August 14, 2019 - Product Security Notification for DICOM Vulnerability
Johnson & Johnson is aware of the recently published DICOM (Digital Imaging and Communications in Medicine) vulnerability identified as CVE-2019-11687. The DICOM standard is the international standard to transmit, store, retrieve, print, process, and display medical imaging information. This vulnerability is in the preamble defined by the DICOM File format, which could allow DICOM files stored on the media to have executable malware inserted.
We have analyzed our products and determined that the DICOM Vulnerability poses a low risk across products from the Johnson & Johnson Family of Companies. We have security controls in place to prevent exploitation of the vulnerability.
Additional details per product can be found in the advisory below:
April 9, 2018 - Product Security Notification for Biosense Webster CARTO® 3
Biosense Webster, Inc. (BWI) reported controlled risk in the CARTO® 3 System related to operating system security patches and anti-virus signatures. BWI has produced a software update that applies operating system patches and anti-virus signature updates to close known vulnerabilities in the operating system of the affected product. This update will be applied to CARTO® 3 Systems starting in April 2018, as part of the free-of-charge CARTO® 3 Version 6 (V6) base software version, which is designed to upgrade compatible CARTO® 3 Systems running Version 4 (V4) and above. Additional details can be found in the advisory here:
January 12, 2018 - Product Security Notification for Meltdown and Spectre
(Updated April 12th, 2018)
Meltdown and Spectre vulnerabilities (https://www.us-cert.gov/ncas/alerts/TA18-004A) are two techniques that circumvent security in Windows, Mac, and Linux operating systems and have the capability to access passwords, proprietary and personal information, and/or encrypted communications that have been processed by computers, cloud servers, embedded devices, medical devices and smartphones.
We have determined that Meltdown and Spectre vulnerabilities pose a low risk across products from the Johnson & Johnson Family of Companies due to the required access to the underlying Operating System and additional security controls that must be defeated to exploit these vulnerabilities. There have been no reports of active exploitation to date involving our products.
As patches are provided by CPU and Operating System manufacturers, we are committed to investigating, testing, and applying necessary updates where appropriate. Customers with additional product or site-specific concerns should contact their sales or service representative. Any product-specific updates and information will be distributed directly to customers.
If you are concerned that a product of the Johnson & Johnson Family of Companies has been compromised, please immediately disconnect the system from your network and contact your service representative and/or email@example.com.
January 9, 2018 - Product Security Notification for Ethicon Generator Gen11
Ethicon Endo-Surgery, Inc. (Ethicon) is issuing a field cybersecurity routine update and patch to address a cybersecurity software vulnerability of the Gen11 when used with non-OEM devices. The identified risk associated with the Gen11 cybersecurity software vulnerability is considered a controlled risk. Additional details can be found at the DHS ICS-CERT website: Ethicon Generator Gen11
June 29, 2017 - Product Security Notification for Nyetya
Johnson & Johnson is currently monitoring the Nyetya threat (also referred to as Petya, NotPetya) that has been reported to affect companies worldwide. The Nyetya ransomware uses the same EternalBlue exploit on Windows SMBv1 vulnerabilities as the recent Wannacry ransomware attacks. Customers should refer to the below bulletins on Wannacry for additional information related to products and services provided by the Johnson & Johnson Family of Companies. This information will be updated if necessary. If you are concerned a product of the Johnson & Johnson Family of Companies has been impacted by this Cyber-attack, please immediately disconnect the system from your network and contact your service representative and/or firstname.lastname@example.org. June 2, 2017 - Product Security Notification for WannaCry Ransomware
(Updated August 7th, 2017)
On May 12, 2017, a Ransomware Cyber-attack took place impacting institutions, including hospitals and utility companies, across the world. The WannaCry Ransomware takes advantage of a vulnerability within the Microsoft operating system to essentially “lock” access to the system and/or its data, demanding payment of a fee to unlock the device/data. A security patch is available from Microsoft for this specific vulnerability, MS17-010.
J&J recognizes that cybersecurity threats are constantly evolving. We have robust processes and systems in place to safeguard our networks, our products and our data which we regularly and consistently update. We believe in the strategy we have in place for protecting Johnson & Johnson. There has been no business impact to our internal networks or safety risk to our products as a result of the recent ransomware attacks.
Additional details per product can be found in the advisories below: