Please find our Security Advisories here

Security Advisories

F5 Advisory (CVE-2022-41622) and (CVE-2022-41800) - (2022 November 18)

Publication Date: 2022 November 18

Update Date: 2022 November 22

Philips is currently monitoring developments and updates related to the recent security advisory released by F5, a cloud application services and security company, concerning two critical vulnerabilities (CVE-2022-41622) and (CVE-2022-41800) within their BIG-IP and BIG-IQ product line. F5 is currently working on introducing a fix for these vulnerabilities.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips’s product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips’s product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by the above mentioned F5 vulnerabilities. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

837507 – IntelliSpace PACS ¹

For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:

¹ Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure. Please note that ISPACS is only impacted by CVE-2022-41622.

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect

F5 Advisories (Multiple CVEs) - (2022 November 3)

Publication Date: 2022 November 3

Update Date: 2022 November 22

Philips is currently monitoring developments and updates related to the recently released list of 19 security vulnerabilities for F5 products. These vulnerabilities affect numerous BIG-IP, F5OS, and NGINX versions and modules.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

837507 – IntelliSpace PACS ¹

For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:

¹ Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure"

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect

OpenSSL Advisory (CVE-2022-3602) and (CVE-2022-3786) - (2022 November 2)

Publication Date: 2022 November 2

Update Date: 2022 November 2

Philips is currently monitoring developments and updates related to the recently released OpenSSL security update concerning two high risk vulnerabilities (CVE-2022-3602 & CVE-2022-3786) that could be triggered within the X.509 certificate verification process. OpenSSL has released an updated version (V3.07) that fixes both vulnerabilities.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

Microsoft Common Log File System Driver Elevation of Privilege Vulnerability (CVE-2022-37969) - (2022 October 20)

Publication Date: 2022 October 20

Update Date: 2022 October 31

Philips is currently monitoring developments and updates related to the recently released Microsoft security update concerning a zero-day vulnerability (CVE-2022-37969) pertaining to Windows Common Log File System Driver Elevation of Privilege. Microsoft states that an attacker who successfully exploited this vulnerability could gain SYSTEM privileges. However, an attacker must already have access and the ability to run code on the target system. This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by Microsoft’s vulnerability. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

867113 - Focal Point ^1,2

860292 - Holter SW ^1,2

860343 - ST80i ²

For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:

¹ Software only products.

² Information or patch available in Incenter. Please contact your local service support team.

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.

Microsoft Exchange Server Advisory (CVE-2022-41040) and (CVE-2022-41082) - (2022 October 6)

Publication Date: 2022 October 6

Update Date: 2022 October 6

Philips is currently monitoring developments and updates related to the recently released Microsoft security update concerning two zero-day vulnerabilities (CVE-2022-41040 & CVE-2022-41082) within Microsoft Exchange Server. Microsoft continues to investigate the two reported vulnerabilities but, in the interim, has provided mitigation guidance.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

FBI's Private Industry Notification (2022 September 19)

Publication Date: 2022 September 19

Update Date: 2022 September 19

Philips is aware of the recent FBI Private Industry Notification warning healthcare facilities of the risks associated with unpatched and outdated medical devices.

This warning highlights the fact that the FBI has seen an increase in the number of vulnerabilities posed by unpatched medical devices that are running on outdated software and devices that are not adequately protected. Philips follows these recommendations and encourages our customers to do the same.

For more information, see: https://www.ic3.gov/media/news/2022/220912.pdf

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.

Oracle Advisory (CVE-2022-21500) - (2022 September 2)

Publication Date: 2022 September 2

Update Date: 2022 September 2

Philips is currently monitoring developments and updates related to the recently released Oracle security update concerning a vulnerability (CVE-2022-21500) within the E-Business Suite (V12.2) product. Oracle has released a patch and recommends that it be applied as soon as possible.

At this point of time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

Realtek Advisory (CVE-2022-27255) - (2022 August 25)

Publication Date: 2022 August 25

Update Date: 2022 August 25

Philips is currently monitoring developments and updates related to the Realtek AP-Router SDK Advisory (CVE-2022-27255). Realtek has confirmed that their eCos SDK-based routers, the ‘SIP ALG’ module is vulnerable to buffer overflow.

Successful execution of this vulnerability could allow a crash or achieve the remote execution code. Realtek has released a patch that remediate this vulnerability.

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate. Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips’s product-specific, verified & validated, authorized, and communicated customer procedures or field actions. If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips’s product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

Cisco Advisory (CVE-2022-20866) - (2022 August 18)

Publication Date: 2022 August 18

Update Date: 2022 August 18

Philips is currently monitoring developments and updates related to the recently released Cisco advisory. Cisco has confirmed a critical vulnerability (CVE-2022-20866) exists in the handling of RSA keys on devices running Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software.

Successful execution of this vulnerability could allow an unauthenticated, remote attacker to retrieve an RSA private key. Cisco has released software updates that help remediate this vulnerability.

Microsoft DCOM Server Protocol Advisory (CVE-2021-26414) - (2022 August 17)

Publication Date: 2022 August 17

Update Date: 2022 August 17

Philips is currently monitoring developments and updates related to the recently released Microsoft security update concerning a Security Feature Bypass vulnerability (CVE-2021-26414) within the DCOM sever protocol. Microsoft is addressing this vulnerability in a phased rollout with the final update scheduled for Q1 2023.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

Capsule Neuron (V2 & V3)	IntelliSpace Portal Server 10/11 ^1,2	IntelliSpace Portal Server 12 ^1,2
IntelliSpace Enterprise Concerto ^1,2

For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:

¹ Software only products.

² Information or patch available in Incenter. Please contact your local service support team.

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.

Cisco Advisory (CVE-2022-20715) - (2022 August 17)

Publication Date: 2022 August 17

Update Date: 2022 August 17

Philips is currently monitoring developments and updates related to the recently released Cisco advisory. Cisco has confirmed that a critical vulnerability (CVE-2022-20715) exists in their Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software.

Successful execution of this vulnerability could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. Cisco has released software updates that help remediate this vulnerability.

Twilio Data Breach - (2022 August 11)

Publication Date: 2022 August 11

Update Date: 2022 August 11

Philips is currently monitoring developments and updates related to the recently disclosed Twilio security breach. A Short Message Service (SMS) phishing campaign was used to compromise employee credentials and gain access to Twilio internal systems, where attackers were able to access certain customer data.

Twilio has since then revoked access to the compromised employee accounts to mitigate the attack and is awaiting results from an ongoing forensic investigation. Please visit the Twilio security alert page for future updates.

At this point of time, no Philips products are known to be impacted by this breach. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

F5 Advisory (Multiple CVE's) - (2022 August 9)

Publication Date: 2022 August 9

Update Date: 2022 November 21

Philips is currently monitoring developments and updates related to the recently released F5 security alert concerning several critical vulnerabilities within the BIG-IP product line. F5 has already released mitigations to help eliminate the vulnerabilities.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by these vulnerabilities. To the best of our knowledge, the list is complete and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

837507 - IS PACS ¹

836240 - Universal Data Manager ¹ (UDM)

For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:

¹ Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure"

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.

VMware Security Advisory VMSA-2022-0021 (Multiple CVE's) - (2022 August 4)

Publication Date: 2022 August 4

Update Date: 2022 August 4

Philips is currently monitoring developments and updates related to the recently released VMware Security (VMSA-2022-0021) advisory concerning multiple critical vulnerabilities within several VMware products.

Successful execution could allow a remote attacker to exploit these vulnerabilities and take control of the system.

Microsoft Windows Support Diagnostic Tool Vulnerability (CVE-2022-30190) - Follina (2022 June 30)

Publication Date: 2022 June 30

Update Date: 2022 November 18

Philips is currently monitoring developments and updates related to the recently released Microsoft advisory concerning a critical Remote Code Execution vulnerability (CVE-2022-30190) within the Windows Support Diagnostic Tool (MSDT) and known as “Follina”.

