=============================================================================
Run Date: NOV 22, 2023                     Designation: MAG*3*345
Package : MAG - IMAGING                    Priority: Mandatory
Version : 3        SEQ #249                Status: Released
                   Compliance Date: DEC 28, 2023
=============================================================================

Associated patches: (v)MAG*3*314   <<= must be installed BEFORE `MAG*3*345'
                    (v)MAG*3*172   <<= must be installed BEFORE `MAG*3*345'
                    (v)MAG*3*332   <<= must be installed BEFORE `MAG*3*345'

Subject: VISTA IMAGING - HYBRID DICOM IMAGE GATEWAY (HDIG) DEFECTS AND
         MAINTENANCE

Category:
  - Routine
  - Other

Description:
============

MAG*3.0*345 provides fixes to Hybrid DICOM Image Gateway (HDIG).

This patch addresses the following defects:

Defect(s):
==========
1. HDSO-1172/INC19052620
   HDSO-1171/INC19770181 - HDIG rejects the image as a duplicate when users
   attempt to store a new SOP class image that was previously deleted from
   the VistA storage location.

2. HDSO-1305/INC16991544
   HDSO-1306/INC17199836 - HDIG does not process images with Illegal Series
   and SOP Instance UIDs

3. HDSO-720/INC23738137 - HDIG unable to process certain images, due to SOP
   Instance error.

Adaptive Maintenance:
=====================
1. HDSO-724/INC23671534 - Laurel Bridge DCF Toolkit upgrade to 3.3.68C,
   HDSO-1176              making the DCF Toolkit TRM compliant

2. HDSO-1173 - HDIG New Style Communication for RPC Broker implementation

3. HDSO-1170 - Modifications to remove vulnerabilities from default,
   VA-implemented error page, default index page, example JSPs, etc.

4. HDSO-4194 - Fortify Scan identified several security vulnerabilities.

5. HDSO-5625 - Laurel Bridge 3.3.68C license activation

Patch Components:
-----------------

Files & Fields Associated:

File Name (Number)      Field Name (Number)     New/Modified/Deleted
------------------      -------------------     --------------------
N/A

Forms Associated:

Form Name       File Number     New/Modified/Deleted
---------       -----------     --------------------
N/A

Mail Groups Associated:

Mail Group Name         New/Modified/Deleted
---------------         --------------------
N/A

Options Associated:

Option Name     Type    New/Modified/Deleted
-----------     ----    --------------------
N/A

Protocols Associated:

Protocol Name   New/Modified/Deleted
-------------   --------------------
N/A

Security Keys Associated:

Security Key Name
-----------------
N/A

Templates Associated:

Template Name   Type    File Name (Number)      New/Modified/Deleted
-------------   ----    ------------------      --------------------
N/A

Remote Procedures Associated:

Remote Procedure Name   New/Modified/Deleted
---------------------   --------------------
N/A

Parameter Definitions Associated:

Parameter Name  New/Modified/Deleted
--------------  --------------------
N/A

Additional Information:
-----------------------

Blood Bank Team Coordination: N/A

New Service Requests (NSRs): N/A

Patient Safety Issues (PSIs): N/A

Defect Tracking System Ticket(s) & Overview:
--------------------------------------------

1. HDSO-1172/INC19052620
   HDSO-1171/INC19770181 - HDIG rejects the image as a duplicate when users
   attempt to store a new SOP class image that was previously deleted from
   the VistA storage location.

Problem:
--------
When a user attempts to store a new SOP class image that was previously
deleted from the VistA storage location, HDIG rejects the image as a
duplicate. Display of the deleted image information in the VistA Image
Instance File (2005.65) shows "STATUS: INACCESSIBLE and (the image is "NOT
ON FILE)".

Resolution:
-----------
Modified the entry point of Remote Procedure Calls (RPCs) listed below to
check the STATUS of the UIDs (STUDY, SERIES, and SOP).
If the STATUS is "INACCESSIBLE", the RPCs will return a status of '0' to
indicate there are no matches found in VistA. HDIG will then process the
images as if they were new, without rejecting the images. No changes to the
SOP Instance UID, just another set of images entering the database.

NOTE: The RPC definition has not changed and is therefore not exported in
the patch.

Remote Procedure Call (RPC):    Entry Point:
----------------------------    ------------
MAGV STUDY UID CHECK            STUDY^MAGVUID
MAGV SERIES UID CHECK           SERIES^MAGVUID
MAGV SOP UID CHECK              SOP^MAGVUID

2. HDSO-1305/INC16991544 - HDIG does not process images with Illegal Series
   and SOP Instance UIDs
   HDSO-1306/INC17199836 - Duplicate of HDSO-1305/INC16991544.

Problem:
--------
When a study comes in with an illegal Series and SOP Instance UID, new UIDs
are generated correctly. However, if the rejectDuplicates flag is set to
true in the C:\vixconfig\DicomServerConfiguration.config file, the HDIG
processes the first image correctly but rejects the rest of the study as
duplicates. The rejected images have the same Series UID but different SOP
Instance UIDs, so they should be accepted.

Resolution:
-----------
Modified the entry point of the RPCs listed below and the Java code to
properly separate an illegal Instance UID from a duplicate Instance UID.
An illegal Instance UID is no longer treated the same as a duplicate
Instance UID.

NOTE: The RPC definition has not changed and is therefore not exported in
the patch.

Remote Procedure Call (RPC):    Entry Point:
----------------------------    ------------
MAGV STUDY UID CHECK            STUDY^MAGVUID
MAGV SERIES UID CHECK           SERIES^MAGVUID

3. HDSO-720/INC23738137 - HDIG unable to process certain images, due to SOP
   Instance error.

Problem:
--------
HDIG is unable to process images with SOP Class 1.2.840.10008.5.1.4.1.1.9.
An example:
"Error or Exception: /nIOD Validation does not know this SOP Class:
1.2.840.10008.5.1.4.1.1.9"

Resolution:
-----------
Added the SOP Class definition to the DicomIODDescriptionsSource.xml for
the missing SOP Class. This file is used for the SOP Class DICOM Object IOD
Validation process.

Adaptive Maintenance Tracking System Ticket(s) & Overview:
----------------------------------------------------------

1. HDSO-724/INC23671534
   HDSO-1176 - Laurel Bridge DCF Toolkit upgrade to 3.3.68C, making the DCF
   Toolkit TRM compliant

Problem:
--------
Laurel Bridge DCF Toolkit upgrade from 3.3.40c to 3.3.68c is necessary to
meet current TRM compliance requirements.

Resolution:
-----------
In accordance with TRM compliance requirements, the DCF Toolkit was updated
to 3.3.68C.

2. HDSO-1173 - HDIG New Style Communication for RPC Broker

Problem:
--------
HDIG is using only the old-style VistA RPC Broker (where VistA calls back
to a different port on the client workstation when making a connection).

Resolution:
-----------
The purpose of this work item is to implement the new-style RPC Broker.

- Modified NewRPCBroker.java to add more debug lines wrapping around RPC
  calls.
- Modified VistaConnection.java to successfully control sockets. Left the
  Fortify changes in place.
- Modified VistaQuery.java to properly support ARRAY parameters for the
  VistaQuery.buildNewStyleMessage() method. Ran multiple tests with
  successful results while using the new-style RPC Broker.
- Modified code in the VistaQuery.buildNewStyleMessage() method. Converted
  to using StringBuffer for string building to increase performance.
- Added a unit test to validate that a message is built in under a second.
  The unit test originally took over 8 seconds. It now takes approximately
  25 milliseconds.

3. HDSO-1170 - Modifications to remove vulnerabilities from default error
   page, default index page, example JSPs, etc.
Problem:
--------
Within the HDIG application, HDIGManagementWebApp, JmxWebApp, and
VixServerHealthWebApp web applications, the default error page, default
index page, example JSPs and/or example servlets were able to expose Tomcat
server information. These files should be removed from these web
applications as they may help an attacker uncover information about the
Tomcat install or host itself.

NOTE: The default error page, default index page, example JSPs and/or
example servlets that are installed by Apache Tomcat at the root level will
be removed in a subsequent patch. These files should be removed as they may
help an attacker uncover information about the remote Tomcat install or
host itself.

Resolution:
-----------
Default index.jsp index pages were removed and default error.jsp error
pages were added to hide Tomcat version information within the HDIG web
applications HDIGManagementWebApp, JmxWebApp, and VixServerHealthWebApp.
The "web.xml" file was updated to handle default error cases.

4. HDSO-4194 - Fortify Scan identified several security vulnerabilities.

Problem:
--------
Fortify Scan identified the following security vulnerabilities:

A. XML External Entity Injection: There is code with XML input that needs
   to be parsed. Application needs to prevent XML External Entity
   Injection.

B. File Path Manipulation: The value of file path saved in the code can be
   manipulated.

C. Unreleased Resource Streams: Fortify scan identified Unreleased Resource
   Streams, where a stream is opened and needs to be closed in all cases to
   prevent vulnerability or unauthorized reading of private data.

Resolution:
-----------
A. XML External Entity Injection: Code containing XML input is processed to
   prevent external entity injection.

B. File Path Manipulation: Sanitized the file path using Apache commons-io
   library. There is code which filters file path to ensure only a certain
   set of safe characters are allowed.

C. Unreleased Resource Streams: Declared a variable to store stream outside
   of try/catch to ensure the stream is always closed at the end of
   function, and a call to close the stream is ensured in a
   try/catch/finally statement.

5. HDSO-5625 - Laurel Bridge 3.3.68C license activation

Problem:
--------
When installing the HDIG application, users were unable to activate the
Laurel Bridge license. The following errors were displayed.

Automatic Activation
  Request Failed: Error: sun.security.validator.ValidatorException: PKIX
  path building failed:
  sun.security.provider.certpath.SunCertPathBuilderException: unable to
  find valid certification path to requested target
  PKIX path building failed:
  sun.security.provider.certpath.SunCertPathBuilderException: unable to
  find valid certification path to requested target

Manual Activation
  Manual activation failed: Error: License invalid after adding activation
  code: XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX
  Invalid license - unable to start.
  Error validating activation code: Invalid activation code: Decode error 2
  Current value for DCF_CFG = C:\DCF_RunTime_x64\cfg

A workaround was put in place to manually import a missing security
certificate prior to the activation step.

Resolution:
-----------
Fixed the issue with the HDIG install Laurel Bridge activation to
automatically import the missing security certificate so that the server
can communicate with the Laurel Bridge web site.
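
The three Fortify remediations described under HDSO-4194 above, sketched with JDK classes only. This is an added example, not code from the HDIG source: the class and method names are hypothetical, the JDK allow-list plus containment check stands in for the Apache commons-io sanitization the patch uses, and try-with-resources stands in for the explicit finally block.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedConfigLoader { // hypothetical class, not part of HDIG

    // A. XXE: forbid DOCTYPE declarations so no entity can be declared at all.
    static Document parseUntrusted(InputStream in)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(in);
    }

    // B. File path: allow-list of safe characters, then a containment check.
    static Path resolveUnder(Path baseDir, String fileName) {
        // First character may not be '.', which also excludes "." and "..".
        if (!fileName.matches("[A-Za-z0-9_-][A-Za-z0-9._-]{0,127}")) {
            throw new IllegalArgumentException("unsafe file name");
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path resolved = base.resolve(fileName).normalize();
        if (!resolved.startsWith(base)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return resolved;
    }

    // C. Streams: try-with-resources closes the stream on every exit path,
    //    the same guarantee as closing it in a finally block.
    static Document load(Path baseDir, String fileName) throws Exception {
        try (InputStream in = Files.newInputStream(resolveUnder(baseDir, fileName))) {
            return parseUntrusted(in);
        }
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("cfgdemo"); // constructed sample data
        Files.write(dir.resolve("ok.xml"),
                "<cfg><port>104</port></cfg>".getBytes(StandardCharsets.UTF_8));
        System.out.println("root=" + load(dir, "ok.xml").getDocumentElement().getNodeName());

        // Constructed input carrying a DOCTYPE with an external entity declaration.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE cfg [<!ENTITY e SYSTEM "
                + "\"file:///constructed/example\">]><cfg>&e;</cfg>";
        try {
            parseUntrusted(new ByteArrayInputStream(withDoctype.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXException ex) {
            System.out.println("DOCTYPE rejected: " + ex.getMessage());
        }
        try {
            load(dir, "../ok.xml"); // fails the allow-list before any file access
        } catch (IllegalArgumentException ex) {
            System.out.println("path rejected: " + ex.getMessage());
        }
    }
}
```
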
Test Sites:
-----------
VA Tampa Health Care (Tampa, FL)
Milwaukee VAMC (Milwaukee, WI)
VA Central Western Massachusetts Health Care (Leeds, MA)
VA Northern California Health Care (Martinez, CA)

Test Sites - SNOW Change Order #:
VA Tampa Health Care (Tampa, FL): CHG0393283
Milwaukee VAMC (Milwaukee, WI): CHG0393172
VA Central Western Massachusetts Health Care (Leeds, MA): CHG0395776
VA Northern California Health Care (Martinez, CA): CHG0393965

Software and Documentation Retrieval Instructions:
--------------------------------------------------
The software for this patch is being released using a host file.

The host file is available at the following location:
/srv/vista/patches/SOFTWARE/MAG3_0P345.KID

Other Software Files:
This release also includes other software files. Other software files can
be obtained by accessing the URL:
https://download.vista.domain.ext/index.html/SOFTWARE

File Title                              File Name
---------------------------------------------------------------------
Kernel Installation and                 MAG3_0P345.KID
Distribution System (KIDS)
build for Patch 345

Hybrid DICOM Gateway                    MAG3_0P345_HDIG_SETUP.MSI
Installation File

Documentation describing the new functionality is included in this release.
Documentation can be found on the VA Software Documentation Library at:
https://www.domain.ext/vdl/. Documentation can also be obtained at
https://download.vista.domain.ext/index.html/SOFTWARE

Documentation Title                     File Name
--------------------------------------------------------------------------
Patch Description for MAG*3.0*345       MAG3_0P345_PATCH_DESCRIPTION.PDF
Deployment, Installation, Back-Out,     MAG3_0P345_DIBORG.PDF
and Rollback Guide

Patch Installation:
-------------------

Pre/Post Installation Overview:
-------------------------------
MAG*3.0*345 must be installed on the VistA System and on 64-bit HDIG
servers. This patch must be installed by the compliance date.

All sites running VistA Imaging 3.0 must install the KIDS portion of this
patch.
This patch can be loaded while the VistA Imaging System is active, and
users are on the system. Installing the MAG*3.0*345 KIDS takes 2-5 minutes.

The HDIG install requires .NET version of 4.6.2 or later.

NOTES:
1. To avoid losing configuration changes, sites with a modified HDIG Listen
   file will need to save a copy of the file before installing this patch.
   After the installation is complete, restore the Listen file and restart
   the Tomcat service. The location of the Listen file is here:
   C:\DCF_RunTime_x64\cfg\apps\defaults.

2. To avoid losing configuration changes in the
   PeriodicCommandsConfiguration.config file, sites with a modified
   PeriodicCommandsConfiguration.config file will need to save a copy of
   the file before installing this patch. The location of the
   PeriodicCommandsConfiguration.config file is here:
   C:\VixConfig\DicomServerConfiguration.config

3. There is a known issue when multiple Java versions are present on the
   HDIG system, so this configuration is not recommended.

Supported Versions:
--------------------------
When MAG*3.0*345 is released, the list of supported versions of HDIG will
change:

Versions Supported:
-------------------
3.0.345
3.0.314
3.0.324

Versions No Longer Supported:
-----------------------------
3.0.302
3.0.273
3.0.257

Pre-Installation Instructions:
------------------------------
This patch may be installed with users on the system although it is
recommended that it be installed during non-peak hours to minimize
potential disruption to users. This patch should take less than 5 minutes
to install.

KIDS Installation Instructions:
-------------------------
1. Use the Load a Distribution option contained on the Kernel Installation
   and Distribution System Menu to load the Host file. When prompted to
   "Enter a Host File:" enter /srv/vista/patches/SOFTWARE/MAG3_0P345.KID

2. From the Kernel Installation and Distribution System Menu, select the
   Installation Menu. From this menu,

   A. Select the Verify Checksums in Transport Global option to confirm the
      integrity of the routines that are in the transport global. When
      prompted for the INSTALL NAME enter the patch or build name.
      (ex. MAG*3.0*345)

      NOTE: Using will not bring up a Multi-Package build even if it was
      loaded immediately before this step. It will only bring up the last
      patch in the build.

   B. Select the Backup a Transport Global option to create a backup
      message. You must use this option and specify what to backup; the
      entire Build or just Routines. The backup message can be used to
      restore the routines and components of the build to the pre-patch
      condition.

      i.   At the Installation option menu, select Backup a Transport
           Global
      ii.  At the Select INSTALL NAME prompt, enter your build MAG*3.0*345.
      iii. When prompted for the following, enter "R" for Routines or "B"
           for Build.

              Select one of the following:

                 B   Build
                 R   Routines

              Enter response: Build

      iv.  When prompted "Do you wish to secure this message? NO//", press
           and take the default response of "NO".
      v.   When prompted with, "Send mail to: Last name, First Name", press
           to take default recipient. Add any additional recipients.
      vi.  When prompted with "Select basket to send to: IN//", press and
           take the default IN mailbox or select a different mailbox.
      vii. Repeat step ii for each build in the host file.

   C. You may also elect to use the following options:

      i.  Print Transport Global - This option will allow you to view the
          components of the KIDS build.
      ii. Compare Transport Global to Current System - This option will
          allow you to view all changes that will be made when this patch
          is installed. It compares all the components of this patch, such
          as routines, DDs, templates, etc.

   D. Select the Install Package(s) option and choose the patch to install.

      i.   If prompted 'Want KIDS to Rebuild Menu Trees Upon Completion of
           Install? NO//', answer .
      ii.  When prompted 'Want KIDS to INHIBIT LOGONs during the install?
           NO//', answer .
      iii. When prompted 'Want to DISABLE Scheduled Options, Menu Options,
           and Protocols? NO//', answer .

Installing and Updating the HDIG:
---------------------------------
For installing or updating the HDIG, refer to the Hybrid DICOM Image
Gateway (HDIG) Installation Guide.

Post-Installation Instructions:
-------------------------------
N/A - Routine MAGIP345 is a post-installation routine that is automatically
deleted after the KIDS installation.

Back-Out/Roll Back Plan:
------------------------
Please refer to the Deployment, Implementation, Back-Out and Rollback Guide
(MAG3_0P345_DIBORG.PDF) for instructions.

Uninstalling the Application:
-----------------------------
For installing or updating the HDIG, refer to the Hybrid DICOM Image
Gateway (HDIG) Installation Guide (Previous Patch: MAG*3.0*314).

KIDS Uninstall:
---------------
If it is necessary to uninstall the MAG*3.0*345 VistA KIDS, the patch
backup must be installed. The Kernel Installation & Distribution System
menu option, Backup a Transport Global, should have been used to create a
patch backup of the build prior to installing the patch (see Installation
Steps section, step 2b). Administrators will need to check MailMan for the
backup message sent by the Backup a Transport Global function executed
prior to the patch install.

The patch backup must first be loaded from the MailMan backup message, by
performing the message action Xtract KIDS, followed by the PackMan function
INSTALL/CHECK MESSAGE. The patch may then be installed using the Install
Package(s) option in the KIDS Installation menu.

1. Navigate to the Mailman inbox containing the patch backup message.

   a. Select the MAG*3.0*345 backup message as shown below:
      * Backup of MAG*3.0*345 install on
   b. At the "Enter message action:" prompt, select the Xtract PackMan
      option.
   c. At the "Select PackMan function:" prompt, select the Install/Check
      Message option.
   d. Enter Yes at the prompt "OK to continue with Load?"

2. Navigate to the Kernel Installation and Distribution System Menu and
   select the Installation Menu. From this menu:

   a. Select the Install Package(s) option and choose the patch to install.
      At the "Select INSTALL NAME:" prompt, enter MAG*3.0*345b

      i.  If prompted 'Want KIDS to Rebuild Menu Trees Upon Completion of
          Install? NO//', answer NO.
      ii. When prompted 'Want KIDS to INHIBIT LOGONs during the install?
          NO//', answer NO.

Example, Loading Patch Backup (Build)
--------------------------------------------
   IN Basket, 1504 messages (1-1847), 427 new
   *=New/!=Priority........Subject...................Lines.From..........Read
   /Rcvd
   41. [558486] 02/19/23 Backup of MAG*3.0*345 on 4803

   Enter message number or command: 41

   Subj: Backup of MAG*3.0*345 on Feb 19, 2023 [#558486] 02/19/23@12:33
   4803 lines
   From: MANAGER,SYSTEMS In 'IN' basket. Page 1
   --------------------------------------------------------------------------
   $TXT Created by PROGRAMMER,MAG at CHY0128.FO-BAYPINES.DOMAIN.EXT (KIDS)
   on Sunday, 02/19/23 at 12:33

   Warning: Installing this backup patch message will install older
   versions of routines and Build Components (options, protocols,
   templates, etc.). Please verify with the Development Team that it is
   safe to install.

   Type to continue or '^' to exit: ^

   Enter message action (in IN basket): Ignore// Xtract KIDS

   Select PackMan function: 6 INSTALL/CHECK MESSAGE

   Line 8 Message #558486 Unloading KIDS Distribution MAG*3.0*345b
   OK to continue with Load? NO// YES

   Distribution OK!

   Want to Continue with Load? YES//
   Loading Distribution...
   MAG*3.0*345b

Example, Installing Patch Backup (Build)
-----------------------------------------------
   Select OPTION NAME: XPD MAIN Kernel Installation & Distribution System

   Select Kernel Installation & Distribution System Option: INstallation

   Select Installation Option: INstall Package(s)
   Select INSTALL NAME: MAG*3.0*345b

   This Distribution was loaded on Feb 19, 2023@11:54:20 with header of
   Backup of MAG*3.0*345 on Feb 19, 2023
   It consisted of the following Install(s):
   MAG*3.0*345b
   Checking Install for Package MAG*3.0*345b

   Install Questions for MAG*3.0*345b

   Want KIDS to Rebuild Menu Trees Upon Completion of Install? NO//

   Want KIDS to INHIBIT LOGONs during the install? NO//
   Want to DISABLE Scheduled Options, Menu Options, and Protocols? NO//

   Enter the Device you want to print the Install messages.
   You can queue the install by enter a 'Q' at the device prompt.
   Enter a '^' to abort the install.

   DEVICE: HOME// Linux Telnet /SSh

   MAG*3.0*345b
   --------------------------------------------------------------------------
   Build Distribution Date: Feb 19, 2023

   Installing Routines:
   Feb 19, 2023@11:54:36

   Installing PACKAGE COMPONENTS:

   Installing OPTION
   Feb 19, 2023@11:54:36

Routine Information:
====================
The second line of each of these routines now looks like:
 ;;3.0;IMAGING;**[Patch List]**;Mar 19, 2002;Build 4

The checksums below are new checksums, and
can be checked with CHECK1^XTSUMBLD.

Routine Name: MAGGETUIDSTATUS
    Before:       n/a   After:  B7454332  **345**
Routine Name: MAGIP345
    Before:       n/a   After:  B4076424  **345**
Routine Name: MAGVIM09
    Before: B56577125   After: B56578341  **118,138,332,345**
Routine Name: MAGVUID
    Before: B66333362   After: B79125566  **118,138,172,345**

Routine list of preceding patches: 172, 332

=============================================================================
User Information:
Entered By  :                               Date Entered  : SEP 28, 2022
Completed By:                               Date Completed: NOV 22, 2023
Released By :                               Date Released : NOV 22, 2023
=============================================================================

Packman Mail Message:
=====================

No routines included