=============================================================================
Run Date: JUL 29, 2020                     Designation: XOBV*1.6*5
Package : XOBV - VISTALINK                    Priority: Mandatory
Version : 1.6       SEQ #4                      Status: Released
                                      Compliance Date: AUG 29, 2020
=============================================================================

Subject: JAVA TRM AND FORTIFY CHANGES

Category:
  - Informational

Description:
============

This is an informational-only patch and is bundled with the Veterans
Personal Finance System (VPFS) patch PRPF*4*4 and the Kernel
Authentication & Authorization for Java 2 Enterprise Edition (KAAJEE)
patches XU*8.0*694 and XU*8.0*696.

This VistALink patch, XOBV*1.6*5, addresses the Java codebase with
respect to the Technical Reference Model (TRM) and Fortify remediation.
There are no functionality or workflow changes.

Patch Components:
=================

Files & Fields Associated:

File Name (Number)    Field Name (Number)    New/Modified/Deleted
==================    ===================    ====================
N/A

Forms Associated:

Form Name    File #    New/Modified/Deleted
=========    ======    ====================
N/A

Mail Groups Associated:

Mail Group Name    New/Modified/Deleted
===============    =====================
N/A

Options Associated:

Option Name    Type    New/Modified/Deleted
===========    =====   ====================
N/A

Protocols Associated:

Protocol Name    New/Modified/Deleted
==============   =====================
N/A

Security Keys Associated:

Security Key Name
=================
N/A

Templates Associated:

Template Name    Type    File Name (Number)    New/Modified/Deleted
==============   =====   ==================    ====================
N/A

Additional Information:
N/A

New Service Requests (NSRs):
=============================
N/A

Patient Safety Issues (PSIs):
=============================
N/A

Defect Tracking System Ticket(s) & Overview:
============================================

1. Rational defect 762867 - TRM Code Changes

   Problem:
   ========
   After a review of the technologies used in VistALink 1.6, the
   following TRM components were upgraded:

   - Log4j libraries and API calls were upgraded to the 2.10 version
   - WebLogic Server JCA 1.5 supported specification
   - Java 1.7 upgrade

   Resolution:
   ===========
   The new Log4j libraries will be used in place of the old library.
   In addition, code changes have been made to support the new
   libraries.

2. Rational defect 762845 - Fortify Remediation

   Problem:
   ========
   After scanning the VistALink code base through Fortify Security and
   Code Quality, there were several hundred problems listed as Critical
   and High priority. These issues include the following:

   - Heap Inspection
   - Privacy Violation
   - Authentication
   - Insecure Randomness
   - Log Forging
   - Key Management
   - Null Dereference
   - Often Misused Boolean
   - Java Naming and Directory Interface (JNDI) Reference Injection
   - Resource Injection
   - Byte Array to String conversion
   - System Information Leak
   - Unreleased Resource
   - Java 2 Platform, Enterprise Edition (J2EE) Bad Practices: Sockets

   Resolution:
   ===========
   Updated and corrected all code that was flagged during the Fortify
   code scan; all issues have been resolved.

Test Sites:
===========
Edith Nourse Rogers Memorial Hospital (Bedford)
Northport VA Medical Center
Salem VA Medical Center

Documentation Retrieval Instructions:
=====================================

Documentation describing the new functionality is included in this
release.

Documentation can be found on the VA Software Documentation Library at:
https://www.domain.ext/vdl/.

Documentation can also be obtained at
https://download.vista.domain.ext/index.html/SOFTWARE

Title                                    File Name
==========================================================================
VistALink Release Notes                  VISTALINK_1_6_5_RN.PDF
VistALink System Management Guide        VISTALINK_1_6_5_SM.PDF
VistALink Developer Guide                VISTALINK_1_6_5_DG.PDF
VistALink Installation Guide             VISTALINK_1_6_5_IG.PDF

Patch Installation:
===================

No installation is required at local sites. Martinsburg performs the
patch installation on a centralized web server.

Pre/Post Installation Overview:
===============================
N/A

Pre-Installation Instructions:
==============================
N/A

Installation Instructions:
==========================

******************************************************************
**  PLEASE NOTE: THERE IS NO INSTALLATION FOR THIS PATCH.       **
******************************************************************

This informational patch, XOBV*1.6*5, is for the VISTALINK Java
component only. Installation is done by Martinsburg on a centralized
server. Please refer to the VistALink v1.6 System Management Guide for
more details.

Back-Out Plan:
==============

A back-out plan will be sent to Martinsburg and attached to the
installation Change Order (CO) found in the VistALink Install Guide.

Routine Information:
====================
No routines included.

=============================================================================
User Information:
Entered By  :                             Date Entered  : JUN 20, 2018
Completed By:                             Date Completed: JUL 28, 2020
Released By :                             Date Released : JUL 29, 2020
=============================================================================

Packman Mail Message:
=====================
No routines included