BD Vulnerabilities in Synapsys
Summary
Becton, Dickinson and Company (BD) have reported an insufficient session expiration vulnerability in Synapsys, a software application delivering data management and workflow functionality across clinical diagnostic activities in a laboratory.
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
Becton, Dickinson and Company (BD) have reported that there is a vulnerability in Synapsys, their microbiology informatics solution platform. The vulnerability, known as CVE-2022-30277, has a CVSSv3 score of 5.7 and relates to insufficient session expiration.
BD claim that the probability of an unauthorised physical breach of a BD Synapsys workstation would be negligible due to the sequence of events that must occur in a specific order. However, successful exploitation could lead to modification of electronic protected health information (ePHI), protected health information (PHI), and personally identifiable information (PII). Modification of this information could result in delayed or incorrect treatment.
Remediation advice
Affected organisations should review the CISA Medical Advisory ICSMA-22-151-02 (BD Synapsys) and the BD security advisory "BD Synapsys – Insufficient Session Expiration", and follow the relevant workarounds until updates are released.
BD is expecting to release updates. BD Synapsys v4.20 SR2 will be released in June 2022 and will remediate this vulnerability. Customers receiving BD Synapsys v4.30 will be allowed to upgrade to v5.10, which is expected to be available by August 2022.
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 1 June 2022 4:46 pm