=============================================================================
Run Date: FEB 03, 2021                     Designation: XU*8*695
Package : XU - KERNEL                         Priority: Mandatory
Version : 8        SEQ #585                     Status: Released
                                      Compliance Date: MAR 06, 2021
=============================================================================

Subject: KAAJEE CLASSIC TECHNICAL REFERENCE MODEL (TRM) & FORTIFY CHANGES

Category:
  - Informational

Description:
============

This Kernel Authentication & Authorization for Java 2 Enterprise Edition
(KAAJEE) patch, XU*8*695, will be bundled with Patient Centric Management
Module (PCMM) release [WEBP*1*22].

This patch includes changes for TRM upgrades to WebLogic Server 10.3.6 and
WebLogic Server 12.1, Log4j 2.1, Java 1.7, Apache Commons 4.1, Apache Commons
Pool 2.5, and Apache Commons Database Connection Pools (DBCP) 2.3.

In addition, this patch makes updates to Fortify Security Remediation, which
include correcting null dereferencing, security issues, and header
manipulation.

Patch Components:
-----------------
N/A

Files & Fields Associated:

File Name (Number)         Field Name (Number)        New/Modified/Deleted
------------------         -------------------        --------------------
N/A

Forms Associated:

Form Name         File #        New/Modified/Deleted
---------         ------        --------------------
N/A

Mail Groups Associated:

Mail Group Name          New/Modified/Deleted
---------------          --------------------
N/A

Options Associated:

Option Name         Type          New/Modified/Deleted
-----------         ----          --------------------
N/A

Protocols Associated:

Protocol Name         New/Modified/Deleted
-------------         --------------------
N/A

Security Keys Associated:

Security Key Name
-----------------
N/A

Templates Associated:

Template Name    Type    File Name (Number)    New/Modified/Deleted
-------------    ----    ------------------    --------------------
N/A

Remote Procedures Associated:

Remote Procedure Name         New/Modified/Deleted
---------------------         --------------------
N/A

Parameter Definitions Associated:

Parameter Name         New/Modified/Deleted
--------------         --------------------
N/A

Additional Information:
-----------------------
N/A

New Service Requests (NSRs):
----------------------------
N/A

Patient Safety Issues (PSIs):
-----------------------------
N/A

Defect Tracking System Ticket(s) & Overview:
--------------------------------------------

1. JIRA ID KAAJEE-3 - TRM Upgrades

   Problem:
   --------
   After a review of the technologies used in the KAAJEE application,
   version upgrades were required for the following components: Log4j,
   WebLogic Server, and Apache Commons.

   Resolution:
   -----------
   Coding changes were made to support the updated .jar libraries of the
   new components.

2. JIRA ID KAAJEE-4 - Fortify Remediation

   Problem:
   --------
   Fortify scanning of the KAAJEE Classic code indicated several critical
   and high priority security findings. These issues included:

   Redundant Null Check - A check-after-dereference error occurs when a
   program dereferences an object that can be null before checking if the
   object is null.

   Password Management - Storing passwords or password details in plaintext
   anywhere in the system or system code may compromise system security in
   a way that cannot be easily remedied.

   Header Manipulation - This enables Cookie manipulation attacks and can
   lead to other Hypertext Transfer Protocol (HTTP) Response header
   manipulation attacks like: cache-poisoning, cross-site scripting,
   cross-user defacement, page hijacking, or open redirect.

   Resolution:
   -----------
   Updates were made to the code to resolve the Fortify security findings.

Test Sites:
-----------
Montana Health Care System
Memphis VAMC
Minneapolis VAMC

Software and Documentation Retrieval Instructions:
--------------------------------------------------
This release includes software files.
They can be obtained at location: /srv/vista/patches/SOFTWARE

The software files can also be obtained by accessing the URL:
https://download.vista.domain.ext/index.html/SOFTWARE

File Title                      File Name                      Format
---------------------------------------------------------------------
XU*8.0*695                      XU_8_0_695.ZIP                 Binary

Documentation describing the new functionality is included in this release.

Documentation can be found on the VA Software Documentation Library at:
https://www.domain.ext/vdl/.

Documentation can also be obtained at
https://download.vista.domain.ext/index.html/SOFTWARE

Title                                                       File Name
=============================================================================
Deployment Guide 1.2 (WebLogic 10.3.6 and WebLogic 12.1)    KAAJEE_CLASSIC_1_2_DG.PDF
Installation Guide 1.2 (WebLogic 10.3.6 and WebLogic 12.1)  KAAJEE_CLASSIC_1_2_IG.PDF
Release Notes 1.2 (WebLogic 10.3.6 and WebLogic 12.1)       KAAJEE_CLASSIC_1_2_RN.PDF

Pre-Installation Instructions:
------------------------------
This "Information only" patch refers to a centralized server promotion.
No installation is required at local sites.

Installation Instructions:
--------------------------
******************************************************************
**  PLEASE NOTE: THERE IS NO INSTALLATION FOR THIS PATCH.       **
******************************************************************

This informational patch, XU*8.0*695, is for KAAJEE CLASSIC only.
Installation is done by Community Resource and Referral Center (CRRC) on
a centralized server.

Post-Installation Instructions:
-------------------------------
This "Information only" patch refers to a centralized server promotion.
No installation is required at local sites.

Back-Out Plan:
--------------
The back-out plan is provided as part of the deployment guide provided to
CRRC.

Routine Information:
====================
No routines included.
=============================================================================
User Information:
Entered By  :                             Date Entered  : JUN 05, 2018
Completed By:                             Date Completed: FEB 03, 2021
Released By :                             Date Released : FEB 03, 2021
=============================================================================

Packman Mail Message:
=====================

No routines included
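Added example (not KAAJEE source and not part of this patch description): the
two code-level Fortify finding classes named under JIRA ID KAAJEE-4, Header
Manipulation and Redundant Null Check, shown on hypothetical Java code with
the vulnerable pattern beside the corrected form. The method and class names,
the session map, and the sample cookie value are all constructed for
illustration; the example deliberately avoids the servlet API so it compiles
with a plain JDK.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical illustration of two Fortify finding classes from the patch
// description. Not KAAJEE code; all names and inputs are constructed.
public class FortifyFindingsExample {

    // Header Manipulation (vulnerable pattern): a caller-controlled value is
    // copied into a response header line without checking for CR or LF. A
    // value containing "\r\n" terminates the header early, so the remainder
    // is parsed as further headers or body (HTTP response splitting), which
    // is what enables the cookie manipulation attacks the finding describes.
    static String buildSetCookieUnsafe(String name, String value) {
        return "Set-Cookie: " + name + "=" + value + "; HttpOnly";
    }

    // Header Manipulation (corrected): refuse any name or value that could
    // end a header line before it reaches the response. Rejecting is safer
    // than silently stripping, because it surfaces the bad input in logs.
    static String buildSetCookieSafe(String name, String value) {
        if (name == null || value == null
                || containsCrLf(name) || containsCrLf(value)) {
            throw new IllegalArgumentException(
                    "header name or value contains CR/LF");
        }
        return "Set-Cookie: " + name + "=" + value + "; HttpOnly";
    }

    static boolean containsCrLf(String s) {
        return s.indexOf('\r') >= 0 || s.indexOf('\n') >= 0;
    }

    // Redundant Null Check (vulnerable pattern, "check after dereference"):
    // 'session' is dereferenced on the first line, so the later null test
    // can never protect that call; Fortify flags the test as redundant and
    // the dereference as a possible NullPointerException.
    static int sessionIdLengthUnsafe(Map<String, String> session) {
        int len = session.get("id").length();   // throws if session is null
        if (session != null) {                  // too late to help
            return len;
        }
        return -1;
    }

    // Redundant Null Check (corrected): test every nullable reference before
    // dereferencing it, including the map lookup result.
    static int sessionIdLengthSafe(Map<String, String> session) {
        if (session == null) {
            return -1;
        }
        String id = session.get("id");
        if (id == null) {
            return -1;
        }
        return id.length();
    }

    public static void main(String[] args) {
        // Constructed input: a cookie value carrying an embedded CRLF.
        String injected = "abc\r\nX-Injected: yes";
        System.out.println("unsafe builder emitted: "
                + buildSetCookieUnsafe("sid", injected).replace("\r\n", "<CRLF>"));
        try {
            buildSetCookieSafe("sid", injected);
        } catch (IllegalArgumentException e) {
            System.out.println("safe builder rejected input: " + e.getMessage());
        }

        Map<String, String> session = new HashMap<>();
        session.put("id", "12345");
        System.out.println("unsafe length (non-null input): "
                + sessionIdLengthUnsafe(session));
        System.out.println("safe length: " + sessionIdLengthSafe(session));
        System.out.println("safe length on null session: "
                + sessionIdLengthSafe(null));
    }
}
```

Run with `javac FortifyFindingsExample.java && java FortifyFindingsExample`.
The unsafe builder prints the injected line break inside the header, while the
safe builder throws before any header text is produced; the null-check pair
shows why the order of the test and the dereference, not merely the presence
of a test, is what the Fortify rule evaluates.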