We have identified the following versions of CARTO^® 3 as running versions of Windows with the vulnerable Print Spool service enabled:

• CARTO^® 3, running software Versions 6 and Version 7.1
• Statement on "PrintNightmare" Vulnerability

Recently, Blackberry announced a vulnerability affecting versions of QNX real-time operating system that has a calloc() library function. This has been formalized in Blackberry’s security update guidance CVE-2021-22156, commonly referred to as badAlloc vulnerability. We have identified the following Johnson & Johnson Surgical Vision products as running versions of QNX with the badAlloc vulnerability:

• IFS^® ADVANCED FEMTOSECOND LASER
• COMPACT INTUITIV™ System
• SOVEREIGN^® COMPACT
• WHITESTAR SIGNATURE^® PRO System
• VERITAS™ Vision System

Additional details can be found in the advisory here:

• Statement on Blackberry's QNX BadAlloc Vulnerability

• Biosense Webster: CARTO3 Version 6 + Version 7
• NeuWave: Neuwave Microwave Ablation System + Ablation Confirmation Software
• Johnson & Johnson Surgical Vision: LipiScan, LipiView, and LipiFlow product lines

Recently Microsoft announced a critical vulnerability affecting versions of Windows with the Print Spool service enabled. This has been formalized in Microsoft’s security update guidance CVE-2021-34527, commonly referred to as PrintNightmare. We have identified the following Johnson & Johnson Medical Device subsidiary products as running versions of Windows with the vulnerable Print Spool service enabled: CARTO3 Version 6 + Version 7, NeuWave - Neuwave Microwave Ablation System + Ablation Confirmation Software, and Johnson & Johnson Surgical Vision - LipiScan, LipiView, and LipiFlow product lines. Additional details can be found in the advisory here:

• Statement on "PrintNightmare" Vulnerability

Recently Microsoft announced a critical vulnerability affecting versions of Windows with the Print Spool service enabled. This has been formalized in Microsoft’s security update guidance CVE-2021-34527, commonly referred to as PrintNightmare. We have identified the following Johnson & Johnson Surgical Vision products as running versions of Windows with the vulnerable Print Spool service enabled: iDESIGN^® Refractive Studio and CATALYS™ Precision Laser System. Additional details can be found in the advisory here:

• Statement on "PrintNightmare" Vulnerability

Biosense Webster, Inc. (BWI) has produced a software update that applies both operating system patches and anti-virus signature updates to increase security protection and close known vulnerabilities in the Microsoft Windows based operating system of the CARTO^® 3 System. This update will be applied to CARTO^® 3 Systems starting in December 2020, as part of the free-of-charge CARTO^® 3 Version 6 SP3 base software version, which is designed to upgrade compatible CARTO^® 3 Systems running Version 6 (V6). Additional details can be found in the advisory here:

• Biosense Webster CARTO^® 3 V6 SP3 Security Updates

Johnson & Johnson is currently monitoring several vulnerabilities collectively called AMNESIA:33 that impact multiple open source TCP/IP stacks (uIP-Contiki-OS, uIP-Contiki-NG, uIP, open-iscsi, picoTCP-NG, picoTCP, FNET, Nut/Net), that are commonly used in Internet-of-Things (IoT) and embedded devices.

These vulnerabilities primarily cause memory corruption, allowing attackers to compromise devices, execute malicious code, perform denial-of-service attacks, and steal sensitive information.

We are currently investigating the impact of these vulnerabilities on our products. If any further action is required, product-specific updates and information will be distributed directly to customers.

If you are concerned that a product of the Johnson & Johnson Family of Companies has been impacted by a Cyber-attack related to this vulnerability, please immediately disconnect the system from your network and contact the Product Security Team at [email protected].

A cybersecurity advisory has been issued jointly by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS).

According to the joint advisory, cybercriminals are targeting the Healthcare and Public Health (HPH) Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain. The HPH Sector is also being targeted with TrickBot and BazarLoader malware (malicious software), which can lead to ransomware attacks, data theft, and the disruption of healthcare services.

Currently, we are unaware of any risks to our medical device products. If we learn of information requiring action by the HPH Sector, product-specific updates and information will be distributed directly to customers.

As a general recommendation, customers should follow the network and ransomware best practices as outlined in this joint cybersecurity advisory

If you are concerned that a product of the Johnson & Johnson Family of Companies has been impacted by a Cyber-attack related to this advisory, please immediately disconnect the system from your network and contact the Product Security Team at [email protected].

