=============================================================================
Run Date: MAY 02, 2023                    Designation: PRPF*4*7
Package : PRPF - INTEGRATED PATIENT FUNDS     Priority: Mandatory
Version : 4        SEQ #7                       Status: Released
                                       Compliance Date: JUN 01, 2023
=============================================================================

Subject: VPFS - Fortify Findings Remediation

Category:
  - Informational

Description:
============

This patch addresses the following issues identified by the Fortify scan:

  Library                         | Number of CVEs
  =================================================
  commons-beanutils.jar           | 2
  commons-collections-3.1.jar     | 2
  commons-fileupload.jar          | 5
  commons-httpclient-2.0.1.jar    | 1
  esapi-2.1.0.jar                 | 1
  jaxen-core.jar                  | 1
  jstl.jar                        | 1
  standard.jar                    | 1
  struts.jar                      | 24
  wlclient.jar                    | 6

The identified libraries were replaced by their TRM-approved versions. In
addition, the Struts framework was upgraded to version 1.3.10.

Jars removed by this patch:
---------------------------
  commons-beanutils.jar
  commons-collections-3.1.jar
  commons-fileupload.jar
  commons-httpclient-2.0.1.jar
  commons-resources.jar
  commons-services.jar
  commons-lang.jar
  commons-logging.jar
  standard.jar
  jaxen-core.jar
  jstl.jar
  jaxen-dom.jar
  struts.jar
  wlclient.jar

Jars added by this patch:
---------------------------
  commons-beanutils-1.9.4.jar
  commons-chain-1.2.jar
  commons-collections4-4.4.jar
  commons-digester-1.8.jar
  commons-fileupload-1.3.3.jar
  commons-logging-1.2.jar
  commons-net-3.9.0.jar
  commons-pool-1.2.jar
  commons-validator-1.7.jar
  esapi-2.4.0.0.jar
  jaxen-2.0.0.jar
  struts-core-1.3.10.jar
  struts-extras-1.3.10.jar
  struts-taglib-1.3.10.jar
  struts-tiles-1.3.10.jar
  taglibs-standard-impl-1.2.5.jar

In addition, some of the dependent libraries were moved into the
/external-libs folder, to be deployed as Shared Libraries on the
Application Server.
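The removed/added jar lists above are the only record of what this patch changes in the archive, so a WebLogic administrator will want to confirm that the deployed EAR actually matches them (no stale jar left behind by a partial redeploy, no TRM-approved replacement missing). The script below is an added example, not code from the patch or the VPFS project: it walks an EAR and any WAR nested inside it, and reports jars from the "removed" list that survive and jars from the "added" list that are absent. The archive layout it assumes (a `vpfs.war` inside the EAR, jars under `WEB-INF/lib`) and the sample archive built by `build_sample_ear()` are constructed here for illustration; run it against the real `vpfs-1.3.1.001.ear` to audit a deployment.

```python
"""Audit an EAR against the jar removal/addition lists in PRPF*4*7.

Added example, not part of the patch or the VPFS project.  Usage:

    python audit_vpfs_ear.py /path/to/vpfs-1.3.1.001.ear

With no argument it audits a constructed sample EAR that deliberately
keeps one stale struts.jar, so the STALE report path is exercised.
"""
import io
import sys
import zipfile

# Both sets are copied from the patch description's jar lists.
REMOVED_JARS = {
    "commons-beanutils.jar", "commons-collections-3.1.jar",
    "commons-fileupload.jar", "commons-httpclient-2.0.1.jar",
    "commons-resources.jar", "commons-services.jar", "commons-lang.jar",
    "commons-logging.jar", "standard.jar", "jaxen-core.jar", "jstl.jar",
    "jaxen-dom.jar", "struts.jar", "wlclient.jar",
}
ADDED_JARS = {
    "commons-beanutils-1.9.4.jar", "commons-chain-1.2.jar",
    "commons-collections4-4.4.jar", "commons-digester-1.8.jar",
    "commons-fileupload-1.3.3.jar", "commons-logging-1.2.jar",
    "commons-net-3.9.0.jar", "commons-pool-1.2.jar",
    "commons-validator-1.7.jar", "esapi-2.4.0.0.jar", "jaxen-2.0.0.jar",
    "struts-core-1.3.10.jar", "struts-extras-1.3.10.jar",
    "struts-taglib-1.3.10.jar", "struts-tiles-1.3.10.jar",
    "taglibs-standard-impl-1.2.5.jar",
}


def collect_jars(archive_bytes, prefix=""):
    """Return {path: basename} for every .jar in the archive, descending
    into nested .war/.ear archives.  Paths use '!/' as the nesting
    separator, e.g. 'vpfs.war!/WEB-INF/lib/struts.jar'."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            low = name.lower()
            if low.endswith(".jar"):
                found[prefix + name] = name.rsplit("/", 1)[-1]
            elif low.endswith((".war", ".ear")):
                found.update(collect_jars(zf.read(name), prefix + name + "!/"))
    return found


def audit_ear(ear_bytes):
    """Return (still_present, missing): paths of removed jars that are
    still inside the archive, and names of added jars found nowhere."""
    jars = collect_jars(ear_bytes)
    still_present = sorted(p for p, n in jars.items() if n in REMOVED_JARS)
    missing = sorted(ADDED_JARS - set(jars.values()))
    return still_present, missing


def build_sample_ear(include_stale=True):
    """Constructed sample (assumed layout): an EAR holding one WAR whose
    WEB-INF/lib carries the added jars, optionally plus a stale struts.jar
    that a partial redeploy might leave behind."""
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as w:
        for jar in sorted(ADDED_JARS):
            w.writestr("WEB-INF/lib/" + jar, b"")
        if include_stale:
            w.writestr("WEB-INF/lib/struts.jar", b"")
    ear = io.BytesIO()
    with zipfile.ZipFile(ear, "w") as e:
        e.writestr("META-INF/application.xml", b"<application/>")
        e.writestr("vpfs.war", war.getvalue())
    return ear.getvalue()


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_ear()
    still_present, missing = audit_ear(data)
    for path in still_present:
        print("STALE  ", path)
    for name in missing:
        print("MISSING", name)
    # Non-zero exit so the check can gate a deployment pipeline.
    return 1 if still_present or missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The check is deliberately name-based: it answers "does the archive match the patch's jar lists", not "is the archive free of vulnerable code", so a jar that was renamed but not actually updated would pass it. Pair it with a hash comparison against the TRM-approved artifacts if that stronger guarantee is needed.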
**************************************************************************
This is an informational only patch that will be released as a Veterans
Personal Financial System (VPFS) application update. Installation will be
performed by Martinsburg on a centralized server. No action is required
of VHA sites for this patch.

There is no server side (VistA PackMan or KIDS) part to the patch. There
are no client side (Windows executable) programs for VHA production
workstations.
**************************************************************************

Defect Tracking System Ticket(s) & Overview:

1. INC25335497 - 2022 Fortify Scan Compliance, analyze and resolve

   Problem:
   --------
   The Fortify composition scan for VPFS did not pass. Several dozen
   vulnerabilities and CWEs were identified, most of them in the Critical
   and High categories.

   Resolution:
   -----------
   The application's offending dependencies were removed. TRM was used as
   the authoritative source to identify the replacement libraries. The
   Struts web framework was upgraded to version 1.3.10.

Test Sites:
-----------
Houston (580)
Cleveland (541)

Software and Documentation Retrieval Instructions:
--------------------------------------------------
N/A

Other Software Files:

This release also includes other software files. They can be obtained at
location:

   /srv/vista/patches/SOFTWARE

Other software files can also be obtained by accessing the URL:

   https://download.vista.domain.ext/index.html/SOFTWARE

File Title                   File Name                Format
---------------------------------------------------------------------
VPFS Application Archive     vpfs-1.3.1.001.ear       Binary

Documentation describing the new functionality is included in this
release.

Documentation can be found on the VA Software Documentation Library at:
https://www.domain.ext/vdl/.

Documentation can also be obtained at
https://download.vista.domain.ext/index.html/SOFTWARE.
Documentation Title                  File Name
---------------------------------------------------------------------
VPFS Installation Guide              PRPF_4_7_Installguide.doc
  (WebLogic 12.2)
VPFS Backout Guide                   PRPF_4_7_BCKOUT.doc

Installation Instructions:
----------------------------------------------------------------------
******************************************************************
**  PLEASE NOTE: THERE IS NO INSTALLATION FOR THIS PATCH.       **
******************************************************************

Installation is performed by the administrator of the WebLogic server.
For instructions on installing on the WebLogic Server, please refer to
the VPFS Installation Guide.

Post-Installation Instructions:
-------------------------------
N/A

Back-Out/Roll Back Plan:
------------------------
Please refer to the VPFS Backout Guide.

Routine Information:
====================
No routines included.

=============================================================================
User Information:
Entered By  :                              Date Entered  : DEC 07, 2022
Completed By:                              Date Completed: MAY 01, 2023
Released By :                              Date Released : MAY 02, 2023
=============================================================================

Packman Mail Message:
=====================
No routines included