Publication Date: 2022 December 14
Update Date: 2022 December 14
Philips is currently monitoring developments and updates related to the recent security advisory released by Citrix, a cloud computing and virtualization technology company, concerning a critical vulnerability (CVE-2022-27518) affecting their Citrix Gateway and Citrix ADC products.
Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution. Citrix has released updated versions of both Citrix Gateway and ADC that address this vulnerability.
At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.
Publication Date: 2022 November 18
Update Date: 2022 November 22
Philips is currently monitoring developments and updates related to the recent security advisory released by F5, a cloud application services and security company, concerning two critical vulnerabilities (CVE-2022-41622 and CVE-2022-41800) within their BIG-IP and BIG-IQ product line. F5 is currently working on introducing a fix for these vulnerabilities.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips’s product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.
Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by the above mentioned F5 vulnerabilities. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips’s product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.
837507 – IntelliSpace PACS 1 | | |
For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:
1 Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure. Please note that ISPACS is only impacted by CVE-2022-41622.
Note: For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect
Publication Date: 2022 November 3
Update Date: 2022 November 22
Philips is currently monitoring developments and updates related to the recently released list of 19 security vulnerabilities for F5 products. These vulnerabilities affect numerous BIG-IP, F5OS, and NGINX versions and modules.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.
Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by the above mentioned F5 vulnerabilities. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.
837507 – IntelliSpace PACS 1 | | |
For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:
1 Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure.
Note: For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect
Publication Date: 2022 November 2
Update Date: 2022 November 2
Philips is currently monitoring developments and updates related to the recently released OpenSSL security update concerning two high-risk vulnerabilities (CVE-2022-3602 & CVE-2022-3786) that could be triggered within the X.509 certificate verification process. OpenSSL has released an updated version (V3.07) that fixes both vulnerabilities.
At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.
Publication Date: 2022 October 20
Update Date: 2022 October 31
Philips is currently monitoring developments and updates related to the recently released Microsoft security update concerning a zero-day vulnerability (CVE-2022-37969) pertaining to Windows Common Log File System Driver Elevation of Privilege. Microsoft states that an attacker who successfully exploited this vulnerability could gain SYSTEM privileges. However, an attacker must already have access and the ability to run code on the target system. This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.
Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by Microsoft’s vulnerability. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.
867113 - Focal Point 1,2 | 860292 - Holter SW 1,2 | 860343 - ST80i 2 |
For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:
1 Software only products.
2 Information or patch available in InCenter. Please contact your local service support team.
Note: For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.
Publication Date: 2022 October 6
Update Date: 2022 October 6
Philips is currently monitoring developments and updates related to the recently released Microsoft security update concerning two zero-day vulnerabilities (CVE-2022-41040 & CVE-2022-41082) within Microsoft Exchange Server. Microsoft continues to investigate the two reported vulnerabilities but, in the interim, has provided mitigation guidance.
At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.
Publication Date: 2022 September 19
Update Date: 2022 September 19
Philips is aware of the recent FBI Private Industry Notification warning healthcare facilities of the risks associated with unpatched and outdated medical devices. This warning highlights the fact that the FBI has seen an increase in the number of vulnerabilities posed by unpatched medical devices that are running on outdated software and devices that are not adequately protected. Philips follows these recommendations and encourages our customers to do the same. For more information, see: https://www.ic3.gov/media/news/2022/220912.pdf
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips’s product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips’s product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products. For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.
Publication Date: 2022 September 2
Update Date: 2022 September 2
Philips is currently monitoring developments and updates related to the recently released Oracle security update concerning a vulnerability (CVE-2022-21500) within the E-Business Suite (V12.2) product. Oracle has released a patch and recommends that it be applied as soon as possible.
At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.
Publication Date: 2022 August 25
Update Date: 2022 August 25
Philips is currently monitoring developments and updates related to the Realtek AP-Router SDK Advisory (CVE-2022-27255). Realtek has confirmed that, in their eCos SDK-based routers, the ‘SIP ALG’ module is vulnerable to a buffer overflow.