Johnson & Johnson is currently monitoring several vulnerabilities named "SweynTooth", which could impact devices running the Bluetooth Low Energy (BLE) protocol. The BLE protocol is a wireless communication technology specially designed to prolong the battery life of devices with different power consumption and usage capabilities.

SweynTooth allows an attacker in radio range to trigger crashes, deadlocks or completely bypass security controls. The identified vulnerabilities have been found in the BLE implementations of major system-on-a-chip (SoC) vendors. Patches are available from most of the affected BLE SoC vendors.

Below is the list of vulnerabilities:

• Crash: Vulnerabilities (CVE-2019-16336, CVE-2019-17517, CVE-2019-17518,CVE-2019-17519, CVE-2019-17520, CVE-2019-19195, CVE-2019-19196) that remotely trigger hard faults forcing the device to crash.
• Deadlock: Vulnerabilities (CVE-2019-17060, CVE-2019-17061, CVE-2019-19192, CVE-2019-19193) that affect the availability of the BLE connection.
• Security Bypass: Vulnerabilities (CVE-2019-19194) that could be exploited by attackers in radio range to bypass the latest secure pairing mode of BLE.

We are currently investigating the impact of these vulnerabilities on our products. If any further action is required, product-specific updates and information will be distributed directly to customers.

If you are concerned that a product of the Johnson & Johnson Family of Companies has been impacted by a Cyber-attack related to this vulnerability, please immediately disconnect the system from your network and contact the Product Security Team at [email protected].

Johnson & Johnson is currently monitoring several critical vulnerabilities in Microsoft Windows Operating System, which were announced by Microsoft on Jan 14, 2020.

CryptoAPI vulnerability (CVE-2020-0601 also known as “Curveball”) -This is a spoofing vulnerability which exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates on Windows 10, Windows Server 2016 and 2019. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. Microsoft has issued a security update (Security Advisory for CVE-2020-0601) that addresses this vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.

Windows Remote Desktop (RD) Gateway Server vulnerabilities (CVE-2020-0609, CVE-2020-0610) - These are remote code execution vulnerabilities and could allow a pre-authenticated attacker to connect to a targeted system via RDP (Remote Desktop Protocol) and send crafted requests to trigger the execution of arbitrary code on the target system. These vulnerabilities affect Windows Server 2012 and newer. Microsoft has issued security updates (Security Advisory for CVE-2020-0609) and (Security Advisory for CVE-2020-0610) that address these vulnerabilities.

Windows Remote Desktop Client Vulnerability (CVE-2020-0611) - This vulnerability exists in the Windows Remote Desktop Client on Windows 7 and newer versions when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. Microsoft issued a security update (Security Advisory for CVE-2020-0611) that addresses this vulnerability.

We are currently investigating the impact of these vulnerabilities on our products. If any further action is required, any product-specific updates and information will be distributed directly to customers.

If you are concerned that a product of the Johnson & Johnson Family of Companies has been impacted by a Cyber-attack related to this vulnerability, please immediately disconnect the system from your network and contact the Product Security Team at [email protected].

Johnson & Johnson is aware of the recently published DICOM (Digital Imaging and Communications in Medicine) vulnerability identified as CVE-2019-11687. The DICOM standard is the international standard to transmit, store, retrieve, print, process, and display medical imaging information. This vulnerability is in the preamble defined by the DICOM File format, which could allow DICOM files stored on the media to have executable malware inserted.

We have analyzed our products and determined that the DICOM Vulnerability poses a low risk across products from the Johnson & Johnson Family of Companies. We have security controls in place to prevent exploitation of the vulnerability.

Additional details per product can be found in the advisory below:

• Biosense Webster, Inc Carto^®3

If you are concerned that a product of the Johnson & Johnson Family of Companies has been impacted by a Cyber-attack related to this vulnerability, please immediately disconnect the system from your network and contact the Product Security Team at [email protected].

Johnson & Johnson is currently monitoring the Remote Desktop Services remote code execution vulnerability (CVE-2019-0708), which was announced by Microsoft on May 14, 2019. This vulnerability affects systems that use remote desktop services on Windows XP, Windows 7, Windows 2003 and Windows 2008.

The vulnerability could allow an unauthenticated remote attacker to connect and run arbitrary code on the targeted system. This vulnerability is pre-authentication and requires no user interaction making it a "wormable" vulnerability, meaning an exploit could potentially spread quickly to other systems.

