Last Updated: February 4, 2022
BD is aware of and actively monitoring the recent vulnerability in Apache Log4j, versions 2.0-beta9 to 2.14.1 (CVE-2021-44228). Log4j is an open-source, Java-based logging library widely used by enterprise applications and cloud services. According to an alert from the Cybersecurity and Infrastructure Security Agency (CISA), threat actors are actively exploiting this vulnerability.
BEGIN UPDATE B: February 4, 2022
BD has assessed the additional software-enabled products and hosted offerings listed below and determined they are not impacted by this vulnerability.
- BD Action Manager
- BD Diabetes Care App Cloud*
- BD FACSCalibur™
- BD FACSCount™
- BD FACSJazz™
- BD FACSVerse™
- BD Inventory Connect
- BD Pyxis™ RapidRx
- BD ReadyMed
Additionally, BD continues to assess third-party components used within BD software-enabled products. None of the BD products listed in this bulletin contain third-party components impacted by the Apache Log4j vulnerability. For a list of BD products that contain impacted third-party components, refer to Apache Log4j Vulnerability: BD Third-Party Components Impacted.
*After completing the additional investigation and assessment for the BD Diabetes Care App Cloud as mentioned in Update A below, BD determined that the BD Diabetes Care App Cloud hosted offering is not impacted by the Apache Log4j vulnerability.
END UPDATE B: February 4, 2022
BEGIN UPDATE A: December 21, 2021
BD is aware of an additional CVE, CVE-2021-45046, which was added to the Apache Log4j vulnerability. This bulletin covers both CVEs.
BD has assessed the software-enabled products and hosted offerings listed below and determined they are not impacted by this vulnerability. However, BD products may contain or be used in association with third-party components, and we are still assessing those components across all versions of BD software-enabled products. As needed, BD will publish third-party bulletins and link to them from this page.