Successful exploitation of this vulnerability could cause a crash or achieve remote code execution. Realtek has released a patch that remediates this vulnerability.
At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate. Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips’s product-specific, verified & validated, authorized, and communicated customer procedures or field actions. If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips’s product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.
Publication Date: 2022 August 18
Update Date: 2022 August 18
Philips is currently monitoring developments and updates related to the recently released Cisco advisory. Cisco has confirmed a critical vulnerability (CVE-2022-20866) exists in the handling of RSA keys on devices running Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software. At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.
Successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to retrieve an RSA private key. Cisco has released software updates that help remediate this vulnerability.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips’s product-specific, verified & validated, authorized, and communicated customer procedures or field actions. Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips’s product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.
Publication Date: 2022 August 17
Update Date: 2022 August 17
Philips is currently monitoring developments and updates related to the recently released Microsoft security update concerning a Security Feature Bypass vulnerability (CVE-2021-26414) within the DCOM server protocol. Microsoft is addressing this vulnerability in a phased rollout with the final update scheduled for Q1 2023.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.
Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by Microsoft’s vulnerability. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.
779030/779011 - Capsule Neuron (V2 & V3) | 881001 - IntelliSpace Portal Server 10/11/12 1,2 | 881050 - IntelliSpace Enterprise Concerto 1,2 |
For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:
1 Software only products.
2 Information or patch available in InCenter. Please contact your local service support team.
Note: For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.
Publication Date: 2022 August 17
Update Date: 2022 August 17
Philips is currently monitoring developments and updates related to the recently released Cisco advisory. Cisco has confirmed that a critical vulnerability (CVE-2022-20715) exists in their Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software. Successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. Cisco has released software updates that help remediate this vulnerability.
At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate. Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips’s product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips’s product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.
Publication Date: 2022 August 11
Update Date: 2022 August 11
Philips is currently monitoring developments and updates related to the recently disclosed Twilio security breach. A Short Message Service (SMS) phishing campaign was used to compromise employee credentials and gain access to Twilio internal systems, where attackers were able to access certain customer data.
Twilio has since revoked access to the compromised employee accounts to mitigate the attack and is awaiting results from an ongoing forensic investigation. Please visit the Twilio security alert page for future updates.
At this time, no Philips products are known to be impacted by this breach. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
Publication Date: 2022 August 9
Update Date: 2022 November 21
Philips is currently monitoring developments and updates related to the recently released F5 security alert concerning several critical vulnerabilities within the BIG-IP product line. F5 has already released mitigations to help eliminate the vulnerabilities.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.
Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by these vulnerabilities. To the best of our knowledge, the list is complete and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.
837507 - IS PACS 1 | 836240 - Universal Data Manager 1 (UDM) | |
For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:
1 Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure.
Note: For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.
Publication Date: 2022 August 4
Update Date: 2022 August 4
Philips is currently monitoring developments and updates related to the recently released VMware Security (VMSA-2022-0021) advisory concerning multiple critical vulnerabilities within several VMware products.
Successful exploitation of these vulnerabilities could allow a remote attacker to take control of the system.
At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips’s product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips’s product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.
Publication Date: 2022 June 30 Update Date: 2022 November 18 Philips is currently monitoring developments and updates related to the recently released Microsoft advisory concerning a critical Remote Code Execution vulnerability (CVE-2022-30190) within the Windows Support Diagnostic Tool (MSDT) and known as “Follina”. If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips’s product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.
Successful execution of this vulnerability could allow an attacker to run arbitrary code with privileges and take control of the system.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips’s product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by this vulnerability. To the best of our knowledge, the list is complete, and products & solutions not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.
722458 - Flex Cardio 2 | 830230 - XperIM 1,2 | 784005 - SensaVue 2 |
For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below: 1 Software only products with customer owned operating systems. 2 Information or patch available on InCenter. Please contact your local service support team. Note: For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.
Publication Date: 2022 June 29 Update Date: 2022 June 29 Philips is currently monitoring developments and updates related to the recently released OFFIS advisory concerning multiple vulnerabilities (CVE-2022-2119, CVE-2022-2120, CVE-2022-2121) within several versions (all prior to 3.6.7) of the DCMTK libraries and software.
Successful execution of these vulnerabilities could allow an attacker to cause a denial-of-service condition, write malformed DICOM files into arbitrary directories, and gain remote code execution.
At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips’s product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips’s product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.
Publication Date: 2022 May 20 Update Date: 2023 January 31 Philips is currently monitoring developments and updates related to the recently released CISA directive 22-03 concerning multiple vulnerabilities in several VMware products. The emergency directive is in response to observed or expected active exploitation of a series of vulnerabilities (CVE-2022-22954, CVE-2022-22960, CVE-2022-22972, CVE-2022-22973) in the following VMware products: At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate. Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions. If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.
Publication Date: 2022 May 13 Update Date: 2022 November 21 Philips is currently monitoring developments and updates related to the recently released F5 security alert concerning a critical vulnerability (CVE-2022-1388) within the iControl REST component of their BIG-IP product line. F5 has already released recommended actions and mitigations to help eliminate the vulnerability. If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products. Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by this vulnerability. To the best of our knowledge, the list is complete and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
837507 - IS PACS 1 | 836240 - Universal Data Manager 1 (UDM) | |
For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below: 1 Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure. Note: For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.
Publication Date: 2022 April 27 Update Date: 2022 June 8 Philips is currently monitoring developments and updates related to the recently released update for Microsoft Denial of Service vulnerability on Cluster Shared Volumes (CSV) advisory (CVE-2022-26784). If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products. Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by this vulnerability. To the best of our knowledge, the list is complete and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.
Microsoft has already released a patch for this vulnerability as part of their April security update.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
860322 - Holter Recorder DigiTrak XT (DTXT) - v3.0.4 1,2 | 860426 - IntelliSpace ECG - TMV C.03.06 1 | 860343 - ST80i - A.03.01.00 1,2 |
For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below: 1 Software only products with customer owned Operating Systems. 2 Information or patch available in InCenter. Please contact your local service support team.
Note: For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.
Publication Date: 2022 April 26 Update Date: 2023 January 2 Philips is currently monitoring developments and updates related to a critical Remote Code Execution vulnerability (CVE-2022-26809) within the Remote Procedure Call Runtime library of Microsoft Windows Operating System. Successful exploitation of the vulnerability could allow a remote, unauthenticated attacker to take control of the system. Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by Microsoft’s vulnerability. To the best of our knowledge, the list is complete, and products not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.
Microsoft has already released a patch for this vulnerability as part of their April security update.
As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from this reported vulnerability and validating actions.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.
866435/867369 - CareEvent (B.x/C.x) 2 | 881001 - IntelliSpace Portal Server (12.0) 1,2 | 836240 - Universal Data Manager 3 |
Data Warehouse Connect 1,2 | 881050 - ISP Enterprise Concerto (11.0) 1,2 | 784026 - UroNav 2 |
837507 - IntelliSpace PACS 3 | 866389/867141 - PICix (All Versions) 1,2 | 839001 - VUE PACS (12.1.5, 12.2.1, 12.2.5, 12.2.8) 3 |
881001 - IntelliSpace Portal Server (10.0/11.0) 1,2 | 784005 - SensaVue 2 | 839007 - VUE RIS (11.3, 11.5) 3 |
For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below: 1 Software only products with customer owned Operating Systems. 2 Information or patch available in InCenter. Please contact your local service support team. 3 Information or patch available in InCenter. Please contact your local service support team.
Note: For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.
Publication Date: 2022 April 15 Update Date: 2022 May 26 Philips is currently monitoring developments and updates related to a critical Remote Code Execution vulnerability (CVE-2022-24491) within Microsoft’s Network File System protocol. Successful exploitation of the vulnerability could allow an attacker to achieve remote code execution. Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by Microsoft’s vulnerability. To the best of our knowledge, the list is complete, and products & solutions not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.
Microsoft has already released a patch for this vulnerability as part of their April security update.
As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from this reported vulnerability and validating actions.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.
866183 - IntelliBridge Enterprise (B.6-B.16) 1,2 | 867061 - IntelliSpace Perinatal 1 | 866009 - IntelliVue Guardian Software 1 |
881050 - IntelliSpace Concerto (10,11,12) 1,2 | 881001 - IntelliSpace Portal (10,11,12) 1,2 | 867019 - IntelliVue XDS 1 |
For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below: 1 Software only products with customer owned Operating Systems. 2 Information or patch available in InCenter. Please contact your local service support team.
Note: For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.
Publication Date: 2022 April 6 Update Date: 2022 July 8 Philips is currently monitoring developments and updates related to the recently released VMware Spring Cloud Function advisory concerning a critical vulnerability impacting Spring Cloud Function versions 3.1.6, 3.2.2 and earlier versions (CVE-2022-22963). If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products. At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.
The vulnerability is a Spring Expression Language (SpEL) injection impacting Spring Cloud Function. An exploit was observed in open source. Security researchers allegedly observed a significant amount of activity regarding CVE-2022-22963.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
Publication Date: 2022 April 5 Update Date: 2022 July 8 Philips is currently monitoring developments and updates related to the recently released VMware Spring advisory concerning a critical Remote Code Execution vulnerability (CVE-2022-22965) within the Spring Core Java framework and known as “Spring4Shell”. The vulnerability impacts the Spring MVC and Spring WebFlux applications. Successful execution of this vulnerability could allow a remote attacker to take control of the affected system. If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips’s product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products. Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by this vulnerability. To the best of our knowledge, the list is complete, and products & solutions not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips’s product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
830265 - CardioVascular Scheduler 4.0 1 | | |
1 Information or patch available on InCenter. Please contact your local service support team.
For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.
Publication Date: 2022 March 29 Update Date: 2022 March 29 Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities. In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding the Philips e-Alert hardware solution, versions 2.7 and prior. Regarding the Philips e-Alert hardware solution, versions 2.7 and prior, the company has identified one potential vulnerability that may allow an attacker within the same subnet to impact system availability. The vulnerability may allow attackers of low skill to issue an unauthenticated remote shutdown command, leading to a denial of service of the e-Alert hardware solution. To restore system operation, the e-Alert hardware solution needs to be manually powered on again. At this time, Philips has received no reports of exploitation of this vulnerability. Philips e-Alert hardware solution is not a medical device, therefore there is no risk to patient safety. Philips has reported this vulnerability publicly and to the appropriate government agencies, including the U.S. Cybersecurity Infrastructure and Security Agency (CISA), which is issuing an advisory. Users with questions regarding their specific Philips e-Alert hardware solution are advised by Philips to contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location: https://www.usa.philips.com/healthcare/solutions/customer-service-solutions .
Cybersecurity & Infrastructure Security Agency (CISA) Advisory: https://www.cisa.gov/uscert/ics/advisories/icsma-22-088-01
Publication Date: 2022 March 29 Update Date: 2022 March 29 Philips is currently monitoring developments and updates related to the recently released Apache APISIX advisory concerning a critical vulnerability impacting Apache APISIX versions 2.10.3 and earlier and APISIX versions 2.11.0 through 2.12.0 (CVE-2022-24112). If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
At this time, no Philips products are known to be impacted. In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.
Publication Date: 2022 March 28 Update Date: 2023 January 2 Philips is currently monitoring developments and updates related to multiple vulnerabilities found within Apache’s Log4j 1.x. Since Log4j 1.x is End of Life and no longer supported, Apache’s recommendation is to upgrade to the latest version of the utility, Log4j 2.x. As part of the company’s product security policy and protocols, Philips teams are evaluating Philips’s products and solutions utilizing Apache’s Log4j utility for potential impacts from these reported vulnerabilities and validating actions. Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products. https://incenter.medical.philips.com Philips is providing the list below in order to better assist our customers in identifying any Philips’ products that could be impacted by these vulnerabilities. To the best of our knowledge, the list is complete, and products & solutions not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.
867019 - IntelliVue XDS 1 | 839001 - VuePACS (12.1.5, 12.2.x) 2 |
For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below: 1 Software only products with customer owned Operating Systems. For product solutions where the server was provided, it is the customer’s responsibility to validate and deploy patches. 2 Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure. Note: For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips’s service teams from providing any required immediate and proactive support such as remote patching.
Publication Date: 2022 March 23 Update Date: 2022 May 10 Philips is currently monitoring developments and updates related to a critical Remote Code Execution vulnerability (CVE-2022-21849) within the IKE Extension component of Microsoft Windows Operating System. Microsoft has already released a patch for this vulnerability as part of their January security update. As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing Microsoft Operating Systems for potential impacts from this reported vulnerability and validating actions. At this time, Philips has identified a limited number of products that may be affected by this vulnerability. However, these products currently have validated software updates available that will prevent this issue from occurring. Philips is also monitoring for OS updates related to this vulnerability and evaluating further possible actions as needed.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be impacted by Microsoft’s vulnerability. To the best of our knowledge, the list is complete, and products & solutions not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.
866435 - CareEvent (C.0x) [1,2] | 867061 - IntelliSpace Perinatal (K.x) [1,2] | 866009 - IntelliVue Guardian Software (E.0x) [1,2]
Data Warehouse Connect [2] | 881001 - IntelliSpace Portal Server (11.0/12.0) [1,2] | 866389 - PICiX (C.0x) [2]
867113 - FocalPoint (A.0/A.01) [1,2] | 881050 - IntelliSpace Portal Enterprise (12.0) [1,2]
866183 - IntelliBridge Enterprise (B.09-B.15) [1,2] | 881050 - ISP Enterprise Concerto (12.0) [1,2]
For all above products Philips is evaluating the best possible mitigations. Specific mitigations are listed below:
[1] Software-only products with customer-owned operating systems.
[2] Information or patch available in InCenter. Please contact your local service support team.
Note: For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability, and customers are advised not to disconnect the PRS, as this may hinder Philips’s service teams in providing any required immediate and proactive support, such as remote patching.
Publication Date: 2022 March 11
Update Date: 2022 March 22
Philips is currently monitoring developments and updates related to the recently released Armis Advisory concerning three critical 0-day vulnerabilities referred to as “TLStorm” (CVE-2022-22805, CVE-2022-2806, CVE-2022-0715). The vulnerabilities affect APC’s Smart-UPS devices that provide emergency backup power to mission critical assets. Successful exploitation of these vulnerabilities could allow remote attackers to take over the Smart-UPS devices and carry out a remote code execution attack.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.
At this time, no Philips products are known to be impacted.
In accordance with Philips’ Global Security Policy, Philips continues to analyze the matter, and further information will be posted on the Philips Product Security Advisory page as appropriate.
Publication Date: 2022 March 8
Update Date: 2023 January 2
Philips is currently monitoring developments and updates related to a recently published CISA Advisory concerning multiple vulnerabilities affecting all versions of PTC’s Axeda Agent and Axeda Desktop Server for Windows. Axeda Agent and Axeda Desktop Server are remote access connectivity software used as part of a cloud-based IoT platform. Successful exploitation of the vulnerabilities could lead to remote code execution, log information access, file system read access and a denial-of-service condition. As part of the company’s product security policy and protocols, Philips teams are evaluating Philips’s products and solutions utilizing PTC’s vulnerable Axeda products for potential impacts from these reported vulnerabilities and validating actions.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
Philips is providing the list below to better assist our customers in identifying any Philips’ products that could be vulnerable to PTC’s Axeda vulnerabilities. To the best of our knowledge, the list is complete, and products & solutions not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.
