Third-Party Vulnerability: jQuery / jQuery-ui

Background

BD is voluntarily sharing this notification with Information Sharing and Analysis Organizations (ISAOs).

BD communicates with our customers about cybersecurity vulnerabilities to enable healthcare providers to manage potential risks through awareness and guidance.

BD is aware of and currently monitoring publicly disclosed vulnerabilities in jQuery v1.7.1 and jQuery-ui v1.10.4 libraries. These third-party vulnerabilities are not specific to BD or our products. BD is providing this update to let customers know which BD products could be affected by these third-party vulnerabilities.

BD has not received any reports of these vulnerabilities being exploited on BD products.

Products that utilize impacted versions of jQuery and jQuery-ui

This notification applies to the following BD products:

  • BD Alaris™ Communication Engine (ACE), versions 2.0.1 and earlier

BD ACE does not directly affect the function of individual infusion pumps and is not sold in the U.S. This vulnerability does not impact customers who use BD Alaris™ PCU 8015 or BD Alaris™ Systems Manager.

This list does not indicate the patch or device status. The list may be updated if more products are identified. Please check back periodically for updates.

Response

BD is currently planning to update the in-scope BD product that utilizes these third-party components. BD does not have a confirmed schedule at this time. Please refer to the Bulletins and Patches page for all approved product security patching notifications. Please check back periodically for updates.

Additionally, BD recommends the following compensating controls for customers using BD products that utilize the affected software:

  • Ensure physical access controls are in place and only authorized end-users have access to the in-scope BD products.  
  • Maintain proper network segmentation and protection: Place clients and servers that host the affected products behind a correctly configured firewall and have proper network segmentation in place.
  • Ensure that the hosting clients and servers are up-to-date and have proper patch management controls in place where applicable.
  • Have proper user rights management controls in place.
  • Avoid using dedicated devices (such as these) for general-purpose tasks including accessing email or Internet browsing.

Additional Resources

For product- or site-specific concerns, contact your BD service representative.