=============================================================================
Run Date: JUN 09, 2022                      Designation: MAG*3*269
Package : MAG - IMAGING                     Priority: EMERGENCY
Version : 3        SEQ #223                 Status: Released
                   Compliance Date: JUN 15, 2022
=============================================================================

Associated patches: (v)MAG*3*185   <<= must be installed BEFORE `MAG*3*269'
                    (v)MAG*3*284   <<= must be installed BEFORE `MAG*3*269'

Subject: QUERY RETRIEVE

Category:
  - Informational
  - Routine

Description:
============

This patch addresses the following issues and new capabilities:

Unless noted otherwise, each change applies to VIX and CVIX.

1.  Enhancement (IMAG-1718): Enable Commercial PACS and various query
    retrieve devices at Department of Veterans Affairs (VA) facilities to
    query, retrieve, and display remote images in addition to local
    images. Also enable NilRead(TM) and various query retrieve devices at
    DoD (Department of Defense) facilities to query, retrieve, and display
    VA reports and images.
2.  Defect (IMAG-1722) Upgrade to Tomcat 9.0.40.
3.  Defect (IMAG-1822) Upgrade to JRE 8u291.
4.  Defect (IMAG-1720) Solve Office of Information Services (OIS) Fortify
    scan issues.
5.  Enhancements for Installation improvements.
    A. Enhancement (IMAG-1719) Back up configuration folder and track
       history in C:\VIXBackup.
    B. Enhancement (IMAG-1837) Automate logs folder deletion in the
       C:\VixConfig folder during installation to avoid JAVA conflict.
    C. Enhancement (IMAG-1840) Automate setting port range and setting
       TCP/IP connection timeout value via registry update.
    D. Defect (IMAG-1844) Remove Yes/No prompt regarding Apache Tomcat
       service account password, replace Release of Information (ROI)
       page with VistA page, require entry of access and verify codes for
       Tomcat and VistA service accounts, remove press any key prompt for
       PowerShell pop-up scripts, and fix uninstall so messages regarding
       failing to purge the image render database and cannot remove the
       viewer render cache do not appear.
6.  Defect (IMAG-1838) Fix Continuous Readiness Information System
    Patching (Crisp) vulnerability for apachetomcat user.
7.  Defect (IMAG-1839) Address Federal Information Processing Standard
    (FIPS) 140 compliance.
8.  Defect (IMAG-72) Prevent error in VistA error trap when selecting a
    patient with images linked to a deleted report.
9.  Defect (IMAG-1823) Add SSN prefix or pattern to configuration to
    filter out MUSE test patients.
10. Enhancement (IMAG-2005) Add time to the VixLog tool's output.
11. Enhancement (IMAG-2007) Add Acuo time-outs and HTTPS.
12. Enhancement (IMAG-2036) Include P284 changes into P269.
13. Defect (IMAG-10) Support Server Message Block (SMB) 2.0 by updating
    Java CIFS Client Library (JCIFS) portion of the VIX code.
14. Enhancement (IMAG-2217) Support the display of Rich Text Format (RTF)
    and TXT files.
15. Defect (IMAG-2218) Upgrade to Visual Studio 2019 and .NET Framework
    4.7.2.
16. Enhancement (IMAG-1974) Add Windows Server 2016 support.
17. Defect (IMAG-2469) Address Text Integration Utility (TIU) Note
    Duplication Issue.
18. Enhancement (IMAG-2523) Support HTTP/2.
19. Defect (IMAG 2948) Resolve Java logging library log4j security
    vulnerability.
20. Enhancement (IMAG-2910) Support Edge and Chrome with new VIX Tools
    page.

Patch Components:
-----------------

Files & Fields Associated:

File Name (Number)         Field Name (Number)     New/Modified/Deleted
------------------         -------------------     --------------------
N/A

Forms Associated:

Form Name                  File Number             New/Modified/Deleted
---------                  -----------             --------------------
N/A

Mail Groups Associated:

Mail Group Name            New/Modified/Deleted
---------------            --------------------
N/A

Options Associated:

Option Name                Type                    New/Modified/Deleted
-----------                ----                    --------------------
N/A

Protocols Associated:

Protocol Name              New/Modified/Deleted
-------------              --------------------
N/A

Security Keys Associated:

Security Key Name
-----------------
N/A

Templates Associated:

Template Name      Type      File Name (Number)    New/Modified/Deleted
-------------      ----      ------------------    --------------------
N/A

Remote Procedures Associated:

Remote Procedure Name      New/Modified/Deleted
---------------------      --------------------
N/A

Parameter Definitions Associated:

Parameter Name             New/Modified/Deleted
--------------             --------------------
N/A

Additional Information:
-----------------------

Blood Bank Team Coordination: N/A

New Service Requests (NSRs): N/A

Patient Safety Issues (PSIs): N/A

Defect Tracking System Ticket(s) & Overview:
(IMAG numbers are from VA Jira)

1. Enhancement (IMAG-1718): Enable Commercial PACS and various query
   retrieve devices at Department of Veterans Affairs (VA) facilities to
   query, retrieve, and display remote images in addition to local
   images. Also enable NilRead(TM) and various query retrieve devices at
   DoD (Department of Defense) facilities to query, retrieve, and display
   VA reports and images.

Problem:
--------
Prior to this change, Commercial PACS and various query retrieve device
users at VA facilities could only view local images. Also prior to this
change, NilRead(TM) and various query retrieve device users at DoD
facilities could not display VA reports and images.

Resolution:
-----------
Commercial PACS, NilRead(TM), and other query retrieve device users at VA
and DoD facilities can now query, retrieve, and display remote reports
and images. This works by the query retrieve device calling the new DICOM
SCP on the VIX (for VA devices) or CVIX (for DoD devices). Please see the
Pre/Post Installation Overview section, located below in this Patch
Description, for further information.

2. Defect (IMAG-1722) Upgrade to Tomcat 9.0.40.

Problem:
--------
The Tomcat version in MAG*3.0*284 was 9.0.34 and required an upgrade in
accordance with the Technical Reference Model (TRM).

Resolution:
-----------
Tomcat is now upgraded to supported version 9.0.40 according to the TRM.

3. Defect (IMAG-1822) Upgrade to JRE 8u291.

Problem:
--------
The Java (JRE) version in MAG*3.0*284 was 8u251 and required an upgrade
in accordance with the TRM.

Resolution:
-----------
JRE is now upgraded to supported version 8u291 according to the TRM.

4. Defect (IMAG-1720) Solve Office of Information Services (OIS) Fortify
   scan issues.

Problem:
--------
To meet Application Security Testing (ATO) requirements, the Fortify
static code analyzer analyzed the source code and identified security
issues.

Resolution:
----------
The source code is now modified to address Critical, High, and Medium
vulnerabilities reported by the Fortify Tool.

5. Enhancements for Installation improvements.

A. Enhancement (IMAG-1719) Back up configuration folder and track history
   in C:\VIXBackup.

Problem:
--------
Prior to this change, only some critical configuration files were backed
up before installation, and no tracking history was provided to track
multiple installations over time.

Resolution:
-----------
The VIX Install now backs up critical configuration file folders before
the installation of a new patch. Further, to reduce disk space, prior
critical configuration file folder backups are zipped up before creating
new critical configuration file folder backups.
The VIX Install also now includes a tracking history file to track
installations over time.

B. Enhancement (IMAG-1837) Automate logs folder deletion in the
   C:\VixConfig folder during installation to avoid JAVA conflict.

Problem:
--------
Prior to this change, deleting the logs folder in the C:\VixConfig folder
was a manual step performed during installation, if needed, to avoid JAVA
conflict.

Resolution:
-----------
The VIX Install now automates the deletion of the logs folder in the
C:\VixConfig folder as part of the VIX Installation Wizard.

C. Enhancement (IMAG-1840) Automate setting port range and setting TCP/IP
   connection timeout value via registry update.

Problem:
--------
Prior to this change, setting the port range and setting the TCP/IP
socket connection timeout value were both manual steps.

Resolution:
-----------
The VIX Install now automates the port range setting and TCP/IP
connection timeout value as part of the VIX Installation Wizard.

D. Defect (IMAG-1844) Remove Yes/No prompt regarding Apache Tomcat
   service account password, replace Release of Information (ROI) page
   with VistA page, require entry of access and verify codes for Tomcat
   and VistA service accounts, remove press any key prompt for PowerShell
   pop-up scripts, and fix uninstall so messages regarding failing to
   purge the image render database and cannot remove the viewer render
   cache do not appear.

Problem:
--------
Prior to this change, for an update installation as part of the VIX
Installation Wizard, a Yes/No prompt appeared for the Apache Tomcat
service account password. Also, prior to this change, for an update
installation as part of the VIX Installation Wizard, access and verify
codes already entered from the prior patch update were not required to be
entered. Further, prior to this change, a press any key prompt for
PowerShell pop-up scripts appeared requiring a key entry.
In addition, prior to this change, for the uninstall of the prior patch,
messages would appear about failing to purge the image render database
and cannot remove the viewer render cache.

Resolution:
-----------
The VIX Install no longer displays a Yes/No prompt for the Apache Tomcat
service account password as part of the VIX Installation Wizard. The
VistA page replaces the Release of Information (ROI) page and the VIX
Install requires entry of the access and verify codes for both Tomcat and
VistA service accounts as part of the VIX Installation Wizard. The press
any key prompt for PowerShell pop-up scripts no longer displays, and the
scripts close when complete with their installation tasks. The VIX
Installation Wizard is updated so that messages regarding failing to
purge the image render database and cannot remove the viewer render cache
do not display and the cache is removed during uninstall.

6. Defect (IMAG-1838) Fix Continuous Readiness Information System
   Patching (Crisp) vulnerability for apachetomcat user.

Problem:
--------
The security scan Crisp identified a permissions vulnerability for Tomcat
executables for the apachetomcat user.

Resolution:
-----------
The VIX Install was modified to remove permissions to write or modify
Tomcat executables for the apachetomcat user account.

7. Defect (IMAG-1839) Address Federal Information Processing Standard
   (FIPS) 140 compliance.

Problem:
--------
FIPS 140 compliance requires that cryptographic algorithm implementations
pass National Institute of Standards and Technology (NIST) validation.

Resolution:
-----------
The VIX Install and the VIX Image Viewer now use FIPS 140-validated
cryptographic algorithms.

8. Defect (IMAG-72) Prevent error in VistA error trap when selecting a
   patient with images linked to a deleted report.

Problem:
--------
When clicking the camera icon for a radiology report in JLV, an error
could result if the images were linked to a radiology report that was
deleted in its home VistA.

Resolution:
-----------
This process now fails gracefully, and the VistA error trap does not log
an error.

9. Defect (IMAG-1823) Add SSN prefix or pattern to configuration to
   filter out MUSE test patients.

Problem:
--------
When making calls to MUSE for patient data, test patients with specific
patient identifiers were matching against real patients.

Resolution:
-----------
A new filter is in the MUSE configuration file to prevent test patients
from receiving MUSE calls. The default filter value prevents MUSE calls
for patients with "000-00" patient identifiers.

10. Enhancement (IMAG-2005) Add time to the VixLog tool's output

Problem:
--------
Until this patch, the output from the VixLog tool did not contain a time,
so the only way to filter the log was by date.

Resolution:
-----------
The output from the VixLog tool now contains a time, so we can now filter
with more granularity and precision.

11. Enhancement (IMAG-2007) Add Acuo time-outs and HTTPS

Problem:
--------
Before this patch, the Acuo/ECIA connection could time out too frequently
for DICOM CFIND queries, and the HTTPS file protocol could fail when
retrieving DOD studies.

Resolution Note:
---------------
Incident was addressed in CVIX only hotfix 01 in MAG*3.0*254 and carried
forward into the MAG*3.0*284 release and subsequently MAG*3.0*269
release.

Resolution:
-----------
Acuo time-outs are now configurable and HTTPS "file://" protocol is now
supported.

12. Enhancement (IMAG-2036) Include P284 changes into P269

Problem:
--------
P269 was originally based on P254, and P284 was introduced before P269
was released.

Resolution:
-----------
All functionality introduced in P284 is included in P269. This
incorporates changes to the VIX Installer and the Ingest Web Services.
For further information, please refer to the P284 Patch Description.

13. Defect (IMAG-10) Support Server Message Block (SMB) 2.0 by updating
    Java CIFS Client Library (JCIFS) portion of the VIX code.

Problem:
--------
Before this patch, SMB 2.0 was not working.

Resolution:
-----------
SMB 2.0 support has been added by updating JCIFS.

14. Enhancement (IMAG-2217) Support the display of Rich Text Format (RTF)
    and TXT files.

Problem:
--------
When a user views an RTF or TXT file in the VIX Viewer, the file never
displays.

Resolution:
-----------
The VIX Viewer now uses LibreOffice to convert an RTF or TXT file to a
Portable Document Format (PDF) file allowing for display, export, and
print. To support the conversion, the VIX Service Installer Wizard now
installs LibreOffice version 7.0.6 in compliance with the TRM. As an
added benefit, LibreOffice can open MS Office files (docx, xlsx, etc.) on
VIX/CVIX servers.

15. Defect (IMAG-2218) Upgrade to Visual Studio 2019 and .NET Framework
    4.7.2.

Problem:
--------
Before this patch, the .NET components of CVIX and VIX (the VIX Viewer,
the VIX Service Installation Wizard, and "behind-the-scenes" programs to
build those components) used Visual Studio 2013 and .NET Framework 4.5
and required upgrades in accordance with the TRM.

Resolution:
-----------
The .NET components of CVIX and VIX are now upgraded to use supported
Visual Studio 2019 and .NET Framework 4.7.2 to comply with the TRM.

16. Enhancement (IMAG-1974) Add Windows Server 2016 support.

Problem:
--------
Before this patch, the CVIX and VIX, including the VIX Viewer and the VIX
Service Installation Wizard, functioned only on Windows Server 2012 R2.
The TRM requires support of Windows Server 2016.

Resolution:
-----------
The CVIX and VIX now function on Windows Server 2016 to comply with the
TRM. The VIX Viewer correctly displays all file types as on Windows
Server 2012 R2 plus the new RTF and TXT (see item 14). The Installer
Wizard shows the correct Operating System (OS) version, and the access
control that caused a non-fatal error denying access to the apachetomcat
account to C: is resolved.

17. Defect (IMAG-2469) Address Text Integration Utility (TIU) Note
    Duplication Issue.

Problem:
--------
Prior to this patch, if a VIX server was down it was possible for the
CVIX and associated web service calls to result in a duplication of the
TIU note.

Resolution:
-----------
The error handling for the federation services was updated and the
federation services now return a failed response for a failed submission
when a VIX server is down.

18. Enhancement (IMAG-2523) Support HTTP/2.

Problem:
--------
When the HTTP/2 protocol is used, images did not display in the VIX
Viewer because the HTTP/2 protocol sends header names entirely in lower
case, which the client-side code in the browser was not expecting.

Resolution:
----------
The VIX Viewer Service and client-side browser code now ensure all HTTP
headers they send are completely in lower case. When comparing received
headers, the client and server code perform a case-insensitive match.
This way, the VIX Viewer displays all images regardless of the HTTP
protocol in use.

19. Defect (IMAG 2948) Resolve Java logging library log4j security
    vulnerability.

Problem:
--------
A 0-day exploit in the Java logging library log4j (version 2) used by the
VIX/CVIX allowed for Remote Code Execution (RCE) by logging a certain
string.

Resolution:
-----------
The Java logging library log4j was updated to a later version (2.17.2)
that addresses all current security vulnerabilities.

20. Enhancement (IMAG-2910) Support Edge and Chrome with new VIX Tools
    page.

Problem:
--------
The VA is removing Internet Explorer in June 2022 and also removing basic
authentication for any browser.

Resolution:
-----------
Internet Explorer is no longer supported. Edge and Chrome are supported
and use the existing token authentication mechanism, meaning there is no
change for logging into JLV before it accesses the CVIX, VIX, or VIX
Viewer. The VIX Viewer Hydra.VistA.Workers is reduced to a default
setting of 5 processes.

There is a new VIX Tools page for system administrators, not end-users,
to access the newly secured web tools pages. The URL for this is
https://YourFullServerName:343/vix/viewer/tools. A login page asks you
for your VistA Access and Verify Codes. After you click the Login button,
the VIX Tools page displays, and you do not need to log in again during
your browser session. You can access the VIX Tools page from your GFE or
your server.

Test Sites:
-----------
* James A. Lovell Federal Health Care Center
* Philadelphia VAMC
* Richmond VAMC
* VA Pacific Islands Health Care System
* Veterans Health Care System of the Ozarks

Software and Documentation Retrieval Instructions:
---------------------------------------------------------------
The software for this patch is released using a host file. The host file
(Kernel Installation and Distribution System (KIDS)) is available at the
following location:

/srv/vista/patches/SOFTWARE/MAG3_0P269.KID

Other Software Files:
This release also includes other software files. They can be obtained at
location: /srv/vista/patches/SOFTWARE.

Other software files can also be obtained by accessing the URL:
https://download.vista.domain.ext/index.html/SOFTWARE

File Title                                        File Name
-------------------------------------------------------------------------
VistA Imaging Exchange (VIX) Installer            MAG3_0P269_VIX_SETUP.MSI
Central VistA Imaging Exchange (CVIX) Installer*  MAG3_0P269_CVIX_SETUP.MSI

Documentation describing the new functionality is included in this
release. Documentation is located in the VA Software Documentation
Library: https://www.domain.ext/vdl/application.asp?appid=105.
Documentation can also be obtained at
https://download.vista.domain.ext/index.html/SOFTWARE.

Documentation Title
    File Name
-------------------------------------------------------------------------
Deployment, Installation, Backout, and Rollback Guide
    MAG3_0P269_DIBORG.PDF
VistA Imaging Exchange (VIX) Installation Guide
    MAG3_0P269_VIX_INSTALLATION_GUIDE.PDF
Central VistA Imaging Exchange (CVIX) Installation Guide*
    MAG3_0P269_CVIX_INSTALLATION_GUIDE.PDF
VistA Imaging Exchange (VIX) Administration Guide
    MAG3_0P269_VIX_ADMINISTRATION_GUIDE.PDF
CVIX Administrator's Guide and Product Operations Manual*
    MAG3_0P269_CVIX_POM.PDF
VIX Readme
    MAG3_0P269_README.TXT

*Note: Only the KIDS and VIX client for MAG*3.0*269 should be installed
at medical centers. As a result, the CVIX Installer and related CVIX
installation files are not provided to sites on the Network File Shares.

Patch Installation:
-------------------

Pre/Post Installation Overview:
-------------------------------
MAG*3.0*269 KIDS must be installed on the VistA System prior to running
the new executables. This patch must be installed by the compliance date.
All sites running VistA Imaging 3.0 must install the KIDS portion of this
patch. This patch may be loaded while the VistA Imaging System is active.
The installation takes less than one minute.

In support of the enhancement to allow commercial PACS, NilRead(TM) and
other query retrieve devices to retrieve images (IMAG-1718), the
post-install routine adds the following RPCs to the MAG WINDOWS RPC
Context:

* XHD GET SITE INFO
* ORWCIRN FACLIST
* ORRCQLPT PTDEMOS
* ORWU USERINFO
* DSIC DPT GET ICN
* MAG STUDY UID QUERY

Pre-Installation Instructions:
-------------------------------
BEFORE BEGINNING VIX CLIENT INSTALLS OF MAG*3.0*269, SITES MUST UPDATE
THE VISTA IMAGING SERVICE ACCOUNT IN THE LOCAL VISTA. Please refer to
MAG*3.0*269 VIX Installation Guide Section 11, Appendix E: Service
Account Settings. The service account is used for the Release of
Information (ROI) periodic processing and DICOM Query Retrieve Service
Class Provider (SCP) retrieve requests.
You may also use it to log into the new VIX Tools page described in the
MAG3_0P269_VIX_INSTALLATION_GUIDE.PDF - Post-Installation for New VIX
Installations and Updating Existing VIX Installations - Verifying VIX
Operations - 4.5.1 Verifying Access to the VIX Tools and VIX Transaction
Log section for details.

This patch may be installed with users on the system, although it is
recommended that it be installed during non-peak hours to minimize
potential disruption to users. This patch should take less than 5 minutes
to install.

Installation Instructions:
-------------------------------
1. This release is provided using a Host file. Use the Load a
   Distribution option contained on the Kernel Installation and
   Distribution System Menu to load the Host file. When prompted to
   "Enter a Host File:" enter /srv/vista/patches/SOFTWARE/MAG3_0P269.KID

2. From the Kernel Installation and Distribution System Menu, select the
   Installation Menu. From this menu,

   A. Select the Verify Checksums in Transport Global option to confirm
      the integrity of the routines that are in the transport global.
      When prompted for the INSTALL NAME, enter the patch name
      MAG*3.0*269.

      NOTE: Using does not bring up a Multi-Package build even if it was
      loaded immediately before this step. It only brings up the last
      patch in the build.

   B. Select the Backup a Transport Global option to create a backup
      message of any routines exported with this patch. It does not back
      up any other changes such as DDs or templates.

   C. You can also use the following options:

      i.  Print Transport Global - This option allows you to view the
          components of the KIDS build.
      ii. Compare Transport Global to Current System - This option allows
          you to view all changes made when this patch is installed. It
          compares all of the components of this patch, such as routines,
          DDs, templates, etc.

   D. Select the Install Package(s) option and choose the patch to
      install.

      i.   If prompted 'Want KIDS to Rebuild Menu Trees Upon Completion
           of Install? NO//', answer
      ii.  When prompted 'Want KIDS to INHIBIT LOGONs during the install?
           NO//', answer .
      iii. When prompted 'Want to DISABLE Scheduled Options, Menu
           Options, and Protocols? NO//', answer
      iv.  When prompted 'Delay Install (Minutes): (0 - 60): 0//,' answer
           0.

KIDS installation takes 2 - 5 minutes.

Installation Verification
-------------------------
Successful VistA installation can be verified by reviewing the first two
lines of the routines contained in the patch. The second line includes
the patch number in the [PATCH LIST] section.

The option Calculate and Show Checksum Values [XTSUMBLD-CHECK] can be run
to compare the routine checksums to what is documented in the patch
description.

Successful VIX installation can be verified by following the instructions
in the MAG3_0P269_VIX_INSTALLATION_GUIDE.PDF.

Post-Installation Instructions
------------------------------
For post-installation instructions, please see the
MAG3_0P269_VIX_INSTALLATION_GUIDE.PDF for more detail.

Back-out Procedures for MAG Routines
------------------------------------
Back-out can be done only with the concurrence and participation of the
development team and appropriate VA site/region personnel. The decision
to back-out or rollback software can be a joint decision between the
development team, VA site/region personnel, and other appropriate VA
personnel.

Routine MAGIP269 is an installation routine that is automatically deleted
after the KIDS installation.

Rollback, Back Out, or Uninstalling MAG*3.0*269 MSI
---------------------------------------------------
If it is necessary to uninstall the MAG*3.0*269 VIX MSI, use the
Uninstall option from Windows Control Panel to uninstall: "VIX Service
Installation Wizard 30.269.5.7925". Then install the previous version of
VIX, which was included in MAG*3.0*284.

To back out the VIX and replace it with the prior version, please see the
MAG3_0P269_VIX_INSTALLATION_GUIDE.PDF for more detail.
The versions should be validated during uninstall, rollback or back-out
if necessary.

Routine Information:
====================

Routine Name  Before Checksum  After Checksum  Patch List(2nd line)
------------  ---------------  --------------  ---------------------
MAGIP269      N/A              6938390         **269**
MAGNU003      39650764         41930074        **185,269**

Routine MAGIP269 is an installation routine that is automatically deleted
after the KIDS installation.

Routine Information:
====================
No routines included.

=============================================================================
User Information:
Entered By  :                               Date Entered  : JUN 12, 2020
Completed By:                               Date Completed: JUN 09, 2022
Released By :                               Date Released : JUN 09, 2022
=============================================================================

Packman Mail Message:
=====================

No routines included
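
Added example (not part of the patch or of the VIX Viewer code): the
HTTP/2 header-case problem and fix described in item 18 (IMAG-2523),
shown as a lower-casing header container. All names, including the
X-Image-Quality header and the HeaderBag class, are hypothetical.

```javascript
// Added example: names below are hypothetical, not taken from the VIX Viewer.

// Constructed sample: one response as delivered over HTTP/1.1 and over HTTP/2.
// "X-Image-Quality" is an invented custom header used only for illustration.
const HTTP1_RESPONSE = [["Content-Type", "image/jpeg"], ["X-Image-Quality", "diagnostic"]];
const HTTP2_RESPONSE = [["content-type", "image/jpeg"], ["x-image-quality", "diagnostic"]];

// The failure mode: an exact-case lookup works on HTTP/1.1 and silently
// returns undefined once HTTP/2 delivers the same name in lower case.
function getHeaderExact(pairs, name) {
  const hit = pairs.find(([k]) => k === name);
  return hit ? hit[1] : undefined;
}

// Field-name token syntax (RFC 9110). Rejecting anything else also keeps
// CR/LF out of header names built from untrusted input.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

class HeaderBag {
  constructor(pairs = []) {
    this.fields = new Map();
    for (const [name, value] of pairs) this.append(name, value);
  }

  // Single normalisation point used by every read and write.
  static key(name) {
    if (typeof name !== "string" || !TOKEN.test(name)) {
      throw new TypeError("invalid header name");
    }
    return name.toLowerCase(); // locale-independent, unlike toLocaleLowerCase
  }

  // Repeated fields are joined with ", " (not suitable for Set-Cookie).
  append(name, value) {
    const k = HeaderBag.key(name);
    const prev = this.fields.get(k);
    this.fields.set(k, prev === undefined ? String(value) : `${prev}, ${value}`);
  }

  get(name) { return this.fields.get(HeaderBag.key(name)); }
  has(name) { return this.fields.has(HeaderBag.key(name)); }

  // Names as they should be sent: lower case, valid on both protocols.
  toWire() { return [...this.fields.entries()]; }
}

// True when two header lists are equivalent once name case is ignored.
function sameHeaders(a, b) {
  const x = new HeaderBag(a).toWire().sort();
  const y = new HeaderBag(b).toWire().sort();
  return JSON.stringify(x) === JSON.stringify(y);
}
```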