Successful execution of this vulnerability could allow an attacker to run arbitrary code with privileges and take control of the system.

Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by this vulnerability. To the best of our knowledge, the list is complete, and products & solutions not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified

Flex Cardio ²

XperIM ^1,2

SensaVue ²

For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:

¹Software only products with customer owned operating systems.

² Information or patch available on Incenter. Please contact your local service support team.

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.

OFFIS DCMTK Vulnerabilities (Multiple CVE's) (2022 June 29)

Publication Date: 2022 June 29

Update Date: 2022 June 29

Philips is currently monitoring developments and updates related to the recently released OFFIS advisory concerning multiple vulnerabilities (CVE-2022-2119), (CVE-2022-2120), (CVE-2022-2121) within several versions (All prior to 3.6.7) of the DCMTK libraries and software.

Successful execution of these vulnerabilities could allow an attacker to cause a denial-of-service condition, write malformed DICOM files into arbitrary directories, and gain remote code execution.

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips’s product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips’s product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

CISA Emergency Directive VMware (Multiple CVE's) (2022 May 20)

Publication Date: 2022 May 20

Update Date: 2022 May 20

Philips is currently monitoring developments and updates related to the recently released CISA directive concerning multiple vulnerabilities in several VMware products. The emergency directive is in response to observed or expected active exploitation of a series of vulnerabilities (CVE 2022-22954, CVE 2022-22960, CVE-2022-22972, CVE-2022-22973) in the following VMware products:

VMware Workspace ONE Access (Access),
VMware Identity Manager (vIDM),
VMware vRealize Automation (vRA),
VMware Cloud Foundation,
vRealize Suite Lifecycle Manager (impacted VMware products).

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing the vulnerable VMware products for potential impacts from these reported vulnerabilities and validating actions. Philips is also monitoring for VMware updates related to these vulnerabilities and evaluating further possible actions as needed.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

F5 Advisory (CVE-2022-1388) (2022 May 13)

Publication Date: 2022 May 13

Update Date: 2022 November 21

Philips is currently monitoring developments and updates related to the recently released F5 security alert concerning a critical vulnerability (CVE-2022-1388) within the iControl REST component of their BIG-IP product line. F5 has already released recommended actions and mitigations to help eliminate the vulnerability.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by this vulnerability. To the best of our knowledge, the list is complete and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

837507 - IS PACS ¹

836240 - Universal Data Manager ¹ (UDM)

For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:

¹ Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure"

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.

Microsoft Denial of Service Vulnerability on Cluster Shared Volumes (CVE-2022-26784) (2022 April 27)

Publication Date: 2022 April 27

Update Date: 2022 June 8

Philips is currently monitoring developments and updates related to the recently released update for Microsoft Denial of Service vulnerability on Cluster Shared Volumes (CSV) advisory. (CVE-2022-26784)

Microsoft has already released a patch for this vulnerability as part of their April security update.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by this vulnerability. To the best of our knowledge, the list is complete and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

Holter Recorder DigiTrak XT (DTXT) - v3.0.4 ^1,2

IntelliSpace ECG - TMV C.03.06 ¹

ST80i - A.03.01.00 ^1,2

For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:

¹ Software only products with customer owned Operating Systems.

² Information or patch available in Incenter. Please contact your local service support team.

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.

Microsoft Remote Procedure Call (RPC) Advisory (CVE-2022-26809) (2022 April 26)

Publication Date: 2022 April 26

Update Date: 2022 November 18

Philips is currently monitoring developments and updates related to a critical Remote Code Execution vulnerability (CVE-2022-26809) within the Remote Procedure Call Runtime library of Microsoft Windows Operating System. Successful exploitation of the vulnerability could allow a remote, unauthenticated attacker to take control of the system.

