=============================================================================
Run Date: JUN 06, 2022                      Designation: MAG*3*302
Package : MAG - IMAGING                     Priority: EMERGENCY
Version : 3         SEQ #221                Status: Released
                    Compliance Date: JUN 13, 2022
=============================================================================

Subject: HDIG DEFECTS AND ADAPTIVE MAINTENANCE ITEMS

Category:
  - Routine

Description:
============

Description:
This document describes MAG*3.0*302, a patch that provides fixes to
Defects, AM Fortify Scan Remediation, and Log4j Vulnerability Remediation.
This patch also addresses the removal of Internet Explorer (IE)
dependencies to be replaced with Microsoft Edge and Google Chrome as the
dependent browsers.

Prerequisite:
MAG*3.0*302 can only be installed on 30.273.2.7063 or 30.273.2.7064.

Note: With the release of MAG*3.0*302, the following HDIG versions will be
available to sites to suit several scenarios:

- MAG*3.0*302 - Displayed as 30.302.3.7073 in HDIG Stats page.
  SMB1 and SMB2 functionality but with Importer performance issues.
- MAG*3.0*302 - Displayed as 30.302.3.7074 in HDIG Stats page.
  Only SMB1 functionality.

This patch addresses the following issues:

Defect(s):
----------
1. INC15100531 - DICOM Corrects coming into Consult Listeners are showing
   as Radiology
2. INC15239642 - HDIG is not accepting SOP Class
   1.2.840.10008.5.1.4.1.1.6
   This ticket is duplicated by INC16874313 - DICOM Importer III SOP
   Instance Failure.
3. INC14754453 - HDIG web browser launch needs to accommodate for change
   in VA policy from IE

Adaptive Maintenance:
---------------------
1. HDIG Fortify Scan Remediation
   This is duplicated by HDIG Fortify Software Assurance Application (SWA)
   approval.
2. HDIG Log4j Mitigation - v2.17.0

Associated Patches:
-------------------
This patch must be installed after MAG*3.0*273.

Patch Components:
-----------------

Files & Fields Associated:

File Name (Number)    Field Name (Number)    New/Modified/Deleted
------------------    -------------------    --------------------
N/A

Forms Associated:

Form Name             File Number            New/Modified/Deleted
---------             -----------            --------------------
N/A

Mail Groups Associated:

Mail Group Name       New/Modified/Deleted
---------------       --------------------
N/A

Options Associated:

Option Name           Type                   New/Modified/Deleted
-----------           ----                   --------------------
N/A

Protocols Associated:

Protocol Name         New/Modified/Deleted
-------------         --------------------
N/A

Security Keys Associated:

Security Key Name
-----------------
N/A

Templates Associated:

Template Name    Type    File Name (Number)    New/Modified/Deleted
-------------    ----    ------------------    --------------------
N/A

Remote Procedures Associated:

Remote Procedure Name    New/Modified/Deleted
---------------------    --------------------
N/A

Parameter Definitions Associated:

Parameter Name        New/Modified/Deleted
--------------        --------------------
N/A

Additional Information:
-----------------------
N/A

Blood Bank Team Coordination:
N/A

New Service Requests (NSRs):
N/A

Patient Safety Issues (PSIs):
N/A

Defect Tracking System Ticket(s) & Overview:
--------------------------------------------
1. INC15100531 - DICOM Corrects coming into Consult Listeners are showing
   as Radiology

Problem:
--------
Studies going to DICOM Correct are coming into the HDIG with Application
Entity Titles (AET) that are designated as Consults (CON) in the
Application Entity Security Matrix (AESM) and into a port that is
configured as Consult, but the Instrument Service Entry in the
ImporterWorkItemDetails.xml is radiology (RAD).

Resolution:
-----------
Whenever there was no accession number in the DICOM header of images, the
listeners were defaulted to Radiology.
The code has now been updated to check the listener and assign RAD or CON
appropriately when there is no accession number.

2. INC15239642 - HDIG is not accepting SOP Class
   1.2.840.10008.5.1.4.1.1.6
   This ticket is duplicated by INC16874313 - DICOM Importer III SOP
   Instance Failure.

Problem:
--------
The HDIG is not accepting SOP Class 1.2.840.10008.5.1.4.1.1.6. The SOP
Class is active in the listen file on the HDIG, but the HDIG is not
recognizing it.

Error from ImageExchangeWebApp.log

07 Dec 2020 09:40:32,649 ERROR [Thread-430002] (DicomDataSetImpl.java:868) - gov.va.med.imaging.dicom.dcftoolkit.common.impl.DicomDataSetImpl: Error or Exception: /nIOD Validation does not know this SOP Class: 1.2.840.10008.5.1.4.1.1.6
07 Dec 2020 09:40:32,649 ERROR [Thread-430002] (DoIODValidationImpl.java:119) - gov.va.med.imaging.dicom.dcftoolkit.storagescp.impl.DicomStorageSCPImpl: Exception thrown while validating object IOD. /nIOD Validation general problem.
07 Dec 2020 09:40:32,654 INFO [Thread-430002] (Listen.java:561) - Facade is ending an association on port 60500.

Resolution:
-----------
Added an entry for SOP Class 1.2.840.10008.5.1.4.1.1.6 in the
DicomIODDescriptionsSource.xml so that there is no IOD Validation error.

3. INC14754453 - HDIG web browser launch needs to accommodate for change
   in VA policy from IE

Problem:
--------
A VA policy change has gone into effect where Edge has become the default
browser. Microsoft is discontinuing support of Microsoft Internet
Explorer. We need to make sure our applications and web pages (status
pages, home page, web app log page files, etc.) can launch as intended in
the other supported browsers.

From TRM (https://trm.oit.domain.ext/ToolPage.aspx?tid=16):

Microsoft Internet Explorer (IE) is a graphical web browser developed by
Microsoft and an integrated component of Windows operating systems.
Microsoft is phasing out IE in favor of Edge and no new enhancements are
planned for IE as of this writing.
Users are strongly encouraged to migrate their use of IE to other approved
VA browser solutions that have planned enhancements. On August 17, 2020,
Microsoft published a timeline indicating that Microsoft Teams will stop
supporting Internet Explorer 11 on November 30, 2020 whereas Microsoft 365
products will end Internet Explorer 11 support on August 17, 2021. IE 11
remains supported for other uses.

And from the Microsoft Edge Bulletin:

Microsoft Edge Bulletin No. 1
August 11 2020
BLUF: In July, the Office of Information and Technology (OIT) upgraded the
version of Edge that is installed on our Windows 10 Department of Veterans
Affairs (VA) computers in accordance with current VA change management and
Action Item processes. Future actions include changing the VA's default
web browser from the aging Internet Explorer 11 (IE11) to the new,
Chromium-based Edge. The schedule for this change is currently being
vetted by stakeholders and will be determined based on the testing results
of accessing VA web sites and other related web pages across the
Enterprise.

Resolution:
-----------
Removed basic authentication and implemented form-based authentication by
creating a new custom login page for users to enter their credentials.

Adaptive Maintenance Tracking System Ticket(s) & Overview:
----------------------------------------------------------
1. HDIG Fortify Scan Remediation
   This is duplicated by HDIG Fortify Software Assurance Application (SWA)
   approval.

Description:
------------
The Fortify Scan recommendation is to fix the issues related to
Cross-Site Scripting, Weak Encryption, Insecure Randomness, Unreleased
Resource: Sockets, Dynamic Code Evaluation: Unsafe Deserialization, Null
Dereference, Unreleased Resource: Streams, Race Condition: Singleton
Member Field, and Unreleased Resource: Synchronization.

Resolution:
-----------
As part of the Fortify Scan Remediation, the JavaScript code has been
updated to execute in "strict mode."
A try-with-resources statement has been applied to ensure each resource is
closed at the end of the statement execution.

During testing of MAG*3.0*302, it was found that the changes to encryption
caused a significant degradation in performance. To remediate, the data
encryption was removed from the Java logging and the log level was changed
from Debug to Info in the log4j2.xml.

2. HDIG Log4j Mitigation - v2.17.0

Description:
------------
The HDIG uses the Java-based logging library Log4j, and a series of
vulnerabilities that require mitigation have been identified in this
utility.

Resolution:
-----------
Update Java components to address security vulnerabilities in the Apache
Log4j processes on affected production HDIG servers. The Log4j components
listed below will be updated from version 1.2.14 to version 2.17.0 via the
manual deployment process that is included in the delivery package:

   log4j-api-2.17.0.jar
   log4j-core-2.17.0.jar
   log4j-slf4j-impl-2.17.0.jar

Test Sites:
-----------
VA Puget Sound Health Care System - Seattle Division (Seattle, WA)
Central Texas Veterans Health Care System (Temple, TX)

Software and Documentation Retrieval Instructions:
--------------------------------------------------
The software for this patch can be installed by following the installation
guide: VistA Imaging Hybrid DICOM Image Gateway Installation Guide

The host file is available at the following location:
/srv/vista/patches/SOFTWARE/MAG3_0P302.KID

Other Software Files:
This release also includes other software files. These files can be
obtained by accessing the URL:
https://download.vista.domain.ext/index.html/SOFTWARE.

File Title                             File Name
---------------------------------------------------------------------
Kernel Installation and                MAG3_0P302.KID
Distribution System (KIDS)
build for MAG*3.0*302
Hybrid DICOM Gateway                   MAG3_0P302_HDIG_SETUP.MSI
Installation File

Documentation Title                    File Name
---------------------------------------------------------------------
Patch Description for MAG*3.0*302      MAG3_0P302_PATCH_DESCRIPTION.PDF
Deployment, Installation, Back-Out,    MAG3_0P302_DIBORG.PDF
and Rollback Guide

Patch Installation:
-------------------

Supported Client Versions:
When MAG*3.0*302 is released, the list of supported versions of HDIG will
change:

Client Versions Supported:
--------------------------
3.0.302
3.0.273
3.0.257

Client Versions No Longer Supported:
------------------------------------
3.0.239
3.0.204
3.0.194

Pre/Post Installation Overview:
-------------------------------
MAG*3.0*302 must be installed on the VistA System and on 64-bit HDIG
servers. This patch must be installed by the compliance date.

All sites running VistA Imaging 3.0 must install the KIDS portion of this
patch. This patch can be loaded while the VistA Imaging System is active,
and users are on the system. Installing the MAG*3.0*302 KIDS takes 2-5
minutes.

There is a known issue when multiple Java versions are present on the
system for HDIG, so that configuration is not recommended:

- For a fresh installation, remove all installed Java applications before
  the installation of MAG*3.0*302.
- Verify that the patches listed in the Associated Patches section of this
  document have been previously installed.

To avoid losing configuration changes, sites with a modified HDIG Listen
file will need to save a copy of the file before installing this patch.
After the installation is complete, restore the Listen file and restart
the Tomcat service.
Location of Listen file: C:\DCF_RunTime_x64\cfg\apps\defaults

To avoid losing configuration changes in the
PeriodicCommandsConfiguration.config file, sites with a modified
PeriodicCommandsConfiguration.config file will need to save a copy of the
file before installing this patch. The location of the
PeriodicCommandsConfiguration.config file is here: C:\VixConfig.

Installation Instructions:
--------------------------
1. Use the Load a Distribution option contained on the Kernel Installation
   and Distribution System Menu to load the Host file. When prompted to
   "Enter a Host File:" enter /srv/vista/patches/SOFTWARE/MAG3_0P302.KID

2. From the Kernel Installation and Distribution System Menu, select the
   Installation Menu. From this menu:

   A. Select the Verify Checksums in Transport Global option to confirm
      the integrity of the routines that are in the transport global. When
      prompted for the INSTALL NAME, enter the patch or build name
      (ex. MAG*3.0*302).

   B. Select the Backup a Transport Global option to create a backup
      message of any routines and the build for this patch. It will not
      back up any other changes such as Data Dictionaries (DDs) or
      templates.

   C. You may also elect to use the following options:

      i.  Print Transport Global - This option will allow you to view the
          components of the KIDS build.
      ii. Compare Transport Global to Current System - This option will
          allow you to view all changes that will be made when this patch
          is installed. It compares all components of this patch, such as
          routines, DDs, templates, etc.

   D. Select the Install Package(s) option and choose the patch to
      install.

      i.   If prompted 'Want KIDS to Rebuild Menu Trees Upon Completion of
           Install?,' answer NO.
      ii.  If prompted 'Want KIDS to INHIBIT LOGONs during the install?,'
           answer NO.
      iii. If prompted 'Want to DISABLE Scheduled Options, Menu Options,
           and Protocols?,' answer NO.

KIDS Installation Example:
--------------------------
Select Installation Option: 6  Install Package(s)
Select INSTALL NAME: MAG*3.0*302     11/19/20@10:14:39
     => VistA Imaging 3.0 - Patch 302  ;Created on Nov 09, 2020@20:45:05

This Distribution was loaded on Nov 19, 2020@10:14:39 with header of
   VistA Imaging 3.0 - Patch 302  ;Created on Nov 09, 2020@20:45:05
   It consisted of the following Install(s):
    MAG*3.0*302
Checking Install for Package MAG*3.0*302

Install Questions for MAG*3.0*302

Want KIDS to INHIBIT LOGONs during the install? NO//
Want to DISABLE Scheduled Options, Menu Options, and Protocols? NO//

Enter the Device you want to print the Install messages.
You can queue the install by enter a 'Q' at the device prompt.
Enter a '^' to abort the install.

DEVICE: HOME//   HERE

 Install Started for MAG*3.0*302:
               Nov 19, 2020@10:14:53

Build Distribution Date: Nov 09, 2020

 Installing Routines:...
               Nov 19, 2020@10:14:53

 Running Post-Install Routine: POS^MAGIP302.

Post Install Mail Message: Nov 19, 2020@10:14:53

 Updating Routine file......

 Updating KIDS files.......

 MAG*3.0*302 Installed.
               Nov 19, 2020@10:14:53

Installing and Updating the HDIG:
---------------------------------
For installing or updating the HDIG, refer to the VistA Imaging Hybrid
DICOM Image Gateway Installation Guide.

Post-Installation Instructions:
-------------------------------
N/A

Back-Out/Roll Back Plan:
------------------------
Please refer to the Deployment, Implementation, Back-Out and Rollback
Guide (MAG3_0P302_DIBORG.PDF) for Client Installation instructions.

Uninstalling the Application:
-----------------------------
After uninstalling MAG*3.0*302, due to the change in the encryption
algorithm, the existing ImagingExchangeWebApp.log and ImagingDCFApp.log
should be renamed, so that the new installation will start fresh logs.
Both log files are located at
C:\Program Files\Apache Software Foundation\Tomcat 9.0\logs.

For installing or updating the HDIG, refer to the Hybrid DICOM Image
Gateway (HDIG) Installation Guide (Previous Patch: MAG*3.0*273 (SMB1 and
SMB2 support) or MAG*3.0*330 (SMB1 support only)).

KIDS Uninstall:
---------------
If it is necessary to uninstall the MAG*3.0*302 VistA KIDS, select the
Kernel Installation & Distribution System menu option, Backup a Transport
Global (see Installation Steps section; step 2-B must be done before
installing the patch).

Administrators will need to use the PackMan function INSTALL/CHECK
MESSAGE. Check the MailMan messages for the backup message sent by the
Backup a Transport Global function executed prior to the patch install.

1. Select the message shown below:
   Backup of MAG*3.0*302 install on
   And/Or
   Backup of MAG*3.0*302 install on Routines Only
2. Select the Xtract PackMan option.
3. Select the Install/Check Message option.
4. Enter Yes at the prompt.
5. Enter No at the backup prompt. There is no need to back up the backup.

Enter message action (in IN basket): Ignore// Xtract PackMan
Select PackMan function: ?
    Answer with PackMan function NUMBER, or NAME
   Choose from:
   1            ROUTINE LOAD
   2            GLOBAL LOAD
   3            PACKAGE LOAD
   4            SUMMARIZE MESSAGE
   5            PRINT MESSAGE
   6            INSTALL/CHECK MESSAGE
   7            INSTALL SELECTED ROUTINE(S)
   8            TEXT PRINT/DISPLAY
   9            COMPARE MESSAGE

Select PackMan function:
Select PackMan function: 6  INSTALL/CHECK MESSAGE

Warning:  Installing this message will cause a permanent update of globals
and routines.
Do you really want to do this? NO// YES

Routines are the only parts that are backed up.  NO other parts
are backed up, not even globals.  You may use the Summarize Message
option of PackMan to see what parts the message contains.
Those parts that are not routines should be backed up separately
if they need to be preserved.

Shall I preserve the routines on disk in a separate back-up message? YES// NO
No backup message built.

Line 2    Message #43934    Unloading Routine   MAGXXXX (PACKMAN_BACKUP)

Select PackMan function:
Select PackMan function:

VistA KIDS Checksums:
---------------------
This section lists modified routines for the VistA KIDS build. For each
routine, the second line will contain the following information:

;;3.0;IMAGING;** [Patch List]**;**;Mar 19, 2002;Build 4

CHECK1^XTSUMBLD is used to generate the checksums.

Routine Checksums:
------------------
Routine     Checksum Before    Checksum After    Patch List
-------     ---------------    --------------    -----------
MAGIP302    New                4110362           **302**

Routine MAGIP302 is an installation routine that is automatically deleted
after the KIDS installation.

Routine Information:
====================
No routines included.

=============================================================================
User Information:
Entered By  : JR                            Date Entered  : FEB 02, 2021
Completed By:                               Date Completed: JUN 03, 2022
Released By :                               Date Released : JUN 06, 2022
=============================================================================

Packman Mail Message:
=====================

No routines included
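
Added example (not part of the VA delivery package or this patch): a post-install check for the Log4j resolution described above, which flags any log4j*.jar other than the three 2.17.0 files listed and reports listed files that are absent. The default scan root is an assumption, taken as the parent of the Tomcat log directory named under "Uninstalling the Application".

```powershell
# Added example: inventory Log4j jars on an HDIG server after MAG*3.0*302.
param(
    # Assumption: Tomcat root inferred from the log directory named in this document.
    [string]$Root = 'C:\Program Files\Apache Software Foundation\Tomcat 9.0'
)
Add-Type -AssemblyName System.IO.Compression.FileSystem

# The three jars listed in the Log4j resolution of this patch description.
$expected = 'log4j-api-2.17.0.jar', 'log4j-core-2.17.0.jar', 'log4j-slf4j-impl-2.17.0.jar'

function Get-ManifestVersion {
    param([string]$JarPath)
    # A jar is a zip archive; return Implementation-Version from its manifest, or $null.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($JarPath)
    try {
        $entry = $zip.GetEntry('META-INF/MANIFEST.MF')
        if ($null -eq $entry) { return $null }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }
        if ($text -match '(?m)^Implementation-Version:\s*(\S+)') { return $Matches[1] }
        return $null
    } finally { $zip.Dispose() }
}

$jars = @(Get-ChildItem -LiteralPath $Root -Recurse -File -Filter 'log4j*.jar' -ErrorAction SilentlyContinue)

$report = foreach ($jar in $jars) {
    try { $version = Get-ManifestVersion -JarPath $jar.FullName } catch { $version = 'unreadable' }
    if ($expected -notcontains $jar.Name) { $status = 'STALE' }            # e.g. a leftover 1.2.14 jar
    elseif ($version -and $version -ne '2.17.0') { $status = 'MISMATCH' }  # file name and manifest disagree
    else { $status = 'ok' }
    [pscustomobject]@{ Status = $status; ManifestVersion = $version; Path = $jar.FullName }
}

$names   = @($jars | Select-Object -ExpandProperty Name)
$missing = @($expected | Where-Object { $names -notcontains $_ })

$report | Sort-Object Status, Path | Format-Table -AutoSize -Wrap
if ($missing.Count) { Write-Warning ("Expected jar(s) not found: " + ($missing -join ', ')) }

# Non-zero exit when anything needs attention, so the check can gate a deployment script.
$bad = @($report | Where-Object { $_.Status -ne 'ok' })
if ($bad.Count -or $missing.Count) { exit 1 }
```

Jars packed inside an unexpanded .war file are not inspected; run the check after Tomcat has started once, or point -Root at the directory where the archive has been extracted.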