Coordinated Vulnerability Disclosure (CVD) Process

At Leica Biosystems, we develop technologies to advance and optimize the laboratory. To achieve this, we uphold core values that define our responsibility to those we serve. Among them: an unwavering commitment to the safety and security of patients and laboratory personnel. Therefore, we believe in continuously improving to address the ever-evolving privacy and cybersecurity landscape.

In response to potential threats to cybersecurity, Leica Biosystems participates in a global product security team that assesses vulnerabilities and determines responses within a Coordinated Vulnerability Disclosure (CVD) process. These efforts allow the company to continually learn from vulnerability test information submitted to us by customers and security researchers.

For the latest product details, please expand the product security updates section below.

PRODUCT SECURITY NEWS

Security Advisory for Axeda Access:7 vulnerabilities

2022 April 6 (last updated 2022 May 6)

CVE-2022-25246, CVE-2022-25247, CVE-2022-25248, CVE-2022-25249, CVE-2022-25250, CVE-2022-25251, CVE-2022-25252

Background
Leica Biosystems has been notified of 7 vulnerabilities associated with a remote access solution produced by Axeda, collectively known as Access:7. PTC acquired Axeda in 2014, and the Axeda software was phased out by the end of 2020.

Leica Biosystems has reviewed its products and identified one Leica Biosystems service, RemoteCare, that affects multiple Leica Biosystems products. RemoteCare is no longer distributed or supported. RemoteCare used part of the Axeda software containing some of the vulnerabilities listed in Access:7. When the RemoteCare service was discontinued on 31 December 2020, the Axeda software was no longer necessary; however, in some circumstances it may not have been removed or disabled completely. Where the software remained, the product could be at risk.

Product Status

Product

Status Regarding Access:7

Recommendations and Comments

Aperio AT2 (DX)

Not Vulnerable

Axeda software is not present.

Aperio CS2

Not Vulnerable

Axeda software is not present.

Aperio eSlide Manager

Not Vulnerable

Axeda software is not present.

Aperio GT 450 (DX)

Not Vulnerable

Axeda software is not present.

Aperio ImageScope (DX)

Not Vulnerable

Axeda software is not present.

Aperio LV1

Not Vulnerable

Axeda software is not present.

Aperio Scanner Administration Manager (SAM) Server for GT 450 (DX)

Not Vulnerable

Axeda software is not present.

Aperio VERSA

Not Vulnerable

Axeda software is not present.

Aperio WebViewer DX

Not Vulnerable

Axeda software is not present.

BOND-ADVANCE, BOND Controller

Potentially Vulnerable

Axeda software used by RemoteCare was not preinstalled by default. Only customers who purchased the RemoteCare service and had the Axeda software installed on the BOND Controller are impacted. If you have not previously purchased the RemoteCare service, then you are not vulnerable, and no further action is necessary.
If you have previously purchased RemoteCare, then there is a possibility that the Axeda software could still be on the system and active. If this is the case, then your BOND instrument could be vulnerable to malicious persons or malware with access to the same network the BOND instrument is connected to.
Customers with firewalls or other network protections in place to limit access to the BOND instrument may have significantly reduced the risk of this vulnerability.
Leica Biosystems will remove the Axeda software and RemoteCare during the next maintenance visit for customers who have the software installed. Customers who have assessed and found their network protections do not sufficiently mitigate the risk are encouraged to contact a local Leica Biosystems representative as a matter of priority. Customers who do not have a Service Agreement with Leica Biosystems should also contact a local Leica Biosystems representative.

BOND-III

Not Vulnerable

Axeda software is not present.

BOND-MAX

Not Vulnerable

Axeda software is not present.

BOND RX, BOND RXm

Not Vulnerable

Axeda software is not present.

CEREBRO

Potentially Vulnerable

Axeda software used by RemoteCare was not preinstalled by default. Only customers who opted to use RemoteCare service instead of using their own remote support solution had the Axeda software installed on the CEREBRO server and workstations. If you have not opted to use the RemoteCare service for remote support, then you are not vulnerable, and no further action is necessary. If you are not sure, you can contact a local Leica Biosystems service center to have a Leica representative check if RemoteCare has been installed or not.
If you have RemoteCare installed, then there is a possibility that the Axeda software could still be active on the system. If this is the case, then your CEREBRO system could be vulnerable to malicious persons or malware with access to the same network the CEREBRO system is connected to.
Customers with firewalls or other network protections in place to limit access to the CEREBRO system may have significantly reduced the risk of this vulnerability.
For the customers who have the RemoteCare software installed, Leica Biosystems will remove the software using remote access if available or during the next maintenance visit. Customers who have assessed and found their network protections do not sufficiently mitigate the risk are encouraged to contact a local Leica Biosystems representative as a matter of priority. Customers who do not have a Service Agreement with Leica Biosystems should also contact a local Leica Biosystems representative.

CytoVision

Not Vulnerable

Axeda software is not present.

HistoCore Arcadia C

Not Vulnerable

Axeda software is not present.

HistoCore Arcadia H

Not Vulnerable

Axeda software is not present.

HistoCore PEARL

Potentially Vulnerable

The Axeda software used in RemoteCare is installed but disabled by default.
If you have previously purchased RemoteCare, then the Axeda software will have been enabled, in which case your system could be vulnerable to malicious persons or malware with access to the same network the instrument is connected to.
To protect against this vulnerability Leica Biosystems advises customers to remove and discard the network cable if one is connected to the instrument.

HistoCore PEGASUS (PLUS)

Not Vulnerable

Axeda software is not present.

HistoCore PELORIS 3

Potentially Vulnerable

Axeda software used by RemoteCare was not preinstalled by default. If you have previously purchased RemoteCare, then the Axeda software will have been installed and enabled, in which case your system could be vulnerable to malicious persons or malware with access to the same network the instrument is connected to.
Customers who do not have their instrument connected to a network will not be at risk even if they have purchased RemoteCare previously.
Leica Biosystems will remove the Axeda software and RemoteCare during the next maintenance visit for customers who have the software installed. Customers may protect against this vulnerability in the interim by removing and discarding the network cable if one is connected to the instrument. Customers who do not have a Service Agreement with Leica Biosystems may also contact a local Leica Biosystems representative to have the software removed.

HistoCore SPECTRA CV

Not Vulnerable

Axeda software is not present.

HistoCore SPECTRA ST

Potentially Vulnerable

The Axeda software used in RemoteCare is installed and enabled by default even when RemoteCare was not purchased.
Customers who do not have their instrument connected to a network will not be at risk. Customers who have the instrument connected to a network may be vulnerable to malicious persons or malware with access to the same network the instrument is connected to.
To protect against this vulnerability Leica Biosystems advises customers to remove and discard the network cable if one is connected to the instrument.

HistoCore SPIRIT ST

Not Vulnerable

Axeda software is not present.

HistoCore SPRING ST

Not Vulnerable

Axeda software is not present.

Leica ASP200 (S), Leica ASP300 (S)

Potentially Vulnerable

The Axeda software used in RemoteCare is installed and enabled by default even when RemoteCare was not purchased.
Customers who do not have their instrument connected to a network will not be at risk. Customers who have the instrument connected to a network may be vulnerable to malicious persons or malware with access to the same network the instrument is connected to.
To protect against this vulnerability Leica Biosystems advises customers to remove and discard the network cable if one is connected to the instrument.

Leica ASP6025 (S)

Potentially Vulnerable

The Axeda software used in RemoteCare is installed and enabled by default even when RemoteCare was not purchased.
Customers who do not have their instrument connected to a network will not be at risk. Customers who have the instrument connected to a network may be vulnerable to malicious persons or malware with access to the same network the instrument is connected to.
To protect against this vulnerability Leica Biosystems advises customers to remove and discard the network cable if one is connected to the instrument.

Leica CV5030

Not Vulnerable

Axeda software is not present.

Leica IP C

Not Vulnerable

Axeda software is not present.

Leica IP S

Not Vulnerable

Axeda software is not present.

Leica ST4020

Not Vulnerable

Axeda software is not present.

Leica ST5010

Not Vulnerable

Axeda software is not present.

Leica ST5020

Not Vulnerable

Axeda software is not present.

Leica TP1020

Not Vulnerable

Axeda software is not present.

PELORIS, PELORIS II

Potentially Vulnerable

The Axeda software used in RemoteCare is installed but disabled by default.
If you have previously purchased RemoteCare, then the Axeda software will have been enabled, in which case your system could be vulnerable to malicious persons or malware with access to the same network the instrument is connected to.
Customers who do not have their instrument connected to a network will not be at risk even if they have purchased RemoteCare previously.
Leica Biosystems will remove the Axeda software and RemoteCare during the next maintenance visit for customers who have the software installed. Customers may protect against this vulnerability in the interim by removing and discarding the network cable if one is connected to the instrument. Customers who do not have a Service Agreement with Leica Biosystems may also contact a local Leica Biosystems representative to have the software removed.

LIS Connect

Not Vulnerable

Axeda software is not present.

PathDX

Not Vulnerable

Axeda software is not present.

ThermoBrite Elite

Not Vulnerable

Axeda software is not present.

Disclaimer
The information on this site is based on information Leica Biosystems has been able to gather as of the date of this update. The information is intended to help customers address the situation described herein. Leica Biosystems evaluates risk based on common use of our devices or systems, and our evaluation may not represent the actual risk to your local installation and individual environment. It is recommended that all users determine the applicability of this information to their individual environments and take appropriate actions.

This information is provided "as is" and does not offer or imply any kind of guarantee or warranty. Leica Biosystems expressly disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Leica Biosystems or its affiliates be liable for any damages whatsoever arising from or related to the information contained herein or actions that you decide to take based thereon, including any direct, indirect, incidental, consequential, loss of business profits or special damages, even if Leica Biosystems or its affiliates have been advised of the possibility of such damages.

Your use of the information in this document is at your own risk. Leica Biosystems reserves the right to change or update this document at any time.


Security Advisory for Log4Shell (CVE-2021-44228)

Overview

On or about December 10, 2021, a vulnerability was disclosed in the Apache Log4J software, which is a common logging system used by many applications built on Java. The vulnerability is commonly known as “Log4Shell.” More information on this vulnerability is available at https://logging.apache.org/log4j/2.x/security.html.

Leica Biosystems is evaluating our products to determine whether they are impacted by this vulnerability.

Product Status

Product | Status regarding Log4Shell | Description
Aperio AT2 | Not Vulnerable | Log4J is not used.
Aperio AT2 DX | Not Vulnerable | Log4J is not used.
Aperio CS2 | Not Vulnerable | Log4J is not used.
Aperio eSlide Manager | Not Vulnerable | Log4J is not used.
Aperio GT 450 | Not Vulnerable | Log4J is not used.
Aperio GT 450 DX | Not Vulnerable | Log4J is not used.
Aperio ImageScope DX | Not Vulnerable | Log4J is not used.
Aperio LV1 | Not Vulnerable | Log4J is not used.
Aperio SAM DX Server For GT 450 DX | Not Vulnerable | Uses Mirth Connect. Mirth Connect uses Log4J version 1.2.16. Apache has confirmed that Log4J versions 1.x are not impacted by CVE-2021-44228. Refer to https://logging.apache.org/log4j/2.x/security.html
Aperio Scanner Administration Manager (SAM) Server for GT 450 | Not Vulnerable | Uses Mirth Connect. Mirth Connect uses Log4J version 1.2.16. Apache has confirmed that Log4J versions 1.x are not impacted by CVE-2021-44228. Refer to https://logging.apache.org/log4j/2.x/security.html
Aperio VERSA | Not Vulnerable | Log4J is not used.
Aperio WebViewer DX | Not Vulnerable | Log4J is not used.
BOND-ADVANCE | Not Vulnerable | Log4J is not used.
BOND Controller | Not Vulnerable | Log4J is not used.
BOND-III | Not Vulnerable | Log4J is not used.
BOND-MAX | Not Vulnerable | Log4J is not used.
BOND RX | Not Vulnerable | Log4J is not used.
BOND RXm | Not Vulnerable | Log4J is not used.
CEREBRO | Not Vulnerable | Uses Mirth Connect. Mirth Connect uses Log4J version 1.2.16. Apache has confirmed that Log4J versions 1.x are not impacted by CVE-2021-44228. Refer to https://logging.apache.org/log4j/2.x/security.html
CytoVision | Not Vulnerable | Log4J is not used.
HistoCore PEARL | Not Vulnerable | Log4J is not used.
HistoCore PEGASUS | Not Vulnerable | Log4J is not used.
HistoCore PELORIS 3 | Not Vulnerable | Log4J is not used.
HistoCore SPECTRA CV | Not Vulnerable | Log4J is not used.
HistoCore SPECTRA ST | Not Vulnerable | Log4J is not used.
HistoCore SPIRIT ST | Not Vulnerable | Log4J is not used.
HistoCore SPRING ST | Not Vulnerable | Log4J is not used.
Leica ASP300S | Not Vulnerable | Log4J is not used.
Leica ASP6025S | Not Vulnerable | Log4J is not used.
Leica CV5030 | Not Vulnerable | Log4J is not used.
Leica IP C | Not Vulnerable | Log4J is not used.
Leica IP S | Not Vulnerable | Log4J is not used.
Leica ST4020 | Not Vulnerable | Log4J is not used.
Leica ST5010 | Not Vulnerable | Log4J is not used.
Leica ST5020 | Not Vulnerable | Log4J is not used.
Leica TP1020 | Not Vulnerable | Log4J is not used.
Leica PELORIS | Not Vulnerable | Log4J is not used.
LISConnect | Not Vulnerable | Uses Mirth Connect. Mirth Connect uses Log4J version 1.2.16. Apache has confirmed that Log4J versions 1.x are not impacted by CVE-2021-44228. Refer to https://logging.apache.org/log4j/2.x/security.html
PathDX | Not Vulnerable | Log4J is not used.
ThermoBrite Elite | Not Vulnerable | Log4J is not used.
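The table above rests on two facts a site administrator may want to verify on their own hosts: which Log4J artifact version a product actually ships (the advisory cites 1.2.16 inside Mirth Connect) and whether that version falls in the range Apache lists for CVE-2021-44228. The following script is an added example, not Leica Biosystems code and not part of the original advisory. It reads the Maven pom.properties that Log4J jars carry, checks for the JndiLookup class that log4j-core 2.x contains, and classifies the version. The version ranges it encodes (2.0-beta9 through 2.14.1 affected; 2.15.0, 2.12.2 and 2.3.1 as the fixing releases for this CVE only; 1.x not affected) are taken from Apache's security page and are this example's own assumption to keep in sync with that page. The jars it scans in demo() are constructed sample files, not real Leica or Mirth Connect artifacts.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Maven metadata paths that the real Log4j 1.x and 2.x jars carry; the
# "version=" line inside is the authoritative artifact version.
POM_PATHS = (
    "META-INF/maven/log4j/log4j/pom.properties",                          # Log4j 1.x
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",  # Log4j 2.x core
)
# Class in log4j-core 2.x that performs the JNDI lookup behind CVE-2021-44228.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?")


def classify_log4j_version(version: str) -> str:
    """Classify a Log4j artifact version against CVE-2021-44228 only.

    Assumed ranges (from Apache's security page): 2.0-beta9 through 2.14.1 are
    affected; 2.15.0 fixed this CVE on the main line, with 2.12.2 (Java 7) and
    2.3.1 (Java 6) as backports; 1.x does not contain the JNDI lookup.
    Later Log4j CVEs are out of scope for this check.
    """
    m = VERSION_RE.match(version)
    if not m:
        return "unknown"
    major, minor, patch, beta = (int(g) if g is not None else None for g in m.groups())
    patch = patch or 0
    if major == 1:
        return "not-affected"
    if major != 2:
        return "unknown"
    if beta is not None:
        return "affected" if beta >= 9 else "not-affected"
    if minor >= 15 or (minor == 12 and patch >= 2) or (minor == 3 and patch >= 1):
        return "fixed"
    return "affected"


def inspect_jar(path: Path) -> dict:
    """Report the Log4j version inside one jar and whether JndiLookup.class is present."""
    version = None
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        for pom in POM_PATHS:
            if pom in names:
                props = zf.read(pom).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.MULTILINE)
                if m:
                    version = m.group(1).strip()
        has_jndi = JNDI_CLASS in names
    if version is None:
        # Fall back to the conventional file name, e.g. log4j-core-2.14.1.jar
        m = re.search(r"log4j(?:-core)?-(\d[\w.\-]*)\.jar$", path.name)
        version = m.group(1) if m else "unknown"
    return {"version": version,
            "status": classify_log4j_version(version),
            "jndi_lookup_present": has_jndi}


def scan_jars(root) -> dict:
    """Walk a directory tree; keep only jars that carry Log4j metadata or JndiLookup."""
    results = {}
    for p in sorted(Path(root).rglob("*.jar")):
        info = inspect_jar(p)
        if info["version"] != "unknown" or info["jndi_lookup_present"]:
            results[p.name] = info
    return results


def _write_jar(path: Path, entries: dict) -> None:
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def demo() -> dict:
    """Build constructed sample jars in a temp dir and scan them (sample data, not real artifacts)."""
    root = Path(tempfile.mkdtemp(prefix="log4j-scan-"))
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic only; stands in for JndiLookup.class
    _write_jar(root / "log4j-1.2.16.jar",
               {POM_PATHS[0]: "version=1.2.16\ngroupId=log4j\nartifactId=log4j\n"})
    _write_jar(root / "log4j-core-2.14.1.jar",
               {POM_PATHS[1]: "version=2.14.1\n", JNDI_CLASS: fake_class})
    _write_jar(root / "log4j-core-2.17.1.jar",
               {POM_PATHS[1]: "version=2.17.1\n", JNDI_CLASS: fake_class})
    _write_jar(root / "app.jar", {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})
    return scan_jars(root)


if __name__ == "__main__":
    for name, info in demo().items():
        print(f"{name}: version {info['version']} -> {info['status']}, "
              f"JndiLookup present: {info['jndi_lookup_present']}")
```

Point scan_jars() at a product's installation directory to get the same three fields for every Log4J jar found there; a 1.x jar reports "not-affected" for this CVE, matching the advisory's statement about Mirth Connect, while any 2.x jar reporting "affected" with JndiLookup present is the case the table says does not occur on these products.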

What Customers Should Do
Customers are encouraged to follow updates on the Apache Website https://logging.apache.org/log4j/2.x/security.html and continue to monitor this notice for further updates as they become available.

In addition, Mirth Connect is a product of NextGen; customers can inquire directly with NextGen.

As always, Leica Biosystems strongly recommends that all customers protect network access to devices with appropriate safeguards.

Leica Biosystems will continue to seek and monitor additional information related to this vulnerability. Customers are advised to monitor this site for updates.

Obtaining Support on this Issue
If you require further clarification on this issue, please contact Leica Biosystems Support. Contact details for support are available on the Contact Us page.

Reporting Security Vulnerabilities to Leica Biosystems
Leica Biosystems welcomes input regarding the security of its products and considers potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Leica Biosystems, please see the following website: https://www.leicabiosystems.com/about/product-security/#reportasecurityvulnerability

Disclaimer
The information on this site is based on information Leica Biosystems has been able to gather as of the date of this update. The information is intended to help customers address the situation described herein. Leica Biosystems evaluates risk based on common use of our devices or systems, and our evaluation may not represent the actual risk to your local installation and individual environment. It is recommended that all users determine the applicability of this information to their individual environments and take appropriate actions.

This information is provided "as is" and does not offer or imply any kind of guarantee or warranty. Leica Biosystems expressly disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Leica Biosystems or its affiliates be liable for any damages whatsoever arising from or related to the information contained herein or actions that you decide to take based thereon, including any direct, indirect, incidental, consequential, loss of business profits or special damages, even if Leica Biosystems or its affiliates have been advised of the possibility of such damages.

Your use of the information in this document is at your own risk. Leica Biosystems reserves the right to change or update this document at any time.

We appreciate your support during this process.

Kind Regards,
Brad Hawkes

Brad Hawkes CISSP, CSSLP | Principal Product Cyber Security Leader | Leica Biosystems

REPORT A SECURITY VULNERABILITY

Scope

This CVD process applies to the reporting of potential cybersecurity vulnerabilities in Leica Biosystems products and services.

Contact Information and CVD Submission Process

Triage

Web application vulnerabilities should be reported to:

lbs.productsecurity@leicabiosystems.com

Potential security vulnerabilities or privacy issues with a Leica Biosystems product should be reported to:

lbs.productsecurity@leicabiosystems.com

Please use email encrypted with our public PGP key.

We ask that you please refrain from including sensitive information (e.g., sample information, PHI, PII, etc.) as a part of any submissions to Leica Biosystems. Please provide the following information in your submission:

  • Your contact information (e.g., name, address, phone number)
  • Date and method of discovery
  • Description of potential vulnerability
    • Product name
    • Version number
    • Configuration details
  • Steps to reproduce
    • Tools and methods
    • Exploitation code
    • Privileges required
  • Results or impact

What Happens Next

Upon receipt of a potential product vulnerability submission, Leica Biosystems will:

  • Acknowledge receipt of the submission within five (5) business days
  • Work with specialized product teams to evaluate and validate reported findings
  • Contact the submitter to request additional information, if needed
  • Take appropriate action

Disclaimer

Leica Biosystems considers it a top priority to protect the health and safety, as well as the personal information, of our customers' patients.

When conducting your security research, please avoid actions that could cause harm to patients or products. Note that vulnerability testing could negatively impact a product. As such, testing should not be conducted on active products in a clinical setting, and products subjected to security testing should not subsequently be used in a clinical setting. If there is any doubt, please contact a Leica Biosystems representative.

Leica Biosystems reserves the right to modify its coordinated vulnerability disclosure process at any time, without notice, and to make exceptions to it on a case-by-case basis. No level of response is guaranteed.

CAUTION: Do not include sensitive information (e.g., sample information, PHI, PII, etc.) in any documents submitted to Leica Biosystems. Comply with all laws and regulations during your testing activities.

By contacting Leica Biosystems, you agree that the information you provide will be governed by our site's Privacy Policy and Online Terms of Use.

Note: When sharing any information with Leica Biosystems, you agree that the information you submit will be considered non-proprietary and non-confidential and that Leica Biosystems can use such information in any manner, in whole or in part, without any restriction.