close() method for each of the jcifs.CIFSContext objects at the
   end of the method. The baseContextWrapper.close() and
   contextWithCred.close() methods resolved the memory leak.

Adaptive Maintenance Tracking System Ticket(s) & Overview:
----------------------------------------------------------
1. HDSO-2234 - Addressed NULL reference and Access Specifier Manipulation
   issues in response to Fortify scan findings.

   Description:
   ------------
   A. NULL reference issue
      Fortify application found the following issue which affected 4
      files: NULL pointer dereference is occurring when the application
      dereferences a pointer that it expects to be valid, but is NULL,
      typically causing a crash or exit.

   B. Access Specifier Manipulation issue
      Fortify application also found the following issue which affected
      1 file: The AccessibleObject API allows the programmer to get around
      the access control checks provided by Java access specifiers. It
      enables the programmer to allow a reflected object to bypass Java
      access controls and in turn change the value of private fields or
      invoke private methods, behaviors that are normally disallowed.

   Resolution:
   -----------
   Fixed both categories of issues that were found on Fortify scan:

   A. NULL reference/dereference:
      NULL Dereference was repaired by adding NULL checks before using
      variables identified as issues.

   B. Access Specifier Manipulation:
      Access Specifier Manipulation issue was addressed by changing from
      setAccessible(accessible) to
      setAccessible(new AccessibleObject[] {field}, accessible)
      as recommended by Fortify, which resolved the issue.

2. HDSO-1174 - Upgrade Java to 8u331 for ATO compliance

   Description:
   ------------
   Upgrade HDIG Java version from 8u281 to 8u331 to meet current ATO
   compliance requirements.

   Note: During MAG*3.0*314T2 testing, the following issue was found which
   this patch also addresses:
   "HDIG is giving the error "Transformer Exception: /nJAXP0801003: the
   compiler encountered XPath expressions with an accumulated '10,003'
   operators that exceeds the '10,000' limit set by
   'FEATURE_SECURE_PROCESSING'."

   Resolution:
   -----------
   In accordance with ATO compliance requirements, Java 8u281 was updated
   to Java 8u331. Also updated Tomcat 9 "Java Options" settings to resolve
   the error found in previous testing.

3. INC25005359/HDSO-2681 - Instructions needed to Set Memory pool on HDIG
   Server.

   Problem:
   --------
   There was no default memory pool, as it depended on the allocated size
   per the DIG server, as well as existing applications that were running
   on it.

   Resolution:
   -----------
   The available memory in the server is now checked during HDIG
   installation and set programmatically. Memory is then allocated
   dynamically without the previous need for manual setting. The initial
   memory pool is set to 25% of memory allocated to the server and the
   maximum memory pool is set to 70%.

Test Sites:
-----------
VA Milwaukee Healthcare System (Milwaukee, WI)
Northampton VAMC (Northampton, MA)

Software and Documentation Retrieval Instructions:
--------------------------------------------------
The software for this patch is being released using a host file.

The host file is available at the following location:
/srv/vista/patches/SOFTWARE/MAG3_0P314.KID

Other Software Files:
This release also includes other software files. These files can be
obtained by accessing the URL:
https://download.vista.domain.ext/index.html/SOFTWARE

File Title                              File Name
------------------------------------------------------------------------
Kernel Installation and                 MAG3_0P314.KID
Distribution System (KIDS)
build for MAG*3.0*314

Hybrid DICOM Gateway                    MAG3_0P314_HDIG_SETUP.MSI
Installation File

Documentation describing the new functionality is included in this
release.
Documentation can be found on the VA Software Documentation Library at:
https://www.domain.ext/vdl/.
Documentation can also be obtained at
https://download.vista.domain.ext/index.html/SOFTWARE

Documentation Title                     File Name
------------------------------------------------------------------------
Patch Description for MAG*3.0*314       MAG3_0P314_PATCH_DESCRIPTION.PDF
Deployment, Installation, Back-Out,     MAG3_0P314_DIBORG.PDF
and Rollback Guide

Supported Client Versions:
--------------------------
When MAG*3.0*314 is released, the list of supported versions of HDIG will
change:

Client Versions Supported:
--------------------------
3.0.314
3.0.324
3.0.302

Client Versions No Longer Supported:
------------------------------------
3.0.273
3.0.257
3.0.239

Pre/Post Installation Overview:
-------------------------------
MAG*3.0*314 must be installed on the VistA System and on 64-bit HDIG
servers. This patch must be installed by the compliance date.

All sites running VistA Imaging 3.0 must install the KIDS portion of this
patch. This patch can be loaded while the VistA Imaging System is active,
and users are on the system. Installing the MAG*3.0*314 KIDS takes 2-5
minutes.

The HDIG Client install requires .NET version of 4.6.2 or later.

NOTES:
1. To avoid losing configuration changes, sites with a modified HDIG
   Listen file will need to save a copy of the file before installing this
   patch. After the installation is complete, restore the Listen file and
   restart the Tomcat service. The location of the Listen file is here:
   C:\DCF_RunTime_x64\cfg\apps\defaults.

2. To avoid losing configuration changes in the
   PeriodicCommandsConfiguration.config file, sites with a modified
   PeriodicCommandsConfiguration.config file will need to save a copy of
   the file before installing this patch. The location of the
   PeriodicCommandsConfiguration.config file is here: C:\VixConfig.

3. There is a known issue when multiple Java versions are present on the
   HDIG system, so this is not recommended.
   Please follow the steps below before installing MAG*3.0*314
   (MAG3_0314_HDIG_Setup.msi) client.
   a. Stop all Legacy DICOM Gateway processing windows.
   b. Go to services and stop Apache Tomcat service.
   c. Go to Control Panel and uninstall the existing Java version 8u281
      [Java 8 Update 281 (64-bit)]
   d. Go to Control Panel and uninstall the current HDIG Installation
      Wizard.
   e. Restart server manually.

Installation Instructions:
--------------------------
1. Use the Load a Distribution option contained on the Kernel Installation
   and Distribution System Menu to load the Host file. When prompted to
   "Enter a Host File:" enter
   srv/vista/patches/SOFTWARE/MAG3_0P314.KID

2. From the Kernel Installation and Distribution System Menu, select the
   Installation Menu. From this menu:

   A. Select the Verify Checksums in Transport Global option to confirm
      the integrity of the routines that are in the transport global.
      When prompted for the INSTALL NAME, enter the patch or build name
      (ex.).

      NOTE: Using will not bring up a Multi-Package build even if it was
      loaded immediately before this step. It will only bring up the last
      patch in the build.

   B. Select the Backup a Transport Global option to create a backup
      message. You must use this option and specify what to backup; the
      entire Build or just Routines. The backup message can be used to
      restore the routines and components of the build to the pre-patch
      condition.

      i.   At the Installation option menu, select Backup a Transport
           Global
      ii.  At the Select INSTALL NAME prompt, enter your build MAG*3*314
      iii. When prompted for the following, enter "R" for Routines or "B"
           for Build.

           Select one of the following:

                B         Build
                R         Routines

           Enter response: Build

      iv.  When prompted "Do you wish to secure this message? NO//", press
           and take the default response of "NO".
      v.   When prompted with, "Send mail to: Last name, First Name",
           press to take default recipient. Add any additional recipients.
      vi.  When prompted with "Select basket to send to: IN//", press and
           take the default IN mailbox or select a different mailbox.
      vii. Repeat step ii for each build in the host file.

   C. You may also elect to use the following options:

      i.   Print Transport Global - This option will allow you to view the
           components of the KIDS build.
      ii.  Compare Transport Global to Current System - This option will
           allow you to view all changes that will be made when this patch
           is installed. It compares all components of this patch, such as
           routines, DDs, templates, etc.

   D. Select the Install Package(s) option and choose the patch to
      install.

      i.   If prompted 'Want KIDS to Rebuild Menu Trees Upon Completion of
           Install?', answer NO.
      ii.  When prompted 'Want KIDS to INHIBIT LOGONs during the
           install?', answer NO.

Installing and Updating the HDIG:
---------------------------------
For installing or updating the HDIG, refer to the Hybrid DICOM Image
Gateway (HDIG) Installation Guide.

Post-Installation Instructions:
-------------------------------
Verify the initial memory pool is set to 25% of the total memory allocated
to the server and the maximum memory pool is set to 70% of total memory.

Verify that these entries are not listed in the Java options:
   -XmsXXXXM
   -XmxXXXXM
   -XX:PermSize=XXXM
   -XX:MaxPermSize=XXXXM
If they are still present, these entries should be removed.

Note: These instructions run counter to the current HDIG Installation
Guide, which is still in the process of being updated.

Back-Out/Roll Back Plan:
------------------------

Uninstalling the Application:
-----------------------------
For installing or updating the HDIG, refer to the Hybrid DICOM Image
Gateway (HDIG) Installation Guide (Previous Patch: MAG*3.0*324).

Note: When uninstalling MAG*3.0*314, remove Java version 8u331, as patch
MAG*3.0*324 is not compatible with this version. MAG*3.0*324 installation
includes the correct version of Java.

KIDS Uninstall:
----------------
If it is necessary to uninstall the MAG*3.0*314 VistA KIDS, the patch
backup must be installed. The Kernel Installation & Distribution System
menu option, Backup a Transport Global should have been used to create a
patch backup of the build prior to installing the patch. (see Installation
Steps section, step 2b).

Administrators will need to check MailMan for the backup message sent by
the Backup a Transport Global function executed prior to the patch
install. The patch backup must first be loaded from the MailMan backup
message, by performing the message action Xtract KIDS, followed by the
PackMan function INSTALL/CHECK MESSAGE. The patch may then be installed
using the Install Package(s) option in the KIDS Installation menu.

1. Navigate to the Mailman inbox containing the patch backup message.

   a. Select the MAG*3.0*314 backup message as shown below:
      * Backup of MAG*3.0*314 install on
   b. At the "Enter message action:" prompt, select the Xtract PackMan
      option.
   c. At the "Select PackMan function:" prompt, select the Install/Check
      Message option.
   d. Enter Yes at the prompt "OK to continue with Load?"

2. Navigate to the Kernel Installation and Distribution System Menu and
   select the Installation Menu. From this menu:

   a. Select the Install Package(s) option and choose the patch to
      install.

      i.   If prompted 'Want KIDS to Rebuild Menu Trees Upon Completion of
           Install? NO//', answer NO.
      ii.  When prompted 'Want KIDS to INHIBIT LOGONs during the install?
           NO//', answer NO.
      iii. When prompted 'Want to DISABLE Scheduled Options, Menu Options,
           and Protocols? NO//', answer NO.
      iv.  When prompted 'Delay Install (Minutes): (0 - 60): 0//', answer
           0.

Example, Loading Patch Backup (Build)
--------------------------------------------
IN Basket, 1504 messages (1-1847), 427 new
*=New/!=Priority.......Subject.........................From..............
1847. Backup of MAG*3.0*314 on Dec 02, 2022

IN Basket Message: 1842// 1847

Subj: Backup of MAG*3.0*314 on Dec 02, 2022 [#305565] 12/02/22@15:35
321 lines
From: In 'IN' basket. Page 1
-----------------------------------------------------------------------------
$TXT Created by at MBOXCACHE.FO-BIRM.DOMAIN.EXT (KIDS) on Friday, 12/02/22
at 15:35

Warning: Installing this backup patch message will install older versions
of routines and Build Components (options, protocols, templates, etc.).
Please verify with the Development Team that it is safe to install.
$END TXT
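
Added example (not part of the patch, the HDIG installer, or the VA
documentation): one way to script the check in the Post-Installation
Instructions above, covering the 25%/70% memory pool values and the Java
options that must no longer be present. Assumptions: the function names, the
1 MB rounding tolerance, and the sample values are constructed here, and the
administrator supplies the pool sizes and the Java options text as read from
the Tomcat service configuration.

```python
import re

# Heap/PermGen entries the Post-Installation Instructions say must not remain
# in the Java options (-XmsXXXXM, -XmxXXXXM, -XX:PermSize=, -XX:MaxPermSize=).
FORBIDDEN = re.compile(r"^-(Xms|Xmx|XX:PermSize=|XX:MaxPermSize=)\d+[kKmMgG]?$")

def forbidden_options(java_options):
    """Return the option lines that hard-code heap or PermGen sizes."""
    lines = (line.strip() for line in java_options.splitlines())
    return [line for line in lines if FORBIDDEN.match(line)]

def expected_pools_mb(total_mb):
    """Initial pool = 25% and maximum pool = 70% of server memory, in MB."""
    return total_mb * 25 // 100, total_mb * 70 // 100

def verify(total_mb, initial_mb, maximum_mb, java_options, tolerance_mb=1):
    """Return a list of findings; an empty list means the check passed.

    tolerance_mb is an assumption: the page does not say how the installer
    rounds the percentages, so a 1 MB difference is accepted.
    """
    findings = []
    want_initial, want_maximum = expected_pools_mb(total_mb)
    if abs(initial_mb - want_initial) > tolerance_mb:
        findings.append(f"initial pool {initial_mb} MB, expected about {want_initial} MB")
    if abs(maximum_mb - want_maximum) > tolerance_mb:
        findings.append(f"maximum pool {maximum_mb} MB, expected about {want_maximum} MB")
    findings += [f"remove Java option {opt}" for opt in forbidden_options(java_options)]
    return findings

# Constructed sample: a 16384 MB server whose Java options still carry
# fixed sizes left over from an earlier manual configuration.
SAMPLE_OPTIONS = """\
-Dexample.setting=value
-Xms512M
-Xmx2048M
-XX:MaxPermSize=256M
"""

if __name__ == "__main__":
    for finding in verify(16384, 4096, 2048, SAMPLE_OPTIONS):
        print(finding)
```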