Microsoft has already released a patch for this vulnerability as part of their April security update.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

CareEvent (B.x/C.x)²	IntelliSpace Portal Server (12.0)^1,2	Universal Data Manager
Data Warehouse Connect ^1,2	ISP Enterprise Concerto (11.0) ^1,2	UroNav ²
IntelliSpace PACS	PICix (All Versions) ^1,2	VUE PACS (12.1.5, 12.2.1, 12.2.5, 12.2.8)
IntelliSpace Portal Server (10.0/11.0) ^1,2	SensaVue ²	VUE RIS (11.3, 11.5)

For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:

¹ Software only products with customer owned Operating Systems.

² Information or patch available in Incenter. Please contact your local service support team.

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.

Microsoft Network File System Advisory (CVE-2022-24491) (2022 April 15)

Publication Date: 2022 April 15

Update Date: 2022 May 26

Philips is currently monitoring developments and updates related to a critical Remote Code Execution vulnerability (CVE-2022-24491) within Microsoft’s Network File System protocol. Successful exploitation of the vulnerability could allow an attacker to enable a remote code execution.

Microsoft has already released a patch for this vulnerability as part of their April security update.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by Microsoft’s vulnerability. To the best of our knowledge, the list is complete, and products & solutions not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

IntelliBridge Enterprise (B.6-B.16) ^1,2	IntelliSpace Perinatal ¹	IntelliVue Guardian Software ¹
IntelliSpace Concerto (10,11,12)^1,2	IntelliSpace Portal (10,11,12)^1,2	IntelliVue XDS ¹

For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:

1 Software only products with customer owned Operating Systems.

2 Information or patch available in Incenter. Please contact your local service support team.

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.

VMWare Spring Cloud Function Advisory (CVE-2022-22963) (2022 April 6)

Publication Date: 2022 April 6

Update Date: 2022 July 8

Philips is currently monitoring developments and updates related to the recently released VMWare Spring Cloud Function advisory concerning a critical vulnerability impacting Spring Cloud Function versions 3.1.6, 3.2.2 and earlier versions (CVE-2022-22963)

The vulnerability affects spring expression language (SpEL) injection impacting Spring Cloud Function. An exploit was observed in open source. Security researchers allegedly observed a significant amount of activity regarding CVE-2022-22963.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

VMware Spring4Shell Advisory (CVE-2022-22965) (2022 April 5)

Publication Date: 2022 April 5

Update Date: 2022 July 8

Philips is currently monitoring developments and updates related to the recently released VMware Spring advisory concerning a critical Remote Code Execution vulnerability (CVE-2022-22965) within the Spring Core Java framework and known as “Spring4Shell”.

The vulnerability impacts the Spring MVC and Spring WebFlux applications. Successful execution of this vulnerability could allow a remote attacker to take control of the affected system.

CardioVascular Scheduler 4.0 ¹

¹Information or patch available on Incenter. Please contact your local service support team.

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching

Philips e-Alert Hardware Advisory (2022 March 29)

Publication Date: 2022 March 29

Update Date: 2022 March 29

Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.

In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding the Philips e-Alert hardware solution, versions 2.7 and prior.

Regarding the Philips e-Alert hardware solution, versions 2.7 and prior, the company has identified one potential vulnerability that may allow an attacker within the same subnet to impact system availability. The vulnerability may allow attackers of low skill to issue an unauthenticated remote shutdown command, leading to a denial of service of the e-Alert hardware solution. To restore system operation, the e-Alert hardware solution needs to be manually powered on again.

At this time, Philips has received no reports of exploitation of this vulnerability. Philips e-Alert hardware solution is not a medical device, therefore there is no risk to patient safety.

Philips has reported this vulnerability publicly and to the appropriate government agencies, including the U.S. Cybersecurity Infrastructure and Security Agency (CISA), which is issuing an advisory.

Users with questions regarding their specific Philips e-Alert hardware solution are advised by Philips to contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location: https://www.usa.philips.com/healthcare/solutions/customer-service-solutions .

