=============================================================================
Run Date: AUG 28, 2024                       Designation: WEBP*1*41
Package : WEBP - PATIENT CENTERED MANAGEMENT     Priority: Mandatory
Version : 1         SEQ #40                        Status: Released
                                         Compliance Date: SEP 28, 2024
=============================================================================

Subject: PCMM WEB DEFECT AND SECURITY SCAN REMEDIATION V

Category:
  - Other
  - Informational

Description:
============

The purpose of this patch is to remediate defects and security scan
findings and to add tools for troubleshooting. It addresses four issues,
two of which are defects and two of which are adaptive maintenance.

Defects:
--------
1. PCMMW-759 - Address 508 Compliance Issue: Note 11, Defect 11: High -
   Content is not properly encoded and causes assistive technology to
   convey incorrect information.

2. PCMMW-1748 - Fix creation of erroneous orphaned MultiPCP requests.

Adaptive Maintenance:
---------------------
1. PCMMW-1908 - Fortify scan security issues: Medium: Cross-Site
   Scripting: Poor Validation.

2. PCMMW-1909 - Fortify scan security issues: Medium: Dynamic Code
   Evaluation: Unsafe Deserialization.

Patch Components:
-----------------

Files & Fields Associated:

File Name (Number)         Field Name (Number)         New/Modified/Deleted
------------------         -------------------         --------------------
N/A

Forms Associated:

Form Name                  File Number                 New/Modified/Deleted
---------                  -----------                 --------------------
N/A

Mail Groups Associated:

Mail Group Name            New/Modified/Deleted
---------------            --------------------
N/A

Options Associated:

Option Name                Type                        New/Modified/Deleted
-----------                ----                        --------------------
N/A

Protocols Associated:

Protocol Name              New/Modified/Deleted
-------------              --------------------
N/A

Security Keys Associated:

Security Key Name
-----------------
N/A

Templates Associated:

Template Name   Type   File Name (Number)   New/Modified/Deleted
-------------   ----   ------------------   --------------------
N/A

Remote Procedures Associated:

Remote Procedure Name      New/Modified/Deleted
---------------------      --------------------
N/A

Parameter Definitions Associated:

Parameter Name             New/Modified/Deleted
--------------             --------------------
N/A

Additional Information:
-----------------------
N/A

New Service Requests (NSRs):
N/A

Patient Safety Issues (PSIs):
N/A

Defect Tracking System Ticket(s) & Overview:
--------------------------------------------
1. PCMMW-759 - Address 508 Compliance Issue: Note 11, Defect 11: High -
   Content is not properly encoded and causes assistive technology to
   convey incorrect information.

   Problem:
   --------
   On the Create a New Team | PCMM screen (Submit (CHYSHR (#983)) ->
   Teams -> Create a Team), the radio buttons are not read correctly by
   assistive technology. When Tab is used to move the focus to the radio
   buttons, "Patient Capacity group Assignment Status: * Open radio
   button checked 1 of 1" is read. This incorrectly conveys that this is
   the only radio button in the group.
   (New: 07/12/2022)

   Resolution:
   -----------
   JAWS was not reading the radio button correctly because a tooltip
   interrupted it. The tooltip was reconfigured so the buttons are now
   properly grouped and read out.

2. PCMMW-1748 - Fix creation of erroneous orphaned MultiPCP requests.

   Problem:
   --------
   When a batch move is performed from one team to another and the
   patient assignment already has a multi-PACT attached, the move should
   not create a new multi-PACT request. All the erroneous multi-PACT
   requests that are not properly attached to a team assignment need to
   be eventually cleaned out.

   Resolution:
   -----------
   Updated the mass reassignment code to re-attach the existing
   multi-PACT to the new assignment instead of creating a new multi-PACT
   that is later orphaned. Created cleanup scripts to be run at a later
   date per the SMEs' direction.

Adaptive Maintenance Tracking System Ticket(s) & Overview:
----------------------------------------------------------
1. PCMMW-1908 - Fortify scan security issues: Medium: Cross-Site
   Scripting: Poor Validation

   Problem:
   --------
   A user may inject attack code into call parameters and perform an
   indirect attack.

   Resolution:
   -----------
   Added input validation and enabled HTML entity encoding of the
   affected parameters to prevent injection.

2. PCMMW-1909 - Fortify scan security issues: Medium: Dynamic Code
   Evaluation: Unsafe Deserialization

   Problem:
   --------
   A user may supply a crafted binary class representation that invokes
   arbitrary code execution on deserialization.

   Resolution:
   -----------
   Changed the object stream implementation to one that verifies the
   class before deserialization finishes, confirming that the class is
   the expected one, per the Fortify recommendation.
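The PCMMW-1908 resolution names two controls, validation and HTML entity encoding. The following is an added example, not PCMM Web code, of what those controls look like for a single reflected parameter: the vulnerable concatenation beside its encoded form, plus a reject-on-mismatch validator. The class name, the team-id format (1 to 10 digits) and the sample payload are assumptions made for the example.

```java
import java.util.regex.Pattern;

/**
 * Added example, not PCMM Web code: validating a call parameter against an
 * allow-list and entity-encoding it before it is reflected into HTML, which
 * is the shape of fix the PCMMW-1908 resolution describes.
 */
public final class ParamHardening {

    // Hypothetical validation rule: a team identifier is 1 to 10 digits.
    private static final Pattern TEAM_ID = Pattern.compile("^[0-9]{1,10}$");

    /** Vulnerable form: the raw parameter is concatenated into the page. */
    public static String renderUnsafe(String teamName) {
        return "<h1>Team: " + teamName + "</h1>";
    }

    /** Hardened form: the same output, with the value entity-encoded first. */
    public static String renderSafe(String teamName) {
        return "<h1>Team: " + htmlEncode(teamName) + "</h1>";
    }

    /**
     * Encodes the characters that can terminate HTML text or an attribute
     * value. Encoding at the output sink, not at input, keeps the stored
     * value intact while making it inert in HTML.
     */
    public static String htmlEncode(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Validation: reject a value that is not a plain team id rather than "cleaning" it. */
    public static String requireTeamId(String raw) {
        if (raw == null || !TEAM_ID.matcher(raw).matches()) {
            throw new IllegalArgumentException("teamId failed validation");
        }
        return raw;
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for a tampered request parameter.
        String payload = "<script>alert(document.cookie)</script>";
        System.out.println(renderUnsafe(payload)); // the script element reaches the browser intact
        System.out.println(renderSafe(payload));   // the same text, now rendered as literal characters

        System.out.println(requireTeamId("983"));
        try {
            requireTeamId("983<img src=x onerror=alert(1)>");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Validation and encoding address different things and both are needed: validation narrows values that have a known shape (an id), while encoding protects free-text values (a team name) that legitimately contain characters such as `&`. Encoding belongs at the HTML sink; a value written into a JavaScript string, a URL or an attribute needs the encoder for that context instead.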
Test Sites:
-----------
Memphis VA Medical Center (Memphis, TN)
VA Montana Health Care System (Ft. Harrison, Miles City)

SNOW Change Order #:
--------------------
CHG0513941 - Centralized Servers - Austin Information Technology Center,
Austin, TX

Software and Documentation Retrieval Instructions:
--------------------------------------------------
PCMM Web patch WEBP*1*41 is a centrally managed web-based application
and will be implemented and deployed to a central web server. Sites do
not need to download any file for the patch installation.

Documentation describing the new functionality is included in this
release. Documentation can be found on the VA Software Documentation
Library at:

   https://www.domain.ext/vdl/

Documentation can also be obtained at:

   https://download.vista.domain.ext/index.html/SOFTWARE

Documentation Title                       File Name
---------------------------------------------------------------------
Deployment, Installation, Back-Out,       WEBP_1.0_41_DIBRG.DOCX
and Rollback Guide                        WEBP_1.0_41_DIBRG.PDF

Other Software Files:
---------------------
This release also includes other software files. Other software files
can be obtained by accessing the URL:

   https://download.vista.domain.ext/index.html/SOFTWARE

File Name                                 Description
--------------------------------------------------------
PCMMR_EAR-1.41.03.EAR                     Installation file
PCMMR_UNATTENDED_EAR-1.41.03.EAR          Installation file

Patch Installation:
===================
PCMM Web patch WEBP*1*41 is a centrally managed web-based application
and will be implemented and deployed to a central web server. No
installation is required by sites.

Pre/Post Installation Overview:
-------------------------------
N/A

Pre-Installation Instructions:
------------------------------

Installation Instructions:
--------------------------
******************************************************************
** PLEASE NOTE: THERE IS NO INSTALLATION FOR THIS PATCH.        **
******************************************************************

This informational patch, WEBP*1.0*41, is for PCMM Web. Installation is
done on a centralized server. Please refer to WEBP_1.0_41_DIBRG.PDF for
more details.

Post-Installation Instructions:
-------------------------------
N/A

Back-Out Plan:
--------------
The back-out plan is provided as part of the deployment guide, the
Deployment, Installation, Back-Out, and Rollback Guide
(WEBP_1.0_41_DIBRG.PDF).

Routine Information:
====================
No routines included.

=============================================================================
User Information:
Entered By  :                            Date Entered  : AUG 05, 2024
Completed By:                            Date Completed: AUG 28, 2024
Released By :                            Date Released : AUG 28, 2024
=============================================================================
Packman Mail Message:
=====================
No routines included