Publication Date: 2021 May 26
Update Date: 2021 May 28
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive, ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
Philips continues to review developments related to recently reported VMware vCenter Server and VMware Cloud Foundation critical- and medium-rated vulnerabilities (CVE-2021-21985 & CVE-2021-21986). According to VMware advisory VMSA-2021-0010, these VMware vCenter Server updates address remote code execution and authentication vulnerabilities.
Following evaluation of the reported VMware vulnerabilities, Philips has identified a limited number of products that contain affected VMware software. Philips analysis has determined that the majority of these products are not affected by the reported vulnerability.
For products potentially affected by the VMware vulnerability, Philips has determined that if affected VMware software is updated to the most recent versions containing the security upgrade, the reported vulnerabilities are mitigated. Philips does not provide or maintain VMware for customers using these products and advises customers to assess their VMware environment to determine if a software update/upgrade is necessary.
Affected Philips systems are safe for continued operation consistent with their Instructions for Use. To date, Philips has not received any reports of exploitation of these issues or of incidents from clinical use that we have been able to associate with this issue.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips-approved product specifications.
Begin Update A: 2021 May 28
Philips is providing the list below in order to better assist our customers in identifying any Philips products running on VMware vCenter Server and VMware Cloud Foundation that could be vulnerable to CVE-2021-21985 or CVE-2021-21986. However, the list below is not comprehensive and may be updated as necessary if more products are identified. It does not indicate the patch or device status.