Cybersecurity & Infrastructure Security Agency (CISA) Advisory: https://www.cisa.gov/uscert/ics/advisories/icsma-22-088-01

Apache APISIX Advisory (CVE-2022-24112) (2022 March 29)

Publication Date: 2022 March 29

Update Date: 2022 March 29

Philips is currently monitoring developments and updates related to the recently released Apache APISIX advisory concerning a critical vulnerability impacting Apache APISIX versions 2.10.3 and earlier and APISIX versions 2.11.0 through 2.12.0. (CVE-2022-24112)

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

Apache Log4J 1.x Advisory (Multiple CVE’s) (2022 March 28)

Publication Date: 2022 March 28

Update Date: 2022 May 2

Philips is currently monitoring developments and updates related to multiple vulnerabilities found within Apache’s Log4J 1.x. Since Log4J 1.x is End of Life and no longer supported, Apache’s recommendation is to upgrade to the latest version of the utility, Log4j 2.x.

As part of the company’s product security policy and protocols, Philips teams are evaluating Philips’s products and solutions utilizing Apache’s Log4j utility for potential impacts from these reported vulnerabilities and validating actions.

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products that could be vulnerable to these vulnerabilities. To the best of our knowledge, the list is complete, and products & solutions not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

IntelliVue XDS¹

VuePACS (12.1.5, 12.2.x)

For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:

¹ Software only products with customer owned Operating Systems. For products solutions where the server was provided it is customer responsibility to validate and deploy patches.

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.

Microsoft Windows IKE Extension Advisory (CVE-2022-21849) (2022 March 23)

Publication Date: 2022 March 23

Update Date: 2022 May 10

Philips is currently monitoring developments and updates related to a critical Remote Code Execution vulnerability (CVE-2022-21849) within the IKE Extension component of Microsoft Windows Operating System. Microsoft has already released a patch for this vulnerability as part of their January security update.

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from this reported vulnerability and validating actions. At this time, Philips has identified a limited number of products that may be affected by this vulnerability. However, these products currently have validated software updates available that will prevent this issue from occurring. Philips is also monitoring for OS updates related to this vulnerability and evaluating further possible actions as needed.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by Microsoft’s vulnerability. To the best of our knowledge, the list is complete, and products & solutions not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

CareEvent (C.0x)^1,2	IntelliSpace Perinatal (K.x) ^1,2	IntelliVue Guardian Software (E.0x)^1,2
Data Warehouse Connect²	IntelliSpace Portal Server (11.0/12.0)^1,2	PICiX (C.0x)²
FocalPoint (A.0/A.01)^1,2	IntelliSpace Portal Enterprise (12.0)^1,2
IntelliBridge Enterprise (B.09-B.15)^1,2	ISP Enterprise Concerto (12.0)^1,2

For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:

¹ Software only products with customer owned Operating Systems.

²Information or patch available in Incenter. Please contact your local service support team.

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.

APC TLStorm Advisory (Multiple CVE’s) (2022 March 11)

Publication Date: 2022 March 11

Update Date: 2022 March 22

Philips is currently monitoring developments and updates related to the recently released Armis Advisory concerning three critical 0-day vulnerabilities and referred to as “TLStorm”. (CVE-2022-22805, CVE-2022-2806, CVE-2022-0715)

The vulnerabilities affect APC’s Smart-UPS devices that provide emergency backup power to mission critical assets. Successful exploitation to these vulnerabilities could allow remote attackers to take over the Smart-UPS devices and execute a remote code execution attack.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

Access:7 PTC Axeda Advisory (Multiple CVE’s) (2022 March 8)

Publication Date: 2022 March 8

Update Date: 2022 May 2

Philips is currently monitoring developments and updates related to a recently published CISA Advisory concerning multiple vulnerabilities affecting all versions of PTC’s Axeda Agent and Axeda Desktop Sever for Windows.

Axeda Agent and Axeda Desktop Server are a remote access connectivity software used as part of a cloud based IoT platform. Successful exploitation of the vulnerabilities could lead to remote code execution, log information access, file system read access and a denial-of-service condition.

As part of the company’s product security policy and protocols, Philips teams are evaluating Philips’s products and solutions utilizing PTC’s vulnerable Axeda products for potential impacts from these reported vulnerabilities and validating actions.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be vulnerable to PTC’s Axeda vulnerabilities. To the best of our knowledge, the list is complete, and products & solutions not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

Capsule Support Access Tool

Respilink

Note:

Capsule products are not impacted by these vulnerabilities. Customers who have not used the Capsule Support Access Tool are not impacted. For Philips Capsule customers who opted for remote support through Capsule Support Access Tool, Philips is in the decommissioning process and will be sending out security notices that would include remediation and mitigation steps.

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are not affected by this vulnerability

CISA's Shields Up Advisory (2022 February 25)

Publication Date: 2022 February 25

Update Date: 2022 March 2

Philips is currently monitoring developments and updates related to the recently released Shields Up Advisory by the Cybersecurity and Infrastructure Security Agency (CISA), which is related to recent cyber-attacks on the Ukrainian government and critical infrastructure organizations.

The advisory recommends organizations to adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets. Philips strongly recommends that customers follow CISA’s guidance and recommendations to make near-term progress towards improving cybersecurity and resilience.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

For customers who utilize the Philips Remote Services Network (RSN, PRS), all customers are advised against geo-blocking or disconnecting the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.

PwnKit Advisory (CVE-2021-4034) (2022 January 28)

Publication Date: 2022 January 28

Update Date: 2022 May 2

Philips is currently monitoring developments and updates related to the recently published Red Hat advisory (CVE-2021-4034) concerning a local privilege escalation vulnerability and referred to as “Pwnkit”.

This vulnerability is found on polkit's pkexec utility which is installed by default on all major Linux distributions. According to Red Hat, successful exploitation of this vulnerability could allow an unprivileged local attacker to escalate privileges, bypassing any authentication and policies due to incorrect handling of the process’s argument vector.

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

Philips is providing the list below in order to better assist our customers in identifying any Philips’ products that could be vulnerable to CVE-2021-4034. To the best of our knowledge, the list is complete, and products & solutions not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

Philips IntelliSite Pathology Solution - Ultra Fast Scanner

Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.

Philips Engage Software (2022 January 6)

Publication Date: 2022 January 6

Update Date: 2022 January 6

Philips has already released and deployed to all customers an updated version (6.2.2) on September 28, 2021 in which the vulnerability was fixed. The current version of this software is version 6.2.3. which was released November 25, 2021.

The identified issue that has been corrected is a low-severity vulnerability (CVSS v3 score of 2.6 on a scale of 10) regarding improper access control (CWE-284). If exploited, this issue may allow an authenticated user to potentially view business contact information.

This issue requires a medium skill level and authenticated user login credentials to exploit.

At this time, Philips has received no reports of exploitation of this vulnerability or incidents from clinical use that we have been able to associate with this problem. Engage is a patient portal and medical device software under regulations in the markets where it is offered. Engage is used solely to support the self-management of patients and their care network and is not meant to be used for therapeutic or diagnostic purposes.

Philips has reported this potential vulnerability and its resolution to customers and the appropriate government agencies, including the U.S. Cybersecurity Infrastructure and Security Agency (CISA), which is issuing an advisory.

Users with questions regarding their specific Philips Engage software are advised by Philips to contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location: https://www.usa.philips.com/healthcare/solutions/customer-service-solutions

Cybersecurity & Infrastructure Security Agency (CISA) Advisory:

https://www.cisa.gov/uscert/ics/advisories/icsma-22-006-01

Philips manufactures, sells and helps you maintain highly complex medical devices and systems. Per policy, only Philips authorized changes are allowed to be made to these systems, either by Philips personnel or under Philips explicit published direction.

Please contact your Philips service representative for specific information about potential vulnerabilities and the availability of patches for your equipment configuration.

Customers with specific questions regarding any security advisory or their Philips products are asked to send an e-mail to productsecurity@philips.com, contact their Philips Service Representative or contact their regional Philips Service Support.

Any media inquiries should be directed to:

Mario Fante, mario.fante@philips.com
or (outside N. America):
Steve Klink, steve.klink@philips.com