Capsule Support Access Tool [1] | Respilink
[1] Philips has taken the necessary steps to remediate the Axeda vulnerabilities. A security notice was also sent to all customers via email.
Note: Capsule products are not impacted by these vulnerabilities. Customers who have not used the Capsule Support Access Tool are not impacted. For Philips Capsule customers who opted for remote support through Capsule Support Access Tool, Philips is in the decommissioning process and will be sending out security notices that would include remediation and mitigation steps. For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are not affected by this vulnerability.
Publication Date: 2022 February 25
Update Date: 2022 March 2
Philips is currently monitoring developments and updates related to the recently released Shields Up Advisory by the Cybersecurity and Infrastructure Security Agency (CISA), which is related to recent cyber-attacks on the Ukrainian government and critical infrastructure organizations. The advisory recommends that organizations adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets. Philips strongly recommends that customers follow CISA’s guidance and recommendations to make near-term progress towards improving cybersecurity and resilience.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up-to-date information specific to their Philips’ products.
For customers who utilize the Philips Remote Services Network (RSN, PRS), all customers are advised against geo-blocking or disconnecting the PRS, as this may hinder Philips service teams in providing any required immediate and proactive support, such as remote patching.
Publication Date: 2022 January 28
Update Date: 2022 May 2
Philips is currently monitoring developments and updates related to the recently published Red Hat advisory (CVE-2021-4034) concerning a local privilege escalation vulnerability referred to as “Pwnkit”. This vulnerability is found in polkit's pkexec utility, which is installed by default on all major Linux distributions. According to Red Hat, successful exploitation of this vulnerability could allow an unprivileged local attacker to escalate privileges, bypassing any authentication and policies due to incorrect handling of the process’s argument vector.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips’s policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products that could be vulnerable to CVE-2021-4034. To the best of our knowledge, the list is complete, and products & solutions not listed should be considered not impacted. Philips reserves the right to update the list as necessary if additional products are identified.
452220709192 - Philips IntelliSite Pathology Solution - Ultra Fast Scanner
Note: For customers who utilize the Philips Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability, and customers are advised not to disconnect the PRS, as this may hinder Philips service teams in providing any required immediate and proactive support, such as remote patching.
Publication Date: 2022 January 6
Update Date: 2022 January 6
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory regarding the Philips Engage Software (Version 6.2.1 and prior). Philips has already released and deployed to all customers an updated version (6.2.2) on September 28, 2021 in which the vulnerability was fixed. The current version of this software is version 6.2.3, which was released November 25, 2021.
The identified issue that has been corrected is a low-severity vulnerability (CVSS v3 score of 2.6 on a scale of 10) regarding improper access control (CWE-284). If exploited, this issue may allow an authenticated user to potentially view business contact information. This issue requires a medium skill level and authenticated user login credentials to exploit.
At this time, Philips has received no reports of exploitation of this vulnerability or incidents from clinical use that we have been able to associate with this problem.
Engage is a patient portal and medical device software under regulations in the markets where it is offered. Engage is used solely to support the self-management of patients and their care network and is not meant to be used for therapeutic or diagnostic purposes.
Philips has reported this potential vulnerability and its resolution to customers and the appropriate government agencies, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which is issuing an advisory.
Users with questions regarding their specific Philips Engage software are advised by Philips to contact their Customer Success Manager (CSM), local Philips service support team, or regional service support. Philips contact information is available at the following location: https://www.usa.philips.com/healthcare/solutions/customer-service-solutions
Cybersecurity & Infrastructure Security Agency (CISA) Advisory:
Philips manufactures, sells and helps you maintain highly complex medical devices and systems. Per policy, only Philips-authorized changes are allowed to be made to these systems, either by Philips personnel or under Philips’ explicit published direction.
Please contact your Philips service representative for specific information about potential vulnerabilities and the availability of patches for your equipment configuration.