January 12, 2017 - Product Security Notification for Meltdown and Spectre
While there have been no reports of a breach to date involving our products, be advised that the Johnson & Johnson Family of Companies is proactively investigating the potential impact the Meltdown and Spectre vulnerabilities (https://www.us-cert.gov/ncas/alerts/TA18-004A) could pose to its products that run on Intel, AMD, ARM, and other chipsets. Meltdown and Spectre are two techniques that circumvent security in Windows, Mac, and Linux operating systems and have the capability to access passwords, proprietary and personal information, and/or encrypted communications that have been processed by computers, cloud servers, embedded devices, medical devices and smartphones. This preemptive measure is being taken to ensure the safety and protection of our products and our customers.
This advisory will be updated with additional information about the impact, if any, to specific products from the Johnson & Johnson Family of Companies once our internal investigation is complete. If you are concerned that a product of the Johnson & Johnson Family of Companies has been compromised, please immediately disconnect the system from your network and contact your service representative and/or firstname.lastname@example.org.
January 9, 2017 - Product Security Notification for Ethicon Generator Gen11
Ethicon Endo-Surgery, Inc. (Ethicon) is issuing a routine field cybersecurity update and patch to address a cybersecurity software vulnerability of the Gen11 when used with non-OEM devices. The identified risk associated with the Gen11 cybersecurity software vulnerability is considered a controlled risk. Additional details can be found at the DHS ICS-CERT website: Ethicon Generator Gen11
June 29, 2017 - Product Security Notification for Nyetya
Johnson & Johnson is currently monitoring the Nyetya threat (also referred to as Petya, NotPetya) that has been reported to affect companies worldwide. The Nyetya ransomware uses the same EternalBlue exploit on Windows SMBv1 vulnerabilities as the recent WannaCry ransomware attacks. Customers should refer to the bulletins below on WannaCry for additional information related to products and services provided by the Johnson & Johnson Family of Companies. This information will be updated if necessary. If you are concerned a product of the Johnson & Johnson Family of Companies has been impacted by this cyber-attack, please immediately disconnect the system from your network and contact your service representative and/or email@example.com.
June 2, 2017 - Product Security Notification for WannaCry Ransomware
(Updated August 7th, 2017)
On May 12, 2017, a ransomware cyber-attack took place, impacting institutions, including hospitals and utility companies, across the world. The WannaCry ransomware takes advantage of a vulnerability within the Microsoft operating system to essentially “lock” access to the system and/or its data, demanding payment of a fee to unlock the device/data. A security patch is available from Microsoft for this specific vulnerability, MS17-010.
J&J recognizes that cybersecurity threats are constantly evolving. We have robust processes and systems in place to safeguard our networks, our products and our data, which we regularly and consistently update. We believe in the strategy we have in place for protecting Johnson & Johnson. There has been no business impact to our internal networks or safety risk to our products as a result of the recent ransomware attacks.
Additional details per product can be found in the advisories below: