This notification provides product security information and recommendations related to an insufficient session expiration vulnerability in specific versions of BD Synapsys™ Informatics Solution. For maximum awareness, BD has voluntarily reported this vulnerability to the U.S. Food and Drug Administration (FDA) and to the Information Sharing and Analysis Organizations (ISAOs) in which BD participates, including the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the Health Information Sharing and Analysis Center (H-ISAC).
CVE-2022-30277 - BD Synapsys™, versions 4.20, 4.20 SR1, and 4.30, contain an insufficient session expiration vulnerability. If exploited, threat actors may have an extended period of time in which to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII).
BD Synapsys™ is a software application delivering data management and workflow functionality across clinical diagnostic activities in a laboratory. To exploit this vulnerability, a threat actor would need to gain access to the customer environment and physical access to a BD Synapsys™ workstation.
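The weakness class named above (insufficient session expiration), as an added illustration that is not BD's code and says nothing about how BD Synapsys™ itself manages sessions: a session store that never expires an issued token beside one that enforces both an idle timeout and an absolute lifetime on every request. The timeout values, the token format and the `Session` layout are assumptions made for the example.

```python
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60       # assumed: seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600  # assumed: hard cap on total session lifetime, active or not


@dataclass
class Session:
    user: str
    created_at: float   # epoch seconds when the session was issued
    last_seen: float    # epoch seconds of the most recent validated request


class VulnerableSessionStore:
    """Insufficient session expiration: once issued, a token is valid forever."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, now=None):
        now = time.time() if now is None else now
        token = f"tok-{len(self._sessions) + 1}"   # constructed token, not a real scheme
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token, now=None):
        # Only checks existence; an unattended workstation keeps its session indefinitely.
        return token in self._sessions


class HardenedSessionStore(VulnerableSessionStore):
    """Same store, but idle and absolute expiration are enforced server-side."""

    def validate(self, token, now=None):
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return False
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created_at > ABSOLUTE_TIMEOUT:
            del self._sessions[token]   # expire on the server, not only in the client
            return False
        s.last_seen = now               # sliding idle window, absolute cap unchanged
        return True

    def logout(self, token):
        # Explicit logout must also invalidate server-side state.
        self._sessions.pop(token, None)
```

Because the check runs on every request against server-held state, neither a stale browser cookie nor a client that stops honouring a timeout can keep an expired session alive.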
This vulnerability was discovered by BD through standard internal testing. There have been no reports of this vulnerability being exploited in a laboratory setting.
BD Synapsys™ v4.20 SR2 will be released in June 2022 and will remediate this vulnerability. Customers receiving BD Synapsys™ v4.30 will be allowed to upgrade to v5.10, which is expected to be available by August 2022.
Additionally, BD recommends the following compensating controls for customers using the impacted versions of BD Synapsys™:
For product- or site-specific concerns, contact your BD service representative.