=============================================================================
Run Date: MAR 01, 2024                      Designation: MAG*3*364
Package : MAG - IMAGING                     Priority: EMERGENCY
Version : 3         SEQ #254                Status: Released
                  Compliance Date: MAR 15, 2024
=============================================================================

Subject: LEGACY DICOM GATEWAY SECURITY FIXES

Category:
  - Other

Description:
============

This document describes Emergency Patch MAG*3.0*364, which addresses
security vulnerabilities in IRIS, which uses the Apache HTTP Server, by
upgrading it to version 2.4.58 on Legacy DICOM Gateway (LDGW) servers.
The patch also addresses TLS 1.0/1.1 vulnerabilities on Hybrid DICOM Image
Gateway (HDIG) servers.

This patch addresses the following issues:

Adaptive Maintenance:
----------------------
1. InterSystems IRIS Apache Server upgrade to version 2.4.58
2. TLS 1.0/1.1 vulnerabilities on HDIG

Patch Components:
-----------------

File Name (Number)         Field Name (Number)     New/Modified/Deleted
------------------         -------------------     --------------------

Forms Associated:

Form Name                  File Number             New/Modified/Deleted
---------                  -----------             --------------------
N/A

Mail Groups Associated:

Mail Group Name            New/Modified/Deleted
---------------            --------------------
N/A

Options Associated:

Option Name                Type                    New/Modified/Deleted
-----------                ----                    --------------------
N/A

Protocols Associated:

Protocol Name              New/Modified/Deleted
-------------              --------------------
N/A

Security Keys Associated:

Security Key Name
-----------------
N/A

Templates Associated:
---------------------

Template Name      Type    File Name (Number)      New/Modified/Deleted
-------------      ----    ------------------      --------------------
N/A

Remote Procedures Associated:

Remote Procedure Name      New/Modified/Deleted
---------------------      --------------------
N/A

Parameter Definitions Associated:

Parameter Name             New/Modified/Deleted
--------------             --------------------
N/A

Additional Information:
-----------------------
N/A

Blood Bank Team Coordination:
N/A

New Service Requests (NSRs):
N/A

Patient Safety Issues (PSIs):
N/A

Adaptive Maintenance Tracking System Ticket(s) & Overview:
----------------------------------------------------------

1. InterSystems IRIS Apache Server upgrade to version 2.4.58

Description:
------------
InterSystems IRIS uses the Apache HTTP Server to display the IRIS
Management Portal. The current version installed with LDGW has security
vulnerabilities.

Resolution:
-----------
Update the version of Apache HTTP Server to 2.4.58. This patch replaces the
C:\InterSystems\IRISHealth\httpd\bin and
C:\InterSystems\IRISHealth\httpd\modules folders to ensure that the Apache
Web Service is brought up to the latest approved version, 2.4.58.

2. Addressing TLS 1.0/1.1 vulnerabilities in HDIG

Description:
------------
VA has recently implemented a requirement to disable the SSL v1.0,
TLS v1.0, and TLS v1.1 protocols. The current HDIG application utilizes
TLS v1.0/v1.1.

Resolution:
-----------
The patch disables TLS 1.0/1.1 and enables the TLS v1.2 protocol through
registry edits and modifications to the server.xml file. Additionally, the
HDIG version is updated to reflect the current build number by modifying
the VixConfig.XML file.

Test Sites:
-----------
Alexandria VA Medical Center (Pineville, LA)
Lebanon VA Medical Center (Lebanon, PA)

Test Sites - SNOW Change Order #:
---------------------------------
Alexandria VA Medical Center (Pineville, LA) - Change Order number CHG0457753
Lebanon VA Medical Center (Lebanon, PA) - Change Order number CHG0458427

Software and Documentation Retrieval Instructions:
--------------------------------------------------
All patch files can be obtained from the SOFTWARE library by accessing the
URL: https://download.vista.domain.ext/index.html/SOFTWARE.

File Title                             File Name
---------------------------------------------------------------------
MAG3_0P364_APACHEUPGRADE_TLS           MAG3_0P364_APACHEUPGRADE_TLS.ZIP
PowerShell Script

Documentation Title                    File Name
-------------------                    ----------
Patch Description for MAG*3.0*364      MAG3_0P364_PATCH_DESCRIPTION.PDF
Deployment, Installation, Back-Out,    MAG3_0P364_DIBORG.PDF
and Rollback Guide

Patch Installation:
-------------------

Pre-Installation Instructions:
-------------------------------
A PowerShell script is used to update the Apache Service, disable
TLS 1.0/1.1, and enable TLS v1.2 on DICOM Gateway servers. This patch
affects all DICOM Gateways, including Legacy, Text and Routing, as well as
HDIGs. The script detects whether a server has an HDIG installed. If no
HDIG is installed, it does not attempt to update server.xml and
vixconfig.xml.

1. Log in to the Gateway server.
2. Open a command prompt.
   a. Run the "C:\InterSystems\IRISHealth\httpd\bin\httpd -v" command.
3. Verify the current Apache Server version is less than "Apache/2.4.58".

Installation Instructions:
--------------------------
1.  Create a new folder: C:\Temp
2.  Copy the downloaded "MAG3_0P364_APACHEUPGRADE_TLS.ZIP" to the C:\Temp
    directory.
3.  Extract the contents of the "MAG3_0P364_APACHEUPGRADE_TLS.ZIP" file to
    the folder C:\TEMP\MAG3_0P364_APACHEUPGRADE_TLS.
4.  Shut down all LDGW processing windows (2-3, 2-5, 3-3, 2-8-2, etc.) as
    well as all legacy listeners on the Imaging Gateway before executing
    the Windows PowerShell script.
5.  Run Windows PowerShell as an administrator.
6.  If prompted with "Do you want to allow the following program from an
    unknown publisher to make changes to this computer?", click Yes.
7.  Once Windows PowerShell launches, type the following command:
      CD C:\temp\MAG3_0P364_APACHEUPGRADE_TLS
    Press [ENTER] to change the working directory to this folder.
8.  Type the command:
      .\MAG3_0P364_APACHEUPGRADE_TLS.ps1
    Press [ENTER] to execute the automated script.
9.  When prompted to Enter IRIS root Path.
      Press Enter to use default value[C:\InterSystems\IRISHealth]:
    Press [ENTER]
    Note: The script automatically stops and restarts IRIS during
    execution.
10. Upon successful completion of the commands, the following message will
    be displayed:
      "P364 - Emergency patch script completed."
11. Press [ENTER] to complete the installation process and exit.
      "Press Enter to exit:"

Note: If IRIS needs to be reinstalled on any Image Gateway, MAG*3.0*364
must be reapplied to remediate the Apache Web Service security
vulnerabilities.

Installation Verification:
-------------------------------
1. If IRIS is not automatically started after the upgrade, right-click on
   the IRIS icon in the bottom right corner of the taskbar and select
   "Start IRIS".
2. Log in to the IRIS Management Portal and verify that the previous
   settings have been retained (refer to the VistA Imaging DICOM Gateway
   Installation Guide if needed).
3. Go to the "C:\InterSystems\IRISHealth\httpd" folder and verify that the
   Apacheversion.txt file exists.
4. Open the file to verify the contents show "Apache 2.4.58".
5. In a browser, verify the View HDIG Statistics displays the Version as
   30.364.1.8004.

Back-Out/Roll Back Plan:
------------------------

Uninstalling the Applications:
-----------------------------
If it is necessary to uninstall MAG*3.0*364, the current versions of the
LDGW and HDIG need to be reinstalled.

1. For uninstalling the LDGW and instructions on reinstalling the previous
   patch (MAG*3.0*319), refer to the LDGW Installation Guide.
2. For uninstalling the HDIG and instructions on reinstalling the previous
   patch (MAG*3.0*314 or MAG*3.0*345), refer to the HDIG Installation
   Guide.

Routine Information:
====================
No routines included.

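The Installation Verification checks above can be scripted for repeat use across gateways. The following PowerShell is an added example, not part of the MAG*3.0*364 distribution. It assumes the default IRIS root and that the TLS registry edits land under the standard Windows SCHANNEL Protocols key, which this document does not spell out; the HDIG version check in step 5 stays a manual browser check.

```powershell
# Added example: read-only post-install checks for MAG*3.0*364.
# Run in an elevated PowerShell session on the gateway server.
param([string]$IrisRoot = 'C:\InterSystems\IRISHealth')  # default from step 9

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result($Check, $Pass, $Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail })
}

# 1. Version reported by the Apache binary itself (same command as pre-install).
$httpd = Join-Path $IrisRoot 'httpd\bin\httpd.exe'
if (Test-Path $httpd) {
    $banner = (& $httpd -v 2>&1 | Out-String)
    if ($banner -match 'Apache/(\d+\.\d+\.\d+)') {
        Add-Result 'httpd -v' ([version]$Matches[1] -ge [version]'2.4.58') $Matches[1]
    } else { Add-Result 'httpd -v' $false 'version string not found' }
} else { Add-Result 'httpd -v' $false "missing: $httpd" }

# 2. Marker file from Installation Verification steps 3 and 4.
$marker = Join-Path $IrisRoot 'httpd\Apacheversion.txt'
if (Test-Path $marker) {
    $text = (Get-Content $marker -Raw).Trim()
    Add-Result 'Apacheversion.txt' ($text -match 'Apache 2\.4\.58') $text
} else { Add-Result 'Apacheversion.txt' $false 'file missing' }

# 3. Server-side protocol state. ASSUMPTION: standard SCHANNEL key layout.
#    An unset value means the OS default applies; it is reported as not verified.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$expected = [ordered]@{ 'TLS 1.0' = $false; 'TLS 1.1' = $false; 'TLS 1.2' = $true }
foreach ($p in $expected.GetEnumerator()) {
    $key = Join-Path $base "$($p.Key)\Server"
    $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $detail = if ($null -eq $enabled) { 'Enabled not set (OS default)' } else { "Enabled=$enabled" }
    if ($p.Value) { $ok = ($null -ne $enabled) -and ($enabled -ne 0) }
    else          { $ok = ($enabled -eq 0) }
    Add-Result "SCHANNEL $($p.Key) Server" $ok $detail
}

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }  # non-zero exit for automation
```

The script only reads state and changes nothing on the server, so it can also be run before installation to record a baseline.
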
=============================================================================
User Information:
Entered By  :                               Date Entered  : JAN 30, 2024
Completed By:                               Date Completed: MAR 01, 2024
Released By :                               Date Released : MAR 01, 2024
=============================================================================

Packman Mail Message:
=====================

No routines included