security main L

Please find our Security Advisories here

Security Advisories

Sisense Advisory (2024 April 16)

Publication Date: 2024 April 16

Update Date: 2024 April 16

 

Philips is currently monitoring developments and updates related to a CISA security alert, issued in response to a compromise discovered by independent security researchers impacting Sisense, a company that provides data analytics services.


For more information, see: Compromise of Sisense Customer Data | CISA


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


If a product does require any security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.


Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.


Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by this Sisense incident. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

Philips PerformanceBridge 4.x with Practice

Philips VitalHealth Questionnaire Manager 6.3.3.0 2

For all the above mentioned products, Philips is evaluating the best possible mitigations. Specific mitigations are listed below:

 

1 Information available on Philips Incenter. Please contact your local service support team.

2 Affected service has been disabled.


Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are not impacted by this Sisense cybersecurity incident and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.

Terrapin Attack SSH Advisory (CVE-2023-48795) (2024 April 8)

Publication Date: 2024 April 8

Update Date: 2024 April 17

 

Philips is currently monitoring developments and updates related to a SSH transport protocol vulnerability (CVE-2023-48795) that affects many SSH client and server implementations. This vulnerability, also known as the "Terrapin attack", could allow an attacker to downgrade the security of a SSH connection by manipulating information transferred during the connection's initial handshake/negotiation sequence.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.


If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.


Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by this vulnerability. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

Cardiologs 2

MsMs 2

 Home+ 2

867173 – VitalSky

453564235171/81 – Smarthopping 2

718133 – Zenition 70 2

For all above products Philips is evaluating the best possible mitigations.

 

1 Software only products with customer owned Operating Systems.

2 For impacted customers, Philips is in the process of validating and deploying the patch to the managed infrastructure

Google Chrome Advisory (CVE-2024-2883) (2024 April 5)

Publication Date: 2024 April 5

Update Date: 2024 April 5

 

Philips is currently monitoring developments and updates related reports of A critical severity Zero-day vulnerability affecting all Chromium based browsers – including Edge – was disclosed recently.(CVE-2024-2883). The vulnerability affects ANGLE or Almost Native Graphics Layer Engine, used within WebGL graphics renderer. The issue was initially disclosed by Chrome, and then further by Microsoft, which confirmed that, as per Google, it was being exploited, and affects Microsoft Edge browsers.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

 

Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by this vulnerability. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

866435 – Care Event 1

866389 - PICix (All Versions) 1

Data Warehouse Connect 1

867113 – Focal Point1

Acute Patient Monitoring Platform (ACPMP)

For all above products Philips is evaluating the best possible mitigations.

 

1 Software only products with customer owned Operating Systems.

XZ Utils Advisory (CVE-2024-3094) (2024 April 5)

Publication Date: 2024 April 5

Update Date: 2024 April 5

 

Philips is currently monitoring developments and updates related reports of malicious code being embedded in XZ Utils versions 5.6.0 and 5.6.1.(CVE-2024-3094). XZ Utils is data compression software and may be present in Linux distributions. The malicious code may allow unauthorized access to affected systems.


CISA recommends developers and users to downgrade XZ Utils to an uncompromised version—such as XZ Utils 5.4.6 Stable—hunt for any malicious activity and report any positive findings to CISA.

 

Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols,

 

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

DICOM Element Parsing Advisory (CVE-2024-24793, CVE-2024-24794) (2024 March 15)

Publication Date: 2024 March 15

Update Date: 2024 March 15

 

Philips is currently monitoring developments and updates related to two use-after-free vulnerabilities discovered within DICOM Element Parsing as implemented in Imaging Data Commons libdicom 1.0.5.(CVE-2024-24793, CVE-2024-24794). A patch to address the above critical vulnerabilities has been issued.

 

Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols,

 

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

Linux Kernel Advisory (CVE-2024-26582) (2024 February 29)

Publication Date: 2024 February 29

Update Date: 2024 February 29

 

Philips is currently monitoring developments and updates related to a vulnerability within the Linux kernel (CVE-2024-26582). A use-after-free vulnerability was found in the tls subsystem of the Linux kernel. The tls_decrypt_sg() function doesn't take references on the pages from clear_skb, so the put_page() in tls_decrypt_done() releases them and a use-after-free can be triggered in process_rx_list when trying to read from the partially-read skb. This issue could lead to a denial of service condition or code execution.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

 

Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by this vulnerability. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.

IIT REACTS 1

Collaboration Live 1

Cardiologs 1

863359/863380 - EarlyVue VS301

For all above products Philips is evaluating the best possible mitigations.

 

1 For impacted customers, Philips is in the process of validating and deploying the patch to the managed infrastructure


Note:

For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.

Ivanti Connect Secure and Policy Secure Advisory (Multiple CVE's) (2024 February 12)

Publication Date: 2024 February 12

Update Date: 2024 February 12

 

Philips is currently monitoring developments and updates related to multiple vulnerabilities discovered within all supported versions of Ivanti Connect Secure and Policy Secure products (CVE-2024-21888, CVE-2024-21893, CVE-2023-46805, CVE-2024-21893). Ivanti has released a patch to address the above critical vulnerabilities.

 

Philips’ teams are continuously evaluating Philips’ products and solutions for potential impacts from vulnerabilities and validating actions, as part of the company’s product security policy and protocols,

 

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. Customers (contract-entitled or otherwise) who still have questions are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

GitLab Critical Vulnerability (CVE-2023-7028) (2024 January 26)

Publication Date: 2024 January 25

Update Date: 2024 January 25

 

Philips is aware and is currently monitoring developments and updates related to the recent GitLab critical zero-click account hijacking vulnerability (CVE-2023-7028).

 

The vulnerability impacts GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.1 to 16.7.1 and was addressed with the release of GitLab versions 16.5.6, 16.6.4, and 16.7.2. The fix was backported to GitLab versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5.

 

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions for potential impacts from this reported vulnerability and validating actions.

 

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.


Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

Citrix NetScaler ADC and Gateway (CVE-2023-6548, CVE-2023-6549) (2024 January 22)

Publication Date: 2024 January 22

Update Date: 2024 January 22

 

Philips is currently monitoring developments and updates related to two vulnerabilities discovered in Citrix ADC and Gateway (CVE-2023-6548, CVE-2023-6549). Applicable products include Citrix NetScaler ADC and NetScaler Gateway.

 

These vulnerabilities affect the following supported versions of NetScaler ADC and NetScaler Gateway:

 

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
  • NetScaler ADC 13.1-FIPS before 13.1-37.176
  • NetScaler ADC 12.1-FIPS before 12.1-55.302
  • NetScaler ADC 12.1-NDcPP before 12.1-55.302

 

As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions for potential impacts from these reported vulnerabilities and validating actions.

 

At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.

 

Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.

 

Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.

Philips manufactures, sells and helps you maintain highly complex medical devices and systems. Per policy, only Philips authorized changes are allowed to be made to these systems, either by Philips personnel or under Philips explicit published direction.


Please contact your Philips service representative for specific information about potential vulnerabilities and the availability of patches for your equipment configuration.

Customers with specific questions regarding any security advisory or their Philips products are asked to send an e-mail to productsecurity@philips.com, contact their Philips Service Representative or contact their regional Philips Service Support.

 

Any media inquiries should be directed to:


Mario Fante, mario.fante@philips.com
or (outside N. America):
Steve Klink, steve.klink@philips.com

You are about to visit a Philips global content page

Continue

You are about to visit a Philips global content page

Continue

Our site can best be viewed with the latest version of Microsoft Edge, Google Chrome or Firefox.