Publication Date: 2021 March 10
Update Date: 2021 March 12
Philips is currently monitoring developments and updates related to the recent F5 alert concerning four critical CVEs, along with three related CVEs (two highs and one medium).
As part of the company’s product security policy and protocols, Philips’ teams are evaluating Philips’ products and solutions utilizing F5 for potential impacts from these reported vulnerabilities and validating actions. F5 has released a patch to help remediate this vulnerability. Philips is currently in the process of validating the F5 patch and vendor recommended mitigation options. Once the F5 patch has been tested and validated by Philips with the impacted products, the patch will either be installed by Philips or made available for installation by customers, depending on contract details.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
When a product does require security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation will be produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.
Begin Update A: March 12, 2020
Philips is providing the list below in order to better assist our customers in identifying any Philips’ products vulnerable to CVE-2021-22986, CVE-2021-22987, CVE-2021-22991, CVE-2021-22992. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.
Clinical Collaboration Platform ***
(formally called Vue PACS)
IS PACS (versions 3.6, 4.1, 4.4, 4.4.551, and 4.4.553***
Universal Data Manager (UDM) (versions 1.1, 2.1, and 3.1) ***
*Software only products with customer owned Operating Systems
**Information or patch available in Incenter
***Philips hosting business is in the process of validating and deploying the patch to the managed infrastructure
End Update A