Third-party Vulnerability

Third-party Vulnerability Libwebp

CRITICAL

Background

This notification is voluntarily shared by BD with Information Sharing and Analysis Organizations (ISAOs).

BD communicates with our customers about cybersecurity vulnerabilities to help enable healthcare providers to manage potential risks through awareness and guidance.

BD is aware of and currently monitoring a vulnerability affecting Google’s library libwebp. This third-party vulnerability is not specific to BD or our products. Additionally, we have not received any reports of this vulnerability being exploited on BD products. BD is providing this update to let customers know which BD products could be affected by the following third-party libwebp vulnerability:

  • CVE-2023-4863 – Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
    • CVSS: 8.8 (Critical) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
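A defender-side inventory check based on the version thresholds quoted above (an added example, not part of BD's advisory): it compares recorded Chrome and libwebp versions numerically against the fixed versions named in the CVE entry, and sends any component whose fixed version this page does not state (Edge) to manual review instead of silently passing it. The host names and inventory rows are constructed sample data.

```python
import csv
import io
import re

# Fixed versions quoted in the CVE description above; anything strictly
# below these is affected. Edge is deliberately absent: the advisory does
# not state its fixed build, so Edge rows are routed to manual review.
FIXED = {
    "chrome": "116.0.5845.187",
    "libwebp": "1.3.2",
}

# Constructed sample inventory (host, component, version) for illustration.
SAMPLE_INVENTORY = """\
host,component,version
bactec-fx-01,edge,116.0.1938.69
facslyric-02,chrome,116.0.5845.140
facslyric-03,chrome,116.0.5845.187
cor-01,chrome,117.0.5938.92
kiestra-04,chrome,99.0.4844.51
viper-01,libwebp,1.3.1
"""


def parse_version(text):
    """Split a dotted version into a tuple of ints; reject anything else.

    Numeric tuples compare correctly where plain strings do not
    ("99.0.4844.51" sorts *after* "116.0.5845.187" as a string).
    """
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected(component, version):
    """True if version < fixed version, False if not, None if no threshold is known."""
    fixed = FIXED.get(component.strip().lower())
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


def triage(inventory_csv):
    """Map each host to 'affected', 'ok' or 'review' (unknown threshold)."""
    verdicts = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        state = is_affected(row["component"], row["version"])
        verdicts[row["host"]] = "review" if state is None else ("affected" if state else "ok")
    return verdicts
```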

BD Products that contain third-party components that utilize libwebp

The libwebp library is included in the Google Chrome and Microsoft Edge browsers. The products below ship with one of these browsers, even where the browser is not used in the product's operation.

This notification applies to the following BD products:

Microsoft Edge Browser libwebp:

  • BD Viper™ LT System
  • BD MAX™
  • BD Phoenix™ M50
  • BD BACTEC™ FX and FX40
  • BD Totalys™ Multiprocessor, SlidePrep, and Datalink
  • BD COR™
  • BD EpiCenter™
  • BD Assurity Linc™


Google Chrome Browser libwebp:

  • BD Accuri™ C6 Plus
  • BD COR™
  • BD FACSAria™ Fusion
  • BD FACSAria™ III 
  • BD FACSCanto™ 10-color
  • BD FACSCanto™ 10-color clinical
  • BD FACSCanto™ II
  • BD FACSCanto™ II clinical
  • BD FACSCelesta™
  • BD FACSDiscover™ S8
  • BD FACSLink™
  • BD FACSLyric™
  • BD FACSMelody™ 
  • BD FACS™ Sample Prep Assistant (SPA) III
  • BD FACSymphony™ A1
  • BD FACSymphony™ A3 / A5
  • BD FACSymphony™ S6
  • BD FACS™ Workflow Manager
  • BD Kiestra™ ReadA
  • BD Kiestra™ InoqulA
  • BD Kiestra™ InoqulA+
  • BD Kiestra™ TLA/WCA with an SCU
  • BD Kiestra™ TLA Track
  • BD Influx™
  • LSRFortessa™
  • LSRFortessa™ X-20 

Response

BD is currently working to test and validate the patch(es) or other mitigations for BD products that use the affected third-party component. Please refer to the Bulletins and Patches page for all approved product security patching notifications. BD recommends the following mitigations and compensating controls to reduce risk associated with this vulnerability:

  • BD products should be used in a manner consistent with their approved workflows.
  • Ensure physical access controls are in place so that only authorized end-users can access the BD products.
  • If BD products must be connected to a network, ensure industry-standard network security policies and procedures are followed, including but not limited to:
    • Intrusion Detection/Prevention System to monitor network traffic
    • Network segmentation
    • Whitelist required websites only