February 7, 2020 - Product Security Notification for Microsoft Windows CryptoAPI, Windows RD Gateway and Windows Remote Desktop Client vulnerabilities
Johnson & Johnson is currently monitoring several critical vulnerabilities in Microsoft Windows Operating System, which were announced by Microsoft on Jan 14, 2020.
CryptoAPI vulnerability (CVE-2020-0601 also known as “Curveball”) -This is a spoofing vulnerability which exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates on Windows 10, Windows Server 2016 and 2019. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. Microsoft has issued a security update (Security Advisory for CVE-2020-0601) that addresses this vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.
Windows Remote Desktop (RD) Gateway Server vulnerabilities (CVE-2020-0609, CVE-2020-0610) - These are remote code execution vulnerabilities and could allow a pre-authenticated attacker to connect to a targeted system via RDP (Remote Desktop Protocol) and send crafted requests to trigger the execution of arbitrary code on the target system. These vulnerabilities affect Windows Server 2012 and newer. Microsoft has issued security updates (Security Advisory for CVE-2020-0609) and (Security Advisory for CVE-2020-0610) that address these vulnerabilities.
Windows Remote Desktop Client Vulnerability (CVE-2020-0611) - This vulnerability exists in the Windows Remote Desktop Client on Windows 7 and newer versions when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. Microsoft issued a security update (Security Advisory for CVE-2020-0611) that addresses this vulnerability.
We are currently investigating the impact of these vulnerabilities on our products. If any further action is required, any product-specific updates and information will be distributed directly to customers.
If you are concerned that a product of the Johnson & Johnson Family of Companies has been impacted by a Cyber-attack related to this vulnerability, please immediately disconnect the system from your network and contact the Product Security Team at email@example.com.
April 9, 2018 - Product Security Notification for Biosense Webster CARTO® 3
Biosense Webster, Inc. (BWI) reported controlled risk in the CARTO® 3 System related to operating system security patches and anti-virus signatures. BWI has produced a software update that applies operating system patches and anti-virus signature updates to close known vulnerabilities in the operating system of the affected product. This update will be applied to CARTO® 3 Systems starting in April 2018, as part of the free-of-charge CARTO® 3 Version 6 (V6) base software version, which is designed to upgrade compatible CARTO® 3 Systems running Version 4 (V4) and above. Additional details can be found in the advisory here:
January 12, 2018 - Product Security Notification for Meltdown and Spectre
(Updated April 12th, 2018)
Meltdown and Spectre vulnerabilities (https://www.us-cert.gov/ncas/alerts/TA18-004A) are two techniques that circumvent security in Windows, Mac, and Linux operating systems and have the capability to access passwords, proprietary and personal information, and/or encrypted communications that have been processed by computers, cloud servers, embedded devices, medical devices and smartphones.
We have determined that Meltdown and Spectre vulnerabilities pose a low risk across products from the Johnson & Johnson Family of Companies due to the required access to the underlying Operating System and additional security controls that must be defeated to exploit these vulnerabilities. There have been no reports of active exploitation to date involving our products.
As patches are provided by CPU and Operating System manufacturers, we are committed to investigating, testing, and applying necessary updates where appropriate. Customers with additional product or site-specific concerns should contact their sales or service representative. Any product-specific updates and information will be distributed directly to customers.
If you are concerned that a product of the Johnson & Johnson Family of Companies has been compromised, please immediately disconnect the system from your network and contact your service representative and/or firstname.lastname@example.org.
January 9, 2018 - Product Security Notification for Ethicon Generator Gen11
Ethicon Endo-Surgery, Inc. (Ethicon) is issuing a field cybersecurity routine update and patch to address a cybersecurity software vulnerability of the Gen11 when used with non-OEM devices. The identified risk associated with the Gen11 cybersecurity software vulnerability is considered a controlled risk. Additional details can be found at the DHS ICS-CERT website: Ethicon Generator Gen11
June 29, 2017 - Product Security Notification for Nyetya
Johnson & Johnson is currently monitoring the Nyetya threat (also referred to as Petya, NotPetya) that has been reported to affect companies worldwide. The Nyetya ransomware uses the same EternalBlue exploit on Windows SMBv1 vulnerabilities as the recent Wannacry ransomware attacks. Customers should refer to the below bulletins on Wannacry for additional information related to products and services provided by the Johnson & Johnson Family of Companies. This information will be updated if necessary. If you are concerned a product of the Johnson & Johnson Family of Companies has been impacted by this Cyber-attack, please immediately disconnect the system from your network and contact your service representative and/or email@example.com. June 2, 2017 - Product Security Notification for WannaCry Ransomware
(Updated August 7th, 2017)
On May 12, 2017, a Ransomware Cyber-attack took place impacting institutions, including hospitals and utility companies, across the world. The WannaCry Ransomware takes advantage of a vulnerability within the Microsoft operating system to essentially “lock” access to the system and/or its data, demanding payment of a fee to unlock the device/data. A security patch is available from Microsoft for this specific vulnerability, MS17-010.
J&J recognizes that cybersecurity threats are constantly evolving. We have robust processes and systems in place to safeguard our networks, our products and our data which we regularly and consistently update. We believe in the strategy we have in place for protecting Johnson & Johnson. There has been no business impact to our internal networks or safety risk to our products as a result of the recent ransomware attacks.
Additional details per product can be found in the advisories below: