Publication date: December 17, 2021
Last update: March 11, 2022
Varian is aware of the vulnerabilities in the Apache Java library Log4j. While our cybersecurity experts continue to analyze and address potential impact to our products, we are providing this advisory to customers to alert them to products and services that may be affected. The vulnerability details are available at Mitre.org (CVE-2021-44228, CVE-2021-45046) and Apache.org (Apache Log4j 2).
When appropriate, Varian provides specific countermeasures for products where fixes are not yet available. The details of such countermeasures, along with a detailed analysis of the vulnerability for each product will be made available, as appropriate, through Knowledge Articles posted on the MyVarian customer portal.
Please note that this advisory, including the potentially affected products, may be updated based on further analysis.
Potentially Affected Products and Solutions
| Product Group | Product | Version | Status | Varian Remediation/ Mitigation |
Customer Remediation/ Mitigation Options: |
|---|---|---|---|---|---|
| Acuity | Acuity® | All | Not Affected | Not Applicable | Not Applicable |
| 4DITC | 4DITC | All | Not Affected | Not Applicable | Not Applicable |
| ARIA Connect | ARIA Connect (Cloverleaf) | All | Not Affected | Not Applicable | Not Applicable |
| ARIA Medical Oncology | ARIA® oncology information system for Medical Oncology | All | Not Affected | Not Applicable | Not Applicable |
| ARIA Medical Oncology | XMediusFax® for ARIA® oncology information system for Medical Oncology | All | Affected | See Knowledge Articles: 000038891, 000038892, and 000038894 on MyVarian | See Knowledge Articles: 000038891, 000038892, and 000038894 on MyVarian |
| ARIA Radiation Oncology | ARIA® oncology information system for Radiation Oncology | All | Not Affected | Not Applicable | Not Applicable |
| ARIA Radiation Oncology | ARIA eDOC | All | Not Affected | Not Applicable | Not Applicable |
| ARIA Radiation Oncology | XMediusFax® for ARIA® oncology information system for Radiation Oncology | All | Affected | See Knowledge Articles: 000038891, 000038892, and 000038894 on MyVarian | See Knowledge Articles: 000038891, 000038892, and 000038894 on MyVarian |
| ARIA Radiation Therapy Management System (RTM) | ARIA Radiation Therapy Management System (RTM) | All | Not Affected | Not Applicable | Not Applicable |
| Bravos® | Bravos® Console | All | Not Affected | Not Applicable | Not Applicable |
| Calypso® | Calypso® | All | Not Affected | Not Applicable | Not Applicable |
| Clinac® | Clinac® | All | Not Affected | Not Applicable | Not Applicable |
| Cloud Planner | Cloud Planner | All | Not Affected | Not Applicable | Not Applicable |
| D3 Planning Online | D3 Planning Online | All | Not Affected | Not Applicable | Not Applicable |
| DoseLab | DoseLab | All | Not Affected | Not Applicable | Not Applicable |
| Eclipse™ | Eclipse™ treatment planning software | All | Not Affected | Not Applicable | Not Applicable |
| ePeerReview | ePeerReview™ | All | Affected | Patching completed | Not Applicable |
| Ethos® | Ethos | All | Not Affected | Not Applicable | Not Applicable |
| FullScale™ | FullScale™ oncology IT solutions | All | Affected | See Knowledge Article: 000038900 on MyVarian | Not Applicable |
| Halcyon® | Halcyon® system | All | Not Affected | Not Applicable | Not Applicable |
| Identify | Identify | All | Not Affected | Not Applicable | Not Applicable |
| Information Exchange Manager (IEM) | Information Exchange Manager (IEM) | All | Not Affected | Not Applicable | Not Applicable |
| InSightive™ analytics | InSightive™ analytics | v.1.6-1.8 MR2 | Affected | Vulnerability addressed in InSightive v.1.8 MR3, now available. | See Knowledge Articles: 000038873, 000038879, and 000038881 on MyVarian Vulnerability addressed in InSightive v.1.8 MR3, now available. |
| Large Integrated Oncology Network (LION) | Large Integrated Oncology Network (LION) | All | Not Affected | Not Applicable | Not Applicable |
| MICAP | MICAP | All | Not Affected | Not Applicable | Not Applicable |
| Mobius | Mobius3D® platform | All | Not Affected | Not Applicable | Not Applicable |
| Noona® | Noona® | All | Affected | Patching Completed | Not Applicable |
| On-Board Imager® | On-Board Imager® | All | Not Affected | Not Applicable | Not Applicable |
| PortalVision Avanced Imaging (PVAI) | PortalVision Avanced Imaging (PVAI) | All | Not Affected | Not Applicable | Not Applicable |
| ProBeam® | ProBeam® | All | Not Affected | Not Applicable | Not Applicable |
| Qumulate | Qumulate | All | Not Affected | Not Applicable | Not Applicable |
| Real-time Position Management (RPM) | Real-time Position Management (RPM) | All | Not Affected | Not Applicable | Not Applicable |
| Respiratory Gating for Scanners (RGSC) | Respiratory Gating for Scanners (RGSC) | All | Not Affected | Not Applicable | Not Applicable |
| SmartConnect® | SmartConnect® solution | All | Affected | See Knowledge Article: 000038850 on MyVarian | Not Applicable |
| SmartConnect® | SmartConnect® solution Policy Server | All | Affected | Not Applicable | See Knowledge Articles: 000038831 and 000038832 on MyVarian |
| TPaaS | TPaaS | All | Not Affected | Not Applicable | Not Applicable |
| TrueBeam® | TrueBeam® radiotherapy system | All | Not Affected | Not Applicable | Not Applicable |
| UNIQUE | UNIQUE® system | All | Not Affected | Not Applicable | Not Applicable |
| Varian Authentication and Identity Server (VAIS) | Varian Authentication and Identity Server (VAIS) | All | Not Affected | Not Applicable | Not Applicable |
| Varian Managed Services Cloud | Varian Managed Services Cloud | All | Not Affected | Not Applicable | Not Applicable |
| Varian Mobile | Varian Mobile App | 2.0, 2.5 | Not Affected | Not Applicable | Not Applicable |
| VariSeed | VariSeed | All | Not Affected | Not Applicable | Not Applicable |
| Velocity | Velocity | All | Not Affected | Not Applicable | Not Applicable |
| VitalBeam | VitalBeam® radiotherapy system | All | Not Affected | Not Applicable | Not Applicable |
| Vitesse | Vitesse | All | Not Affected | Not Applicable | Not Applicable |
Note: Not all features or products are available in all markets and are subject to change.