Third Party Vulnerability

Apache Log4j

Background

Last Updated: February 4, 2022

BD is aware of and actively monitoring the recent vulnerability in Apache Log4j, versions 2.0-beta9 to 2.14.1 (CVE-2021-44228). Log4j is an open-source, Java-based logging library widely used by enterprise applications and cloud services. According to an alert from the Cybersecurity and Infrastructure Security Agency (CISA), threat actors are actively exploiting this vulnerability.

BEGIN UPDATE B: February 4, 2022

BD has assessed the additional software-enabled products and hosted offerings listed below and determined they are not impacted by this vulnerability.

  • BD Action Manager
  • BD Diabetes Care App Cloud*
  • BD FACSCalibur™
  • BD FACSCount™
  • BD FACSJazz™
  • BD FACSVerse™
  • BD Inventory Connect
  • BD Pyxis™ RapidRx
  • BD ReadyMed

Additionally, BD continues to assess third-party components used within BD software-enabled products. None of the BD products listed in this bulletin contain third-party components impacted by the Apache Log4j vulnerability. For a list of BD products that contain impacted third-party components, refer to Apache Log4j Vulnerability: BD Third-Party Components Impacted.

*After completing the additional investigation and assessment for the BD Diabetes Care App Cloud as mentioned in Update A below, BD determined that the BD Diabetes Care App Cloud hosted offering is not impacted by the Apache Log4j vulnerability.

END UPDATE B: February 4, 2022

BEGIN UPDATE A: December 21, 2021

BD is aware of an additional CVE, CVE-2021-45046, which was added to the Apache Log4j vulnerability. This bulletin covers both CVEs.

BD has assessed the software-enabled products and hosted offerings listed below and determined they are not impacted by this vulnerability. However, BD products may contain or be used in association with third-party components, and we are still assessing those components across all versions of BD software-enabled products. As needed, BD will publish third-party bulletins and link to them from this page.

