=============================================================================
Run Date: JUL 29, 2020                     Designation: PRPF*4*4
Package : PRPF - INTEGRATED PATIENT FUNDS  Priority: Mandatory
Version : 4        SEQ #4                  Status: Released
                                           Compliance Date: AUG 29, 2020
=============================================================================

Subject: VPFS SINGLE SIGN ON/2FA IMPLEMENTATION

Category:
  - Informational

Description:
============

Veterans Personal Finance System (VPFS) patch PRPF*4*4 implements two-factor
authentication (2FA). The following are also upgraded:

  * the application server, from WebLogic 8 to WebLogic 10.3.6
  * the operating system (OS), to enterprise Linux 6/7+
  * Technical Reference Model (TRM)-driven application and database upgrades
    (Log4j 2.10, Oracle 11g)
  * Fortify-identified security and code quality fixes to the VPFS codebase

This is an informational-only patch and is bundled with the Kernel
Authentication & Authorization for Java 2 Enterprise Edition (KAAJEE)
patches XU*8.0*694 and XU*8.0*696, and the VistALink patch XOBV*1.6*5.

NOTE: This implementation of 2FA upgrades VPFS from Access and Verify codes
to the new Single Sign-On Internal (SSOI) Personal Identification
Verification (PIV) login. All current VPFS users *MUST* be appropriately
provisioned in the SSOI system for each of their corresponding VPFS VistA
stations.
Patch Components:
=================

JARs added to VPFS in the patch:
  * pslWeb_4.0.4.4.jar
  * esapi.jar
  * log4j-api-2.10.0.jar
  * log4j-core-2.10.0.jar
  * struts1filter-1.0.0.jar

JARs removed from VPFS in the patch:
  * log4j-1.2.8.jar

Properties files added:
  * ESAPIValidation.properties
  * ESAPIValidator.properties

Java Development Kit (JDK) upgraded:
  * Removed JDK 1.4
  * Added JDK 1.7.0_251

WebLogic upgraded:
  * Removed WebLogic 8.1
  * Added WebLogic 10.3.6

Files & Fields Associated:

File Name (Number)   Field Name (Number)   New/Modified/Deleted
------------------   -------------------   --------------------
N/A

Forms Associated:

Form Name   File #   New/Modified/Deleted
---------   ------   --------------------
N/A

Mail Groups Associated:

Mail Group Name   New/Modified/Deleted
---------------   --------------------
N/A

Options Associated:

Option Name   Type   New/Modified/Deleted
-----------   ----   --------------------
N/A

Protocols Associated:

Protocol Name   New/Modified/Deleted
-------------   --------------------
N/A

Security Keys Associated:

Security Key Name
-----------------
N/A

Templates Associated:

Template Name   Type   File Name (Number)   New/Modified/Deleted
-------------   ----   ------------------   --------------------
N/A

Additional Information:
-----------------------
N/A

New Service Requests (NSRs):
----------------------------
N/A

Patient Safety Issues (PSIs):
-----------------------------
N/A

Defect Tracking System Ticket(s) & Overview:
============================================

1. Rational Defect 733360 - Fortify Scan & Remediation & Testing - VPFS

Problem:
--------
Address the Fortify Secure Code and Code Quality security findings in VPFS.
The issues found are listed below:
  * Cross-Site Scripting Reflected
  * Cross-Site Scripting Persistent
  * SQL Injection
  * Password Management
  * Header Manipulation: SMTP
  * Path Manipulation
  * Privacy Violation
  * Access Control: Database
  * Access Specifier Manipulation
  * Dynamic Code Evaluation
  * File Disclosure
  * Log Forging
  * Null Dereference
  * Poor Error Handling
  * Portability Flaw
  * System Information Leak
  * Unreleased Resource

Resolution:
-----------
Enable two-factor authentication for the VPFS application.

Implement the Open Web Application Security Project (OWASP) Enterprise
Security Application Programming Interface (ESAPI) to address the issues
found by the vulnerability scanning tool Fortify. The API is used to
validate data and Uniform Resource Locators (URLs) exchanged between VPFS
and a user's browser. This Fortify remediation will also improve the
overall reliability of the application. In addition, several code fixes
and remediations were made in VPFS to better secure the application.

2. Rational Defect 733887 - TRM Upgrade - VPFS

Problem:
--------
Several components within VPFS were found to be non-compliant with the VA
TRM, which includes the Standards Profile and Product List and serves as a
technology roadmap and tool supporting the Office of Information and
Technology (OIT).

Resolution:
-----------
Certain VPFS components were upgraded to comply with VA TRM standards,
including:
  * WebLogic 8.1 upgraded to WebLogic 10.3.6
  * Oracle 11g upgraded to Oracle 11.2/12
  * J2EE 1.3 upgraded to J2EE 1.8
  * JDK 1.3 upgraded to JDK 1.7
  * Log4j 1.2 upgraded to Log4j 2.10.0
  * VistALink 1.5.2 upgraded to VistALink 1.6.1.010

Test Sites:
===========
Edith Nourse Rogers Memorial Veterans Hospital (Bedford)
Northport VA Medical Center
Salem VA Medical Center

Documentation Retrieval Instructions:
=====================================
Documentation describing the new functionality is included in this release.
Documentation can be found on the VA Software Documentation Library at:
https://www.domain.ext/vdl/

Documentation can also be obtained at:
https://download.vista.domain.ext/index.html/SOFTWARE

The following documents have been updated/added with the release of this
patch:

FTP Mode: Binary

Document Title                           File Name
-------------------------------------------------------------------
VPFS System Management Guide 1.2.0       VPFS_SYSTEMS_MANAGEMENT_GUIDE.PDF
VPFS Install Guide 1.2.0                 VPFS_INSTALL_GUIDE.PDF
VPFS User Guide 1.2.0                    VPFS_USER_GUIDE.PDF
VPFS Release Notes 1.2.0                 PRPF_4_4_RELEASE_NOTES.PDF
VistAMigration Users Guide               VISTAMIGRATE_1_DATAMIGRATIONGUIDE.PDF
PFOP Data Diagnostics Patch User Guide   PRPF_DATAMIGRATIONPATCHUSERGUIDE.PDF

Pre-Installation Instructions:
==============================
N/A

Installation Instructions:
==========================
VPFS is a Java-based web application build. This is a centralized-server
promotion; no installation is required at local sites.

Post-Installation Instructions:
===============================
N/A

Back-Out Plan:
==============
A back-out plan will be sent to Martinsburg and attached to the installation
change order (CO) in a separate document.

Routine Information:
====================
No routines included.

=============================================================================
User Information:
Entered By  :                               Date Entered  : APR 11, 2017
Completed By:                               Date Completed: JUL 28, 2020
Released By :                               Date Released : JUL 29, 2020
=============================================================================
Packman Mail Message:
=====================
No routines included
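As an added illustration of the ESAPI-based remediation described under Rational Defect 733360 above (example code written for this page, not VPFS's own source): a small helper showing how a servlet would validate a request parameter and a redirect URL with ESAPI and encode output before reflecting it, covering the Cross-Site Scripting, SQL Injection, Log Forging and Poor Error Handling categories in the findings list. The class and method names are assumptions; the rule name "SafeString" and the redirect rule are ESAPI's defaults from ESAPI.properties, and the VPFS-specific rules in ESAPIValidation.properties/ESAPIValidator.properties are not part of the patch text.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

// Added example, not VPFS code. Class/method names are assumptions; the
// "SafeString" and redirect rules are ESAPI defaults, not the VPFS ones.
public final class VpfsInputGuard {

    /** Result of validating one request parameter: a safe value or a rejection. */
    public static final class Outcome {
        public final boolean accepted;
        public final String value;   // canonicalized, rule-validated input (null if rejected)
        Outcome(boolean accepted, String value) { this.accepted = accepted; this.value = value; }
    }

    /**
     * XSS (Reflected/Persistent) and SQL Injection: whitelist-validate the raw
     * parameter BEFORE it reaches a query or a page. getValidInput canonicalizes
     * first, so percent/entity-encoded bypass attempts are normalized away.
     */
    public static Outcome validateParam(String context, String raw, int maxLen) {
        try {
            String safe = ESAPI.validator().getValidInput(context, raw, "SafeString", maxLen, false);
            return new Outcome(true, safe);
        } catch (ValidationException | IntrusionException e) {
            // Poor Error Handling: reject with a generic outcome, never echo the input
            return new Outcome(false, null);
        }
    }

    /** Reflected XSS: encode anything echoed back into HTML, even after validation. */
    public static String forHtml(String validated) {
        return ESAPI.encoder().encodeForHTML(validated);
    }

    /**
     * URLs exchanged with the browser: a redirect target must match the redirect
     * rule ESAPI reads from its properties, otherwise a fixed fallback is used.
     */
    public static String safeRedirect(String raw, String fallback) {
        try {
            return ESAPI.validator().getValidRedirectLocation("returnUrl", raw, false);
        } catch (ValidationException | IntrusionException e) {
            return fallback;
        }
    }

    /** Log Forging: strip CR/LF so a user-supplied value cannot fabricate extra log lines. */
    public static String forLog(String raw) {
        return raw == null ? "" : raw.replaceAll("[\\r\\n]", "_");
    }
}
```

Because ESAPI's rejection path throws on the first failed rule, the value returned from validateParam is the only one a query or page should ever see; the raw parameter stays confined to the validator call.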