=============================================================================
Run Date: JUL 29, 2020                        Designation: XU*8*696
Package : XU - KERNEL                            Priority: Mandatory
Version : 8        SEQ #573                        Status: Released
                                         Compliance Date: AUG 29, 2020
=============================================================================

Subject: KAAJEE SSPI TRM AND FORTIFY REMEDIATION CHANGES

Category:
  - Informational

Description:
============

This KAAJEE patch, XU*8*696, includes changes for Technical Reference
Model (TRM) upgrades to WebLogic Server 10.3.6 (minimum) - WL 12c
(12.1.2), Log4j 2.1, Java 1.7 (minimum), Apache Commons 4.1, Apache
Commons Pool 2.5, and Apache Commons DBCP 2.3.

There are several dozen changes for Fortify Scanning Remediation. Fortify
changes include: correcting Null Dereferences, Security Issues, and
Releasing Resources.

This is an informational only patch and is bundled with the Veterans
Personal Finance System (VPFS) patch, PRPF*4*4, Kernel Authentication &
Authorization for Java 2 Enterprise Edition (KAAJEE) patch XU*8.0*694,
and VistALink patch XOBV*1.6*5.

Patch Components:
=================

Files & Fields Associated:

File Name (Number)      Field Name (Number)     New/Modified/Deleted
==================      ===================     ====================
N/A

Forms Associated:

Form Name       File #  New/Modified/Deleted
=========       ======  ====================
N/A

Mail Groups Associated:

Mail Group Name         New/Modified/Deleted
===============         ====================
N/A

Options Associated:

Option Name     Type    New/Modified/Deleted
===========     ====    ====================
N/A

Protocols Associated:

Protocol Name           New/Modified/Deleted
==============          ====================
N/A

Security Keys Associated:

Security Key Name
=================
N/A

Templates Associated:

Template Name   Type    File Name (Number)      New/Modified/Deleted
=============   ====    ==================      ====================
N/A

Additional Information:

N/A

New Service Requests (NSRs):
============================
N/A

Patient Safety Issues (PSIs):
=============================
N/A

Defect Tracking System Ticket(s) & Overview:
============================================

1. Rational Defect 751022 - TRM Upgrades

   Problem:
   ========
   After a review of the technologies used in KAAJEE Security Service
   Provider Interfaces (SSPI), upgrades were required to the following
   components: Log4j, WebLogic Server, and Apache Commons.

   Resolution:
   ===========
   Updated the .jar libraries of the new components mentioned above and
   implemented code changes to support the new libraries.

2. Rational Defect 751024 - Fortify Remediation

   Problem:
   ========
   After scanning the KAAJEE code base through the Fortify Security scan,
   the following problems were listed as Critical and High priority:

   Redundant Null Check - A check-after-dereference error occurs when a
   program dereferences an object that can be null before checking if
   the object is null.

   Password Management - Storing passwords or password details in plain
   text anywhere in the system or system code may compromise system
   security in a way that cannot be easily remedied.

   Releasing Resources - The program can potentially fail to release a
   system resource.

   Resolution:
   ===========
   Updated and resolved all code that was flagged as Critical and High
   Priority issues from the Fortify scan.

   *Note: Assign the XUKAAJEE_SAMPLE security key to users testing with
   the KAAJEE sample application.

Test Sites:
===========
Edith Nourse Rogers Memorial Hospital (Bedford)
Northport VA Medical Center
Salem VA Medical Center

Software and Documentation Retrieval Instructions:
==================================================

This release includes software files. They can be obtained at location:

   /srv/vista/patches/SOFTWARE

The software files can also be obtained by accessing the URL:

   https://download.vista.domain.ext/index.html/SOFTWARE

File Title              File Name               Format
---------------------------------------------------------------------
kaajee-1.2.0.008        KAAJEE_1_2_0_008.ZIP    Binary

Documentation describing the new functionality is included in this
release. Documentation can be found on the VA Software Documentation
Library at: https://www.domain.ext/vdl/.

Documentation can also be obtained at
https://download.vista.domain.ext/index.html/SOFTWARE

Title                                                 File Name
==========================================================================
Deployment Guide 1.2 (WebLogic 10.3.6 and higher)     KAAJEE_1_2_DEPLOYGUIDE.PDF
Installation Guide 1.2 (WebLogic 10.3.6 and higher)   KAAJEE_1_2_INSTALLGUIDE.PDF
Release Notes 1.2 (WebLogic 10.3.6 and higher)        KAAJEE_1_2_RELEASENOTES.PDF

Patch Installation:
===================
No installation is required at local sites. Martinsburg performs the
patch installation on a centralized web server.

Pre/Post Installation Overview:
===============================
N/A

Pre-Installation Instructions:
==============================
N/A

Installation Instructions:
==========================

******************************************************************
** PLEASE NOTE: THERE IS NO INSTALLATION FOR THIS PATCH.        **
******************************************************************

This informational patch, XU*8.0*696, is for KAAJEE SSPI only.
Installation is done by Martinsburg on a centralized server.

Post-Installation Instructions:
===============================
N/A

Back-Out Plan:
==============
A back-out plan will be sent to Martinsburg and attached to the
installation change order (CO), found in the Installation Guide 1.2
(WebLogic 10.3.6 and higher).

Routine Information:
====================
No routines included.

=============================================================================
User Information:
Entered By  :                         Date Entered  : JUN 05, 2018
Completed By:                         Date Completed: JUL 28, 2020
Released By :                         Date Released : JUL 29, 2020
=============================================================================

Packman Mail Message:
=====================
No routines included
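The three Fortify categories listed under Rational Defect 751024 (Redundant Null Check, Password Management, Releasing Resources) are illustrated below, each as the pattern Fortify flags beside a remediated form. This is an added illustration written for this patch description, not KAAJEE code and not the actual remediation applied; the class FortifyPatterns, the UserRecord type, the method names and the placeholder credential are all hypothetical. The remediated forms rely only on Java 7 features, which matches the Java 1.7 minimum this patch establishes.

```java
// Added illustration of the three Fortify finding categories named in this
// patch description. Not KAAJEE code; every name here is hypothetical.
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Arrays;
import javax.sql.DataSource;

public class FortifyPatterns {

    // --- 1. Redundant Null Check (check-after-dereference) ------------------

    // Flagged: 'user' is dereferenced on the first line, so the null check
    // that follows can never protect it; a null 'user' has already thrown.
    static String displayNameBefore(UserRecord user) {
        String name = user.getName();   // dereference happens here
        if (user == null) {              // check arrives too late
            return "<unknown>";
        }
        return name;
    }

    // Remediated: test for null before the first dereference, and cover the
    // nullable field as well.
    static String displayNameAfter(UserRecord user) {
        if (user == null || user.getName() == null) {
            return "<unknown>";
        }
        return user.getName();
    }

    // --- 2. Password Management (plain-text credential in code) -------------

    // Flagged: a credential as a String literal ships inside the .jar, is
    // readable by anyone who can open the class file, and cannot be rotated
    // without a rebuild. (Placeholder value; not a real credential.)
    static final String DB_PASSWORD_BEFORE = "placeholder-not-a-real-secret";

    // Remediated: nothing secret lives in source. The credential is read at
    // runtime from a protected store the container provides (for a WebLogic
    // deployment that is typically a managed JNDI DataSource), into a char[]
    // that the caller clears once it has been used.
    static char[] readPasswordFromProtectedStore(InputStream protectedStore)
            throws IOException {
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(protectedStore, StandardCharsets.UTF_8))) {
            String line = reader.readLine();
            return line == null ? new char[0] : line.toCharArray();
        }
    }

    // Scrub the credential from memory as soon as it is no longer needed;
    // a String cannot be cleared, which is why a char[] is used above.
    static void clearPassword(char[] password) {
        Arrays.fill(password, '\0');
    }

    // --- 3. Releasing Resources -------------------------------------------

    // Flagged: if executeQuery() or rs.next() throws, none of the close()
    // calls run, and the pooled connection leaks until the pool is exhausted.
    static int countRowsBefore(DataSource ds, String sql) throws SQLException {
        Connection conn = ds.getConnection();
        PreparedStatement stmt = conn.prepareStatement(sql);
        ResultSet rs = stmt.executeQuery();
        int n = 0;
        while (rs.next()) n++;
        rs.close();
        stmt.close();
        conn.close();
        return n;
    }

    // Remediated: try-with-resources closes every resource, in reverse
    // order, on every exit path including exceptions.
    static int countRowsAfter(DataSource ds, String sql) throws SQLException {
        try (Connection conn = ds.getConnection();
             PreparedStatement stmt = conn.prepareStatement(sql);
             ResultSet rs = stmt.executeQuery()) {
            int n = 0;
            while (rs.next()) n++;
            return n;
        }
    }

    // Minimal hypothetical record type used by the null-check examples.
    static final class UserRecord {
        private final String name;
        UserRecord(String name) { this.name = name; }
        String getName() { return name; }
    }
}
```

The "before" methods are the shapes a Fortify scan reports as Critical or High; the "after" methods are what a reviewer expects to see once the finding is closed. For the Releasing Resources case, the connection-pool exhaustion that the leak causes is the practical symptom a site would observe, which is why that category is treated as a priority finding alongside the two security categories.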