November 23, 2022 - Product Security Notification for Biosense Webster CARTO® 3
We have identified the following versions of CARTO® 3 as running versions of Windows with the vulnerable Print Spool service enabled:
Recently, Blackberry announced a vulnerability affecting versions of QNX real-time operating system that has a calloc() library function. This has been formalized in Blackberry’s security update guidance CVE-2021-22156, commonly referred to as badAlloc vulnerability. We have identified the following Johnson & Johnson Surgical Vision products as running versions of QNX with the badAlloc vulnerability:
Recently Microsoft announced a critical vulnerability affecting versions of Windows with the Print Spool service enabled. This has been formalized in Microsoft’s security update guidance CVE-2021-34527, commonly referred to as PrintNightmare. We have identified the following Johnson & Johnson Medical Device subsidiary products as running versions of Windows with the vulnerable Print Spool service enabled: CARTO3 Version 6 + Version 7, NeuWave - Neuwave Microwave Ablation System + Ablation Confirmation Software, and Johnson & Johnson Surgical Vision - LipiScan, LipiView, and LipiFlow product lines. Additional details can be found in the advisory here:
Recently Microsoft announced a critical vulnerability affecting versions of Windows with the Print Spool service enabled. This has been formalized in Microsoft’s security update guidance CVE-2021-34527, commonly referred to as PrintNightmare. We have identified the following Johnson & Johnson Surgical Vision products as running versions of Windows with the vulnerable Print Spool service enabled: iDESIGN® Refractive Studio and CATALYS™ Precision Laser System. Additional details can be found in the advisory here:
Biosense Webster, Inc. (BWI) has produced a software update that applies both operating system patches and anti-virus signature updates to increase security protection and close known vulnerabilities in the Microsoft Windows based operating system of the CARTO® 3 System. This update will be applied to CARTO® 3 Systems starting in December 2020, as part of the free-of-charge CARTO® 3 Version 6 SP3 base software version, which is designed to upgrade compatible CARTO® 3 Systems running Version 6 (V6). Additional details can be found in the advisory here:
Johnson & Johnson is currently monitoring several vulnerabilities collectively called AMNESIA:33 that impact multiple open source TCP/IP stacks (uIP-Contiki-OS, uIP-Contiki-NG, uIP, open-iscsi, picoTCP-NG, picoTCP, FNET, Nut/Net), that are commonly used in Internet-of-Things (IoT) and embedded devices.
These vulnerabilities primarily cause memory corruption, allowing attackers to compromise devices, execute malicious code, perform denial-of-service attacks, and steal sensitive information.
We are currently investigating the impact of these vulnerabilities on our products. If any further action is required, product-specific updates and information will be distributed directly to customers.
If you are concerned that a product of the Johnson & Johnson Family of Companies has been impacted by a Cyber-attack related to this vulnerability, please immediately disconnect the system from your network and contact the Product Security Team at productsecurity@its.jnj.com.
A cybersecurity advisory has been issued jointly by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS).
According to the joint advisory, cybercriminals are targeting the Healthcare and Public Health (HPH) Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain. The HPH Sector is also being targeted with TrickBot and BazarLoader malware (malicious software), which can lead to ransomware attacks, data theft, and the disruption of healthcare services.
Currently, we are unaware of any risks to our medical device products. If we learn of information requiring action by the HPH Sector, product-specific updates and information will be distributed directly to customers.
As a general recommendation, customers should follow the network and ransomware best practices as outlined in this joint cybersecurity advisory
If you are concerned that a product of the Johnson & Johnson Family of Companies has been impacted by a Cyber-attack related to this advisory, please immediately disconnect the system from your network and contact the Product Security Team at productsecurity@its.jnj.com.
SweynTooth
Johnson & Johnson is currently monitoring several vulnerabilities named SweynTooth,
which could impact devices running the Bluetooth Low Energy (BLE) protocol. The BLE protocol is a wireless communication technology specially designed to prolong the battery life of devices with different power consumption and usage capabilities.
SweynTooth
allows an attacker in radio range to trigger crashes, deadlocks or completely bypass security controls. The identified vulnerabilities have been found in the BLE implementations of major system-on-a-chip (SoC) vendors. Patches are available from most of the affected BLE SoC vendors.
We are currently investigating the impact of these vulnerabilities on our products. If any further action is required, product-specific updates and information will be distributed directly to customers.
If you are concerned that a product of the Johnson & Johnson Family of Companies has been impacted by a Cyber-attack related to this vulnerability, please immediately disconnect the system from your network and contact the Product Security Team at productsecurity@its.jnj.com.
April 9, 2018 - Product Security Notification for Biosense Webster CARTO® 3
Biosense Webster, Inc. (BWI) reported controlled risk in the CARTO® 3 System related to operating system security patches and anti-virus signatures. BWI has produced a software update that applies operating system patches and anti-virus signature updates to close known vulnerabilities in the operating system of the affected product. This update will be applied to CARTO® 3 Systems starting in April 2018, as part of the free-of-charge CARTO® 3 Version 6 (V6) base software version, which is designed to upgrade compatible CARTO® 3 Systems running Version 4 (V4) and above. Additional details can be found in the advisory here:
January 12, 2018 - Product Security Notification for Meltdown and Spectre
(Updated April 12th, 2018)
Meltdown and Spectre vulnerabilities (https://www.us-cert.gov/ncas/alerts/TA18-004A) are two techniques that circumvent security in Windows, Mac, and Linux operating systems and have the capability to access passwords, proprietary and personal information, and/or encrypted communications that have been processed by computers, cloud servers, embedded devices, medical devices and smartphones.
We have determined that Meltdown and Spectre vulnerabilities pose a low risk across products from the Johnson & Johnson Family of Companies due to the required access to the underlying Operating System and additional security controls that must be defeated to exploit these vulnerabilities. There have been no reports of active exploitation to date involving our products.
As patches are provided by CPU and Operating System manufacturers, we are committed to investigating, testing, and applying necessary updates where appropriate. Customers with additional product or site-specific concerns should contact their sales or service representative. Any product-specific updates and information will be distributed directly to customers.
If you are concerned that a product of the Johnson & Johnson Family of Companies has been compromised, please immediately disconnect the system from your network and contact your service representative and/or productsecurity@its.jnj.com.
January 9, 2018 - Product Security Notification for Ethicon Generator Gen11
Ethicon Endo-Surgery, Inc. (Ethicon) is issuing a field cybersecurity routine update and patch to address a cybersecurity software vulnerability of the Gen11 when used with non-OEM devices. The identified risk associated with the Gen11 cybersecurity software vulnerability is considered a controlled risk. Additional details can be found at the DHS ICS-CERT website: Ethicon Generator Gen11
June 29, 2017 - Product Security Notification for Nyetya
Johnson & Johnson is currently monitoring the Nyetya threat (also referred to as Petya, NotPetya) that has been reported to affect companies worldwide. The Nyetya ransomware uses the same EternalBlue exploit on Windows SMBv1 vulnerabilities as the recent Wannacry ransomware attacks. Customers should refer to the below bulletins on Wannacry for additional information related to products and services provided by the Johnson & Johnson Family of Companies. This information will be updated if necessary. If you are concerned a product of the Johnson & Johnson Family of Companies has been impacted by this Cyber-attack, please immediately disconnect the system from your network and contact your service representative and/or productsecurity@its.jnj.com.
June 2, 2017 - Product Security Notification for WannaCry Ransomware
(Updated August 7th, 2017)
On May 12, 2017, a Ransomware Cyber-attack took place impacting institutions, including hospitals and utility companies, across the world. The WannaCry Ransomware takes advantage of a vulnerability within the Microsoft operating system to essentially “lock” access to the system and/or its data, demanding payment of a fee to unlock the device/data. A security patch is available from Microsoft for this specific vulnerability, MS17-010.
J&J recognizes that cybersecurity threats are constantly evolving. We have robust processes and systems in place to safeguard our networks, our products and our data which we regularly and consistently update. We believe in the strategy we have in place for protecting Johnson & Johnson. There has been no business impact to our internal networks or safety risk to our products as a result of the recent ransomware attacks.
Additional details per product can be found in the advisories below: