Publication Date: 2021 February 23
Update Date: 2021 March 15
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
Philips continues to review developments related to recently reported VMware ESXi and vCenter Server critically rated updates (CVE-2021-21972, CVE-2021-21973 and CVE-2021-21974), related to multiple vulnerabilities in VMware ESXi and vSphere Client (HTML5). At this time, VMware has made software updates available to remediate these vulnerabilities in affected VMware products.
Following evaluation of the reported VMware vulnerabilities, Philips has identified a limited number of products that contain affected VMware software. Philips analysis has determined that the majority of these products are not affected by the reported vulnerability.
For products potentially affected by the VMware vulnerability, Philips has determined that if affected VMware software is updated to the most recent versions containing the security upgrade, the reported vulnerabilities are mitigated. Philips does not provide or maintain VMware for customers using these products and advises customers to assess their VMware environment to determine if a software update/upgrade is necessary.
Affected Philips systems are safe for continued operation consistent with their Instructions for Use. To date, Philips has not received any reports of exploitation of these issues or of incidents from clinical use that we have been able to associate with this issue.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips-approved product specifications.
Begin Update A: 2021 March 15
Philips is providing the list below in order to better assist our customers in identifying any Philips products running on VMware ESXi and vCenter that could be vulnerable to CVE-2021-21972, CVE-2021-21973 or CVE-2021-21974. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.