  • Alaris™ CC Plus Guardrails™ Syringe Pump
  • Alaris™ CC Plus Syringe Pump
  • Alaris™ Enteral Plus Syringe Pump
  • Alaris™ Gateway Workstation
  • Alaris™ GP Plus Guardrails™ Volumetric Pump
  • Alaris™ GP Plus Volumetric Pump
  • Alaris™ PK Plus Syringe Pump
  • Alaris™ Technical Utility (ATU)
  • Alaris™ TiVA Syringe Pump
  • Alaris™ VP Plus Guardrails™ Volumetric Pump
  • BD Accuri™ C6 Plus
  • BD Alaris™ Auto-ID Module Model
  • BD Alaris™ Communications Engine
  • BD Alaris™ CQI Event Reporter
  • BD Alaris™ Guardrails™ Editor
  • BD Alaris™ Infusion Central
  • BD Alaris™ neXus CC Syringe Pump
  • BD Alaris™ neXus Editor v5.0
  • BD Alaris™ neXus GP Volumetric Pump
  • BD Alaris™ PCA Module Model 8120
  • BD Alaris™ Plus Editor
  • BD Alaris™ Point-of-Care Software
  • BD FACSCanto™ II (w Diva 9.0)
  • BD FACSCanto™ II clinical
  • BD FACSCelesta™
  • BD FACSDuet™
  • BD FACSLink™
  • BD FACSLyric™
  • BD FACSMelody™
  • BD FACSPresto™
  • BD FACS™ Lyse Wash Assistant
  • BD FACS™ Sample Prep Assistant (SPA) III
  • BD FACS™ Workflow Manager
  • BD FACSVia™
  • BD FACSymphony™ A1
  • BD FACSymphony™ A3 / A5
  • BD FACSymphony™ S6
  • BD FocalPoint™ APPS instrument
  • BD FocalPoint™ APPS workstation
  • BD FocalPoint™ LLS/SLS/GSRS
  • BD HD Check system
  • BD Intelliport™ Medication Management System
  • BD Kiestra™ InoqulA
  • BD Kiestra™ InoqulA+
  • BD MAX™
  • BD Phoenix™ 100
  • BD Phoenix™ AP
  • BD Phoenix™ M50
  • BD Prevue™ II Peripheral Vascular Access System
  • BD Probetec™
  • BD Pyxis™ Anesthesia Station 4000
  • BD Pyxis™ Anesthesia Station ES
  • BD Pyxis™ CIISafe™
  • BD Pyxis™ CUBIE™ System
  • BD Pyxis™ ES System
  • BD Pyxis™ IV Prep
  • BD Pyxis™ Logistics (Pyxis™ Pharmogistics™)
  • BD Pyxis™ Med Link Queue & Waste
  • BD Pyxis™ MedBank
  • BD Pyxis™ MedStation™ 4000 System
  • BD Pyxis™ MedStation™ ES
  • SeqGeq™ Software
  • Sherlock 3CG™ Standalone Tip Confirmation Systems
  • Site~Rite Prevue® PICC Ultrasound Systems
  • BD Alaris™ Point-of-Care Unit (PCU) Model 8015
  • BD Alaris™ Pump Module Model 8100
  • BD Alaris™ Syringe Module Model 8110
  • BD Alaris™ System Maintenance
  • BD Alaris™ Systems Manager
  • BD Arctic Sun™ 5000 Temperature Management System
  • BD Arctic Sun™ 6000 Stat Temperature Management System
  • BD Assurity Linc™
  • BD BACTEC™ 9050/9120/9240
  • BD BACTEC™ FX
  • BD BACTEC™ FX40
  • BD BACTEC™ MGIT™
  • BD Care Coordination Engine (CCE)
  • BD Cato™
  • BD COR™
  • BD EpiCenter™
  • BD FACSAria™ Fusion
  • BD FACSAria™ II
  • BD FACSAria™ III
  • BD FACSCanto™ 10-color
  • BD FACSCanto™ 10-color clinical
  • BD Pyxis™ Order Viewer
  • BD Pyxis™ ParAssist
  • BD Pyxis™ PARx™
  • BD Pyxis™ PharmoPack™
  • BD Pyxis™ ReadyMed
  • BD Pyxis™ SupplyStation™
  • BD Pyxis™ Tissue & Implant Management System
  • BD Pyxis™ Track and Deliver
  • BD Remote Support Services (RSS)
  • BD Rhapsody™ Single-Cell Analysis System
  • BD Rowa™ - Dose (Windows 10 platform)
  • BD Rowa™ - Dose (Windows 7 Workstations only)
  • BD Rowa™ - ProLog
  • BD Rowa™ - Smart
  • BD Rowa™ - Vmax
  • BD Rowa™ Pouch Packaging Systems
  • BD Sensica™ Urine Output System
  • BD Site~Rite™ 8 Ultrasound Systems
  • BD Totalys™ DataLink
  • BD Totalys™ Multiprocessor
  • BD Totalys™ SlidePrep
  • BD Veritor™
  • BD Viper™ LT
  • BD Viper™ XTR™
  • BD® LSR II
  • BD® Research Cloud
  • CoreLite
  • EnCor Enspire® Breast Biopsy System
  • EnCor Ultra® Breast Biopsy System
  • FlowJo™ Portal
  • FlowJo™ Software
  • Influx™
  • LSRFortessa™
  • LSRFortessa™ X-20
  • PleurX
  • QUANTAFLO™ Peripheral Arterial Disease Test
  • Restock Order
  • Site~Rite Prevue® Plus Ultrasound Systems
  • Specimen Collection Verification

Should any additional products and/or hosted offerings requiring assessment be identified, BD will update this bulletin as needed. Please check back periodically for updates.

BD previously assessed and listed the BD Diabetes Care App Cloud as a hosted offering that was not impacted by this vulnerability. However, as part of our ongoing review, we have determined that the BD Diabetes Care App Cloud requires further investigation and have removed it from the original list of hosted offerings that are not impacted by this vulnerability.

END UPDATE A: December 21, 2021

Response

BD has assessed the hosted offerings listed below and determined they are not impacted by this vulnerability.

  • BD Arctic Sun™ Analytics
  • BD HealthSight™ Clinical Advisor
  • BD HealthSight™ Data Manager
  • BD HealthSight™ Diversion Management
  • BD HealthSight™ Infection Advisor
  • BD HealthSight™ Inventory Optimization Analytics
  • BD HealthSight™ Medication Safety
  • BD Knowledge Portal for Infusion Technologies
  • BD Knowledge Portal for Medication Technologies
  • BD Knowledge Portal for BD Pyxis™ Supply
  • BD Synapsys™ Informatics Solution
  • BD Veritor™ COVID At Home Solution Cloud

We are continuing to assess BD software-enabled products and their third-party components, and we will provide updated communication on impacted products as necessary.

BD will continue to review guidance from CISA and take appropriate action as needed.
