Overview

On or about December 10, 2021, a vulnerability was disclosed in the Apache Log4J software, which is a common logging system used by many applications built on Java. The vulnerability is commonly known as “Log4Shell.” More information on this vulnerability is available at https://logging.apache.org/log4j/2.x/security.html.

Leica Biosystems is evaluating our products to determine whether they are impacted by this vulnerability.

Product Status

What Customers Should Do?

Customers are encouraged to follow updates on the Apache Website https://logging.apache.org/log4j/2.x/security.html and continue to monitor this notice for further updates as they become available.

In addition, Mirth Connect is a product of NextGen: Customers can inquire directly with NextGen.

As always, Leica Biosystems strongly recommends that all customer protect network access to devices with appropriate safeguards.

Leica Biosystems will continue to seek and monitor additional information related to this vulnerability. Customers are recommended to monitor this site for updates.

Obtaining Support on this Issue

If you require further clarification with this issue, please contact Leica Biosystems Support. Contact details for support are available at https://www.leicabiosystems.com/contact-us/contact-us-online/.

Reporting Security Vulnerabilities to Leica Biosystems

Leica Biosystems welcomes input regarding the security of its products and considers potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Leica Biosystems, please see the following website: https://www.leicabiosystems.com/about/product-security/#reportasecurityvulnerability

Disclaimer

The information on this site is based on information Leica Biosystems has been able to gather as of the date of this update. The information is intended to help customers address the situation described herein. Leica Biosystems evaluates risk based on common use of our devices or systems, and our evaluation may not represent the actual risk to your local installation and individual environment. It is recommended that all users determine the applicability of this information to their individual environments and take appropriate actions.

This information is provided "as is" and does not offer or imply any kind of guarantee or warranty. Leica Biosystems expressly disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Leica Biosystems or its affiliates be liable for any damages whatsoever arising from or related to the information contained herein or actions that you decide to take based thereon, including any direct, indirect, incidental, consequential, loss of business profits or special damages, even if Leica Biosystems or its affiliates have been advised of the possibility of such damages.

Your use of the information on the document is at your own risk. Leica Biosystems reserves the right to change or update this document at any time.

We appreciate your support during this process.

Kind Regards,

Brad Hawkes

Brad Hawkes CISSP, CSSLP | Principal Product Cyber Security Leader | Leica Biosystems

Network Security Vulnerability in LMS Imaging Products

Scope

This CVD process applies to the reporting of potential cybersecurity vulnerabilities in Leica Biosystems products and services.

Contact information and CVD submission process

Triage

Web application and Potential security vulnerabilities or privacy issues with a Leica Biosystems product should be reported to:

lbs.productsecurity@leicabiosystems.com

Please use email encrypted with our public PGP key.

We ask that you please refrain from including sensitive information (e.g., sample information, PHI, PII, etc.) as a part of any submissions to Leica Biosystems. Please provide the following information in your submission:

• Your contact information (e.g., name, address, phone number)
• Date and method of discovery
• Description of potential vulnerability
  • Product name
  • Version number
  • Configuration details

• Steps to reproduce
  • Tools and methods
  • Exploitation code
  • Privileges required

• Results or impact

What happens next

Upon receipt of a potential product vulnerability submission, Leica Biosystems will:

• Acknowledge receipt of the submission within five (5) business days
• Work with specialized product teams to evaluate and validate reported findings
• Contact the submitter to request additional information, if needed
• Take appropriate action

Disclaimer

Leica Biosystems considers it a top priority to protect the health and safety, as well as the personal information, of our customers' patients.

When conducting your security research, please avoid actions that could cause harm to patients or products. Note that vulnerability testing could negatively impact a product. As such, testing should not be conducted on active products in a clinical setting, and products subjected to security testing should not subsequently be used in a clinical setting. If there is any doubt, please contact a Leica Biosystems representative. 
Leica Biosystems reserves the right to modify its coordinated vulnerability disclosure process at any time, without notice, and to make exceptions to it on a case-by-case basis. No level of response is guaranteed.

CAUTION: Do not include sensitive information (e.g., sample information, PHI, PII, etc.) in any documents submitted to Leica Biosystems. Comply with all laws and regulations during your testing activities.

By contacting Leica Biosystems, you agree that the information you provide will be governed by our site's Privacy Policy and Online Terms of Use.

Note: When sharing any information with Leica Biosystems, you agree that the information you submit will be considered non-proprietary and non-confidential and that Leica Biosystems can use such information in any manner, in whole or in part, without any restriction.