BD is aware of and currently monitoring a Microsoft vulnerability, which affects the .NET Framework, Microsoft SharePoint, and Visual Studio. This third-party vulnerability, which Microsoft corrected with their July 14, 2020 patch release, is not specific to BD or our products. Additionally, we have not received any reports regarding this vulnerability being exploited on BD products.
CVE-2020-1147 is a remote code execution vulnerability that exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input. This vulnerability affects Windows Workstation 7, 8, and 10, and Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, and 2019. The security patch, made by Microsoft, addresses the vulnerability by correcting how .NET Framework, Microsoft SharePoint, and Visual Studio validate the source markup of XML content.
To exploit this vulnerability, an attacker could potentially upload a specially crafted document to a server utilizing an affected product to process content. If successful, the attacker could potentially run arbitrary code in the context of the process responsible for deserialization of the XML content.
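The "source markup" check described above can be reproduced as an input screen in front of the deserializing process. The following added example is not BD's or Microsoft's code; it assumes the consuming process loads untrusted XML into a .NET DataSet or DataTable (the component behind CVE-2020-1147), where an inline `xs:schema` may request column types through `msdata:DataType`. It parses the document first and accepts it only when every requested type is on an allowlist (the allowlist and the sample documents are constructed for this example):

```python
import xml.etree.ElementTree as ET

XS = "http://www.w3.org/2001/XMLSchema"
MSDATA = "urn:schemas-microsoft-com:xml-msdata"

# Column types a DataSet inline schema is expected to request (assumption: an
# allowlist chosen for this example; narrow it to the application's real schema).
ALLOWED_DATATYPES = {
    "System.Int32", "System.Int64", "System.String", "System.Boolean",
    "System.DateTime", "System.Decimal", "System.Double", "System.Guid",
}


def inline_schema_types(xml_text):
    """Collect every msdata:DataType requested by an inline xs:schema."""
    root = ET.fromstring(xml_text)
    found = []
    for schema in root.iter(f"{{{XS}}}schema"):
        for el in schema.iter():
            dt = el.get(f"{{{MSDATA}}}DataType")
            if dt is not None:
                # assembly-qualified names look like "Type, Assembly"; keep the type
                found.append(dt.split(",")[0].strip())
    return found


def screen_dataset_xml(xml_text):
    """Return (accepted, offending_types); run this before any DataSet load."""
    try:
        requested = inline_schema_types(xml_text)
    except ET.ParseError:
        return False, ["malformed XML"]
    bad = [t for t in requested if t not in ALLOWED_DATATYPES]
    return not bad, bad


def _sample(column_type):
    # Constructed DataSet-style document with one table and one typed column.
    return f"""<NewDataSet>
  <xs:schema xmlns:xs="{XS}" xmlns:msdata="{MSDATA}">
    <xs:element name="NewDataSet" msdata:IsDataSet="true"><xs:complexType>
      <xs:choice maxOccurs="unbounded"><xs:element name="Orders"><xs:complexType>
        <xs:sequence><xs:element name="Note" msdata:DataType="{column_type}"/>
      </xs:sequence></xs:complexType></xs:element></xs:choice>
    </xs:complexType></xs:element>
  </xs:schema>
  <Orders><Note>hello</Note></Orders>
</NewDataSet>"""


BENIGN = _sample("System.String")
# Placeholder non-primitive type name; anything outside the allowlist is refused.
SUSPECT = _sample("Example.Placeholder.SomeType, SomeAssembly")

if __name__ == "__main__":
    print(screen_dataset_xml(BENIGN))   # (True, [])
    print(screen_dataset_xml(SUSPECT))  # (False, ['Example.Placeholder.SomeType'])
```

Screening the markup this way complements, rather than replaces, the Microsoft patch: the patch corrects the deserializer itself, while the screen records and rejects documents requesting unexpected types before they reach it.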
BD is currently working to test and validate the Microsoft patch for BD products that use the affected third-party components. Please review the Product Security Patching website for all approved product security patching notifications. Additionally, we recommend the following compensating controls for customers using BD products that utilize Windows Workstation 7, 8, and 10, and Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, and 2019:
BD has not received any reports of this third-party vulnerability being exploited on BD products. The product list below is available to customers to help identify existing BD products that utilize Windows Workstation 7, 8, and 10, and Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, and 2019. The list provided below is not comprehensive and may be updated as more products are identified. It does not indicate the patch or device status.
Customers that maintain patches independently of BD automated delivery should ensure these actions are performed as the acting responsible entity to maintain the correct security posture of the system(s).
Ensure the following Microsoft patches have been applied:
For product- or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by this third-party vulnerability, disconnect the device from the network and contact your BD service representative immediately.