=============================================================================
Run Date: DEC 15, 2020                     Designation: PREN*3.1*3
Package : PREN - PHARMACY PRODUCT SYS-NATL Priority: Mandatory
Version : 3.1         SEQ #2               Status: Released
                  Compliance Date: JAN 14, 2021
=============================================================================

Subject: PPS-N 3.1 Initial Security Compliance INFORMATIONAL PATCH

Category:
  - Informational
  - Other

Description:
============

The Pharmacy Product System - National (PPS-N) is a Web-based application
that provides the ability to manage pharmacy-specific data across the VA
enterprise ensuring that all facilities are using the same base data for
their operations. It allows approved national VA personnel to easily,
quickly, and safely manage the VA National Formulary which directs which
products (such as medications and supplies) are to be purchased and used by
the VA hospital system.

PPS-N v3.1.0 release helps to bring the PPS-N application into compliance
with VA Security Standards.

Rational Task Id
-----------------
Number: 1243371

Problem
-----------
PPS-N application contains Java Enterprise components which are subject to
compliance with VA security and code quality standards to maintain
authority to operate (ATO). Routine Fortify scanning and remediation is
performed to maintain compliance. Patch PREN*3.1*3 was initiated to
identify and remediate security vulnerabilities and code quality issues in
the current Java code.

Resolution
-----------
The PPS-N 3.1.0 application code has been updated to comply with VA
Security and Code Quality Standards by remediating the PPS-N security
vulnerabilities. Using the Fortify scan report as guidance, the application
code has been scanned with the Fortify tool to identify security
vulnerabilities and code quality issues. Code fixes have been applied to
mitigate these findings and the application has been validated by the VA
Software Assurance Team to ensure compliance with the standards.

No application functionality has changed. All frameworks have been upgraded
to a compliant Technical Reference Model (TRM) for this informational patch
release.

The PPS-N application patch PREN*3.1*3 also addresses the ESAPI validator
defect which resulted in the rollback of patch PREN*3.1*1. The defect
resulted in the application inappropriately flagging special characters
when attempting to match NDCs, which resulted in a serious error. The ESAPI
validator filter has been refined to permit these characters while still
filtering out any truly malicious special characters that might introduce
vulnerabilities in input/output to the database. This new patch includes
all changes from PREN*3.1*1, plus resolution of this new defect.

Defect Tracking System Ticket(s) & Overview:
============================================

INC9689278 - PPS-N application failed to advance to the next series of
             CMOP IDs for supply products.

Problem
-----------
PPS-N application failed to advance to the next series of CMOP IDs for
supply products.

Resolution:
-----------
Update the portion of JAVA code to create the next series of CMOP IDs for
supply products. In order to advance to the next series of CMOP IDs, the
updated code logic will ensure that a CMOP ID is not already used in the
CMOP history table.

Test Sites:
-----------
User acceptance testing successfully completed by the Business Office.

Documentation and Software Retrieval
====================================

The PREN*3.1*3 Informational Patch is available on FORUM.

The PREN*3.1*3 documentation can be found on the VA Documentation Library
(VDL) at: https://www.domain.ext/vdl/

The documentation includes:

Title                                  File Name               FTP Mode
------------------------------------------------------------------------
PPS-N v3.1 Troubleshooting Guide       PREN_3_1_P3_TG.PDF      Binary
PPS-N v3.1 Deployment, Installation,
Backout & Rollback Guide (DIBORG)      PREN_3_1_P3_DIBR.PDF    Binary

Installation Instructions:
--------------------------
This is a Web Application JAVA Build. This is a Centralized Server
promotion. NO installation is required at Local sites.

Routine Information:
====================
No routines included.

=============================================================================
User Information:
Entered By  :                               Date Entered  : MAY 18, 2020
Completed By:                               Date Completed: DEC 14, 2020
Released By :                               Date Released : DEC 15, 2020
=============================================================================

Packman Mail Message:
=====================

No routines included