To address this vulnerability, Microsoft has released a patch along with security guidance on mitigations/workarounds. They recommend that the patch be installed, or mitigation be completed, as soon as possible.               
Security Guidance and downloads Link

We are currently investigating the impact of this vulnerability on our products. If any further action is required, any product-specific updates and information will be distributed directly to customers.

Additional details per product can be found in the advisories below:

• Biosense Webster, Inc Carto^®3
• Brainlab KICK^® and Curve^® System

If you are concerned that a product of the Johnson & Johnson Family of Companies has been impacted by a Cyber-attack related to this vulnerability, please immediately disconnect the system from your network and contact the Product Security Team at [email protected].

Biosense Webster, Inc. (BWI) reported controlled risk in the CARTO^® 3 System related to operating system security patches and anti-virus signatures. BWI has produced a software update that applies operating system patches and anti-virus signature updates to close known vulnerabilities in the operating system of the affected product. This update will be applied to CARTO^® 3 Systems starting in April 2018, as part of the free-of-charge CARTO^® 3 Version 6 (V6) base software version, which is designed to upgrade compatible CARTO^® 3 Systems running Version 4 (V4) and above. Additional details can be found in the advisory here:

• Biosense Webster CARTO^® 3

Meltdown and Spectre vulnerabilities (https://www.us-cert.gov/ncas/alerts/TA18-004A) are two techniques that circumvent security in Windows, Mac, and Linux operating systems and have the capability to access passwords, proprietary and personal information, and/or encrypted communications that have been processed by computers, cloud servers, embedded devices, medical devices and smartphones.

We have determined that Meltdown and Spectre vulnerabilities pose a low risk across products from the Johnson & Johnson Family of Companies due to the required access to the underlying Operating System and additional security controls that must be defeated to exploit these vulnerabilities. There have been no reports of active exploitation to date involving our products.

As patches are provided by CPU and Operating System manufacturers, we are committed to investigating, testing, and applying necessary updates where appropriate. Customers with additional product or site-specific concerns should contact their sales or service representative. Any product-specific updates and information will be distributed directly to customers.

If you are concerned that a product of the Johnson & Johnson Family of Companies has been compromised, please immediately disconnect the system from your network and contact your service representative and/or [email protected].

Ethicon Endo-Surgery, Inc. (Ethicon) is issuing a field cybersecurity routine update and patch to address a cybersecurity software vulnerability of the Gen11 when used with non-OEM devices. The identified risk associated with the Gen11 cybersecurity software vulnerability is considered a controlled risk. Additional details can be found at the DHS ICS-CERT website: Ethicon Generator Gen11

Johnson & Johnson is currently monitoring the Nyetya threat (also referred to as Petya, NotPetya) that has been reported to affect companies worldwide. The Nyetya ransomware uses the same EternalBlue exploit on Windows SMBv1 vulnerabilities as the recent Wannacry ransomware attacks. Customers should refer to the below bulletins on Wannacry for additional information related to products and services provided by the Johnson & Johnson Family of Companies. This information will be updated if necessary. If you are concerned a product of the Johnson & Johnson Family of Companies has been impacted by this Cyber-attack, please immediately disconnect the system from your network and contact your service representative and/or [email protected].

On May 12, 2017, a Ransomware Cyber-attack took place impacting institutions, including hospitals and utility companies, across the world. The WannaCry Ransomware takes advantage of a vulnerability within the Microsoft operating system to essentially “lock” access to the system and/or its data, demanding payment of a fee to unlock the device/data. A security patch is available from Microsoft for this specific vulnerability, MS17-010.

J&J recognizes that cybersecurity threats are constantly evolving. We have robust processes and systems in place to safeguard our networks, our products and our data which we regularly and consistently update. We believe in the strategy we have in place for protecting Johnson & Johnson. There has been no business impact to our internal networks or safety risk to our products as a result of the recent ransomware attacks.

Additional details per product can be found in the advisories below:

• NeuWave Medical, Inc Certus^®140
• Biosense Webster, Inc Carto^®3
• Brainlab KICK^® System
• J&J Vision Catalys^® Laser System

At Johnson & Johnson, we are continuing to monitor the situation and the potential impact it may have on products and services provided by the Johnson & Johnson Family of Companies. If you are concerned a product of the Johnson & Johnson Family of Companies has been impacted by this Cyber-attack, please immediately disconnect the system from your network and contact your service technician and/or [email protected]