2023 - 06 MYLA V4.9 Cyber Security Bulletin


MYLA® Application Software Version 4.9 Cyber Security Bulletin / 10 JUL 2023

The aim of this information is to:

- provide you with the list of known significant cyber security vulnerabilities for the MYLA® application;
- provide you with the expected security update delivery dates or other information on these vulnerabilities.

List of HIGH/CRITICAL known vulnerabilities on the MYLA® application software release 4.9.0

In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information
assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to
the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one
applicable tool or technique that can connect to a system weakness.

On a fully up-to-date MYLA V4.9.0 system:

• Microsoft security updates as defined in the MYLA user manual
• MYLA V4.9.0 Core (including MYLA V4.9 DWH, Order Entry and all previously released Myla Cybersecurity patches)
• Log4J patch installed
• Myla 4.9 Cyber Security Patch 1
• Lab Analytics 1.2 installed on the Windows 2016 platform
• VITEK MS – Cyber Security Patch OS-4 (GCS INFO 4380)
• viLink v4 installed

Platforms under scan:


• Windows 2016, software installed: Myla, VitekMS, VitekMS Plus, Lab Analytics, Vilink
• Windows 10, software installed: Myla, VitekMS, Vilink
• Windows 2019, software installed: Myla

2023 - 06 MYLA V4_9 Cyber Security Bulletin.doc 1/36


The following high or critical security vulnerabilities are known to be still present:

Table columns: Severity | Title | NESSUS plugin ID | Base CVSS 3.1 score | Description / Comment | Fixed in MAESTRIA
(Each entry below is laid out as "[Severity] Title" on the first line, then the NESSUS plugin ID, the base CVSS 3.1 score and the MAESTRIA fix status, then the Description / Comment.)
[High] SSL Version 2 and 3 Protocol Detection
NESSUS plugin ID: 20007 | Base CVSS 3.1 score: 7,5 | Fixed in MAESTRIA: No
Description / Comment:
NIST has determined that the protocol SSL 3.0 is no longer acceptable for secure communications.
Port 3031 is used by viLink only locally. On Windows 10, Windows 2016 and Windows 2019, this port is blocked by the firewall.
viLink will provide a fix in a future version.

[High] Java JMX Agent Insecure Configuration
NESSUS plugin ID: 118039 | Base CVSS 3.1 score: 7,3 | Fixed in MAESTRIA: Yes
Description / Comment:
A Java JMX agent running on the remote host is configured without SSL client and password authentication. An unauthenticated, remote attacker can connect to the JMX agent and monitor and manage the Java application that has enabled the agent.
Ports 1092, 1099, 15050 and 15051 are used only locally. On Windows 10, Windows 2016 and Windows 2016, these ports are blocked by the firewall.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.
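The two entries above rest on the same compensating control: the ports are "used only locally" and "blocked by the firewall". The PowerShell script below is an added verification aid, not part of the bioMérieux bulletin and not Myla code. Run on the Myla host, it reports, for each port named in those entries (3031 for viLink; 1092, 1099, 15050 and 15051 for JMX), whether anything is listening, whether the listener is bound to loopback only, and which enabled inbound firewall rules name the port explicitly. The port list is taken from the entries above; the function name Get-LocalOnlyPortReport is an assumption of this example.

```powershell
# Added verification script (not from the bulletin): confirm the "local only / firewalled"
# status of the viLink and JMX ports listed in the bulletin. Read-only.
# Requires the NetTCPIP and NetSecurity modules (Windows 10 / Server 2016 and later).

$PortsOfInterest = 3031, 1092, 1099, 15050, 15051   # ports named in the bulletin entries above

function Get-LocalOnlyPortReport {
    param([int[]]$Ports = $PortsOfInterest)

    # Current TCP listeners on the ports of interest.
    $listeners = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort })

    # Map port -> enabled inbound rules that name that port exactly. Rules using "Any" or a
    # range are not matched here, so "(no port-specific rule)" still requires checking the
    # profile's default inbound action (Get-NetFirewallProfile).
    $ruleMap = @{}
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -ErrorAction SilentlyContinue) {
        $filter = $rule | Get-NetFirewallPortFilter
        foreach ($p in @($filter.LocalPort)) {
            if ("$p" -match '^\d+$' -and $Ports -contains [int]$p) {
                $key = [int]$p
                if (-not $ruleMap.ContainsKey($key)) { $ruleMap[$key] = @() }
                $ruleMap[$key] += "$($rule.DisplayName) [$($rule.Action)]"
            }
        }
    }

    foreach ($port in $Ports) {
        $l = @($listeners | Where-Object LocalPort -eq $port)
        $addresses = if ($l) { ($l.LocalAddress | Sort-Object -Unique) -join ', ' } else { '(not listening)' }
        # A loopback-only binding is the strongest evidence of "local only"; a 0.0.0.0 / ::
        # binding means the firewall alone stands between the service and the network.
        $nonLoopback = @($l | Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') })
        [pscustomobject]@{
            Port         = $port
            Listening    = [bool]$l
            Address      = $addresses
            LoopbackOnly = [bool]($l -and -not $nonLoopback)
            InboundRules = if ($ruleMap.ContainsKey($port)) { $ruleMap[$port] -join '; ' } else { '(no port-specific rule)' }
        }
    }
}

Get-LocalOnlyPortReport | Format-Table -AutoSize
```

A port that is listening on 0.0.0.0 with no blocking rule and a permissive default inbound action is the case worth escalating; a port bound to 127.0.0.1 matches the bulletin's "used only locally" statement regardless of the firewall.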



[Critical] Apache Log4j 1.x Multiple Vulnerabilities
NESSUS plugin ID: 156860 | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: No
Description / Comment:
* CVE-2020-9488: SMTPAppender is not used on Myla
* CVE-2022-23307: Chainsaw is not used on Myla
* CVE-2022-23305: JDBCAppender is not used on Myla
* CVE-2022-23302: JMSSink is not used on Myla
* CVE-2019-17571: log4j SocketServer is not used on Myla
In the Myla 4.9 context, with the validated design, these vulnerabilities cannot happen.
Log4j will be updated in a future version.

[Critical] Apache Log4j Unsupported Version Detection
NESSUS plugin ID: 156032 | Base CVSS 3.1 score: 10,0 | Fixed in MAESTRIA: No
Description / Comment:
NESSUS detects old log4j libraries (version 1.2.x).
In the Myla 4.9 context, log4j is used to perform basic logging to files. There are currently no known vulnerabilities on log4j 1.2.x for this usage. As a consequence, log4j 1.2.x is not considered a Critical vulnerability in the Myla 4.9 context.
Log4j will be updated in a future version.

[Critical] Oracle Java JRE Unsupported Version Detection
NESSUS plugin ID: 55958 | Base CVSS 3.1 score: 10,0 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.



[Critical] Oracle Java SE Multiple Vulnerabilities (June 2013 CPU)
NESSUS plugin ID: 66932 | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: Yes
Description / Comment:
CVE-2013-2470, CVE-2013-2450, CVE-2013-2472, CVE-2013-2471,
CVE-2013-2412, CVE-2013-2456, CVE-2013-3744, CVE-2013-2455,
CVE-2013-2458, CVE-2013-1500, CVE-2013-2457, CVE-2013-3743,
CVE-2013-2452, CVE-2013-2451, CVE-2013-2473, CVE-2013-2454,
CVE-2013-2453, CVE-2013-2437, CVE-2013-2459, CVE-2013-2461,
CVE-2013-2460, CVE-2013-2445, CVE-2013-2467, CVE-2013-2400,
CVE-2013-2444, CVE-2013-2466, CVE-2013-2447, CVE-2013-2469,
CVE-2013-2446, CVE-2013-2468, CVE-2013-2463, CVE-2013-2462,
CVE-2013-2443, CVE-2013-2465, CVE-2013-2442, CVE-2013-2464,
CVE-2013-2449, CVE-2013-2448, CVE-2013-2407: no Java Web Start applications nor Java applets are used with JRE 1.6.
CVE-2013-1571: Javadoc is not available on the Myla server.
In the Myla 4.9 context, with the validated design, these vulnerabilities cannot happen.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.



[Critical] Oracle Java SE Multiple Vulnerabilities (October 2013 CPU)
NESSUS plugin ID: 70472 | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[Critical] Oracle Java SE Multiple Vulnerabilities (January 2014 CPU)
NESSUS plugin ID: 71966 | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[Critical] Oracle Java SE Multiple Vulnerabilities (April 2014 CPU)
NESSUS plugin ID: 73570 | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[Critical] Oracle Java SE Multiple Vulnerabilities (July 2014 CPU)
NESSUS plugin ID: 76532 | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.



[Critical] Oracle Java SE Multiple Vulnerabilities (October 2014 CPU)
NESSUS plugin ID: 78481 | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[Critical] Oracle Java SE Multiple Vulnerabilities (January 2015 CPU) (POODLE)
NESSUS plugin ID: 80908 | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[Critical] Oracle Java SE Multiple Vulnerabilities (April 2015 CPU) (FREAK)
NESSUS plugin ID: 82820 | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[Critical] Oracle Java SE Multiple Vulnerabilities (July 2015 CPU) (Bar Mitzvah)
NESSUS plugin ID: 84824 | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.



[Critical] Oracle Java SE Multiple Vulnerabilities (October 2015 CPU)
NESSUS plugin ID: 86542 | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[Critical] Oracle Java SE Multiple Vulnerabilities (January 2016 CPU) (SLOTH)
NESSUS plugin ID: 88045 | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[Critical] Oracle Java SE Multiple Vulnerabilities (April 2016 CPU)
NESSUS plugin ID: 90625 | Base CVSS 3.1 score: 9,6 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[Critical] Oracle Java SE Multiple Vulnerabilities (July 2016 CPU)
NESSUS plugin ID: 92516 | Base CVSS 3.1 score: 9,6 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.



[Critical] Oracle Java SE Multiple Vulnerabilities (October 2016 CPU)
NESSUS plugin ID: 94138 | Base CVSS 3.1 score: 9,6 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[Critical] Oracle Java SE Multiple Vulnerabilities (October 2017 CPU)
NESSUS plugin ID: 103963 | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[Critical] Oracle Java SE 1.7.0_241 / 1.8.0_231 / 1.11.0_5 / 1.13.0_1 Multiple Vulnerabilities (Oct 2019 CPU) (Windows)
NESSUS plugin ID: 130011 | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[Critical] Oracle Java SE Multiple Vulnerabilities (July 2017 CPU)
NESSUS plugin ID: 101843 | Base CVSS 3.1 score: 9,6 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.



[Critical] Oracle Java SE Multiple Vulnerabilities (January 2017 CPU) (SWEET32)
NESSUS plugin ID: 96628 | Base CVSS 3.1 score: 9,6 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[Critical] Oracle Java SE Multiple Vulnerabilities (July 2018 CPU)
NESSUS plugin ID: 111163 | Base CVSS 3.1 score: 9,0 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[Critical] Oracle Java SE Multiple Vulnerabilities (October 2018 CPU)
NESSUS plugin ID: 118228 | Base CVSS 3.1 score: 9,0 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[Critical] Oracle Java SE 1.7.0_221 / 1.8.0_211 / 1.11.0_3 / 1.12.0_1 Multiple Vulnerabilities (Apr 2019 CPU)
NESSUS plugin ID: 124198 | Base CVSS 3.1 score: 9,0 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.



[High] Oracle Java SE Hotspot JSR 292 Method Handles RCE
NESSUS plugin ID: 90828 | Base CVSS 3.1 score: 8,1 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[High] Oracle Java SE 1.7.0_321 / 1.8.0_311 / 1.11.0_13 / 1.17.0_1 Multiple Vulnerabilities (October 2021 CPU)
NESSUS plugin ID: 154344 | Base CVSS 3.1 score: 8,6 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[High] Azul Zulu Java Multiple Vulnerabilities (2021-10-19)
NESSUS plugin ID: 154381 | Base CVSS 3.1 score: 8,6 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[High] Oracle Java SE Multiple Vulnerabilities (January 2018 CPU)
NESSUS plugin ID: 106190 | Base CVSS 3.1 score: 8,3 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.



[High] Oracle Java SE 1.7.0_251 / 1.8.0_241 / 1.11.0_6 / 1.13.0_2 Multiple Vulnerabilities (Jan 2020 CPU)
NESSUS plugin ID: 132992 | Base CVSS 3.1 score: 8,1 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[High] Oracle Java SE Multiple Vulnerabilities (April 2018 CPU)
NESSUS plugin ID: 109202 | Base CVSS 3.1 score: 7,4 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[High] Oracle Java SE Multiple Vulnerabilities (April 2017 CPU)
NESSUS plugin ID: 99588 | Base CVSS 3.1 score: 8,3 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[High] Oracle Java SE 1.7.0_311 / 1.8.0_301 / 1.11.0_12 / 1.16.0_2 Multiple Vulnerabilities (July 2021 CPU)
NESSUS plugin ID: 152020 | Base CVSS 3.1 score: 7,5 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.



[High] Azul Zulu Java Multiple Vulnerabilities (2021-07-20)
NESSUS plugin ID: 153989 | Base CVSS 3.1 score: 7,5 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[Critical] Apache Tomcat 7.0.x < 7.0.100 / 8.5.x < 8.5.51 / 9.0.x < 9.0.31 Multiple Vulnerabilities
NESSUS plugin ID: 133845 | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: Yes
Description / Comment:
* CVE-2019-17569: Tomcat is behind a well configured reverse proxy, not applicable
* CVE-2020-1935: Tomcat is behind a well configured reverse proxy, not applicable
* CVE-2020-1938: Windows Firewall does not allow connection on the AJP port. The AJP port used is not the default one.
* CVSS 3.x score: 9.8; Environmental CVSS 3.x score: 8.8
  AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:A/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[Critical] Spring Framework 4.3.x < 4.3.16 / 5.0.x < 5.0.5 Remote Code Execution with spring-messaging (CVE-2018-1270)
NESSUS plugin ID: 129500 | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: Yes
Description / Comment:
* CVE-2018-1270: WebSockets are not used in this context on Myla, not applicable.
In the Myla 4.9 context, with the validated design, this vulnerability cannot happen.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.



[High] Apache Tomcat 9.0.0.M1 < 9.0.36 DoS
NESSUS plugin ID: 138098 | Base CVSS 3.1 score: 7,5 | Fixed in MAESTRIA: Yes
Description / Comment:
* CVE-2020-11996: http2 is not configured on Myla
In the Myla 4.9 context, with the validated design, this vulnerability cannot happen.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[High] Apache Tomcat 9.0.0.M1 < 9.0.37 Multiple Vulnerabilities
NESSUS plugin ID: 138591 | Base CVSS 3.1 score: 7,5 | Fixed in MAESTRIA: Yes
Description / Comment:
* CVE-2020-13934: http2 is not configured on Myla
* CVE-2020-13935: WebSockets are not used in this context on Myla, not applicable.
In the Myla 4.9 context, with the validated design, this vulnerability cannot happen.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[High] Apache Tomcat 9.x < 9.0.40 Information Disclosure
NESSUS plugin ID: 144050 | Base CVSS 3.1 score: 7,5 | Fixed in MAESTRIA: Yes
Description / Comment:
* CVE-2020-17527: http2 is not configured on Myla
* CVE-2021-24122: Myla is impacted by this vulnerability. CVSS 3.x score: 5.9
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.



[High] Apache Tomcat 9.0.0.M1 < 9.0.43 Multiple Vulnerabilities
NESSUS plugin ID: 147164 | Base CVSS 3.1 score: 7,5 | Fixed in MAESTRIA: Yes
Description / Comment:
* CVE-2021-25329: no PersistenceManager is configured on Myla
* CVE-2021-25122: http2 is not configured on Myla
In the Myla 4.9 context, with the validated design, these vulnerabilities cannot happen.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[High] Apache Tomcat 9.0.0 < 9.0.35 Remote Code Execution
NESSUS plugin ID: 136806 | Base CVSS 3.1 score: 7,0 | Fixed in MAESTRIA: Yes
Description / Comment:
* CVE-2020-9484: no PersistenceManager is configured on Myla
In the Myla 4.9 context, with the validated design, this vulnerability cannot happen.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[High] Apache POI < 3.17 Multiple DoS Vulnerabilities
NESSUS plugin ID: 106717 | Base CVSS 3.1 score: 7,5 | Fixed in MAESTRIA: Yes
Description / Comment:
* CVE-2017-12626: the POI library is used in BCI Link for a feature that exports Excel files. This feature is not enabled in the Myla context.
In the Myla 4.9 context, with the validated design, this vulnerability cannot happen.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[High] Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104)
NESSUS plugin ID: 156103 | Base CVSS 3.1 score: 7,5 | Fixed in MAESTRIA: No
Description / Comment:
* CVE-2021-4104: JMSAppender is not used on Myla
In the Myla 4.9 context, with the validated design, this vulnerability cannot happen.
Log4j will be updated in a future version.



[High] Oracle Java SE Multiple Vulnerabilities (April 2022 CPU) deprecated
NESSUS plugin ID: 159975 | Base CVSS 3.1 score: 7,5 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[High] Apache Tomcat 9.0.13 < 9.0.63 vulnerability
NESSUS plugin ID: 160894 | Base CVSS 3.1 score: 7,5 | Fixed in MAESTRIA: Yes
Description / Comment:
* CVE-2022-29885: Myla does not use Tomcat clustering.
In the Myla 4.9 context, with the validated design, this vulnerability cannot happen.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[High] Microsoft Windows Unquoted Service Path Enumeration
NESSUS plugin ID: 63155 | Base CVSS 3.1 score: 7,8 | Fixed in MAESTRIA: No
Description / Comment:
The service "Agentless Management Service" from HP contains a space in its path, and this path is not enclosed in quotes.
Only Myla installations on HP servers are impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
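As an added example (not from the bulletin and not bioMérieux code), the PowerShell function below reproduces the check behind this finding from the defender's side: it lists Windows services whose executable path contains a space but is not enclosed in quotes, which is exactly the condition the entry describes for the HP "Agentless Management Service". It is read-only and changes nothing; the function name Get-UnquotedServicePath is an assumption of this example.

```powershell
# Added defender-side check (not part of the bulletin): list services whose binary path
# contains a space and is not quoted, the condition behind Nessus plugin 63155.
# Read-only. Run from an elevated prompt so that every service is visible.

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = $_.PathName.Trim()

            # A path that starts with a quote is already protected, whatever follows it.
            if ($path.StartsWith('"')) { return }

            # Take the executable part only (up to and including ".exe"); arguments after it
            # may legitimately contain spaces and are not part of the problem.
            $exeEnd = $path.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
            if ($exeEnd -lt 0) { return }
            $exePath = $path.Substring(0, $exeEnd + 4)

            # Only an unquoted executable path with whitespace is ambiguous for the loader.
            if ($exePath -notmatch '\s') { return }

            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                StartName = $_.StartName   # account the service runs as; LocalSystem is the worst case
                PathName  = $path
            }
        }
}

# Example run: tabulate findings, or confirm the host is clean.
$findings = @(Get-UnquotedServicePath)
if ($findings.Count -eq 0) {
    Write-Host 'No services with an unquoted executable path containing spaces.'
} else {
    $findings | Format-Table -AutoSize
}
```

Remediation is to enclose the executable path in quotes in the service's ImagePath value under HKLM:\SYSTEM\CurrentControlSet\Services\<service name>; for a vendor-installed service such as the HP one named in this entry, prefer the vendor's own update where one exists, and re-run the function afterwards to confirm the finding is gone.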

[Critical] Oracle Java JDK / JRE 6 < Update 43 Remote Code Execution (Windows)
NESSUS plugin ID: 65050 | Base CVSS 3.1 score: N/A | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.



[Critical] Oracle Java SE Multiple Vulnerabilities (February 2013 CPU Update 1)
NESSUS plugin ID: 64790 | Base CVSS 3.1 score: N/A | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[High] Oracle Java SE 1.7.0_261 / 1.8.0_251 / 1.11.0_7 / 1.14.0_1 Multiple Vulnerabilities (Apr 2020 CPU)
NESSUS plugin ID: 135592 | Base CVSS 3.1 score: 8,3 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[High] SSL Medium Strength Cipher Suites Supported (SWEET32)
NESSUS plugin ID: 42873 | Base CVSS 3.1 score: 7,5 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later with the default configuration.



[High] Microsoft Defender Elevation of Privilege Vulnerability (CVE-2019-1161)
NESSUS plugin ID: 127910 | Base CVSS 3.1 score: 7,1 | Fixed in MAESTRIA: No
Description / Comment:
Microsoft's support explanations:
- Windows Defender is automatically disabled when another antivirus software is installed and can't be updated while disabled.
- The vulnerability can't be exploited as long as Defender is disabled.
- The C:\Windows\System32\MpSigStub.exe file can be deleted on demand to avoid the false positive detection. This file will be restored automatically by Windows in case Windows Defender is enabled again.
This vulnerability is a false positive due to the fact that another antivirus is installed.

[High] Oracle Java SE 1.7.0_271 / 1.8.0_261 / 1.11.0_8 / 1.14.0_2 Multiple Vulnerabilities (Jul 2020 CPU)
NESSUS plugin ID: 138522 | Base CVSS 3.1 score: 8,3 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[Critical] Apache Shiro < 1.8.0 Authentication Bypass
NESSUS plugin ID: 161731 | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: No
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.



[High] Apache Shiro < 1.4.2 Padding Attack
NESSUS plugin ID: 161730 | Base CVSS 3.1 score: 7,5 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[High] Apache Shiro < 1.6.0 Authentication Bypass
NESSUS plugin ID: 161733 | Base CVSS 3.1 score: 7,5 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[Critical] Apache Shiro < 1.5.2 Authentication Bypass
NESSUS plugin ID: 161732 | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[Critical] Apache Shiro < 1.7.0 Authentication Bypass
NESSUS plugin ID: 161694 | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.



[Critical] Apache Shiro < 1.7.1 Authentication Bypass
NESSUS plugin ID: 161693 | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[High] Apache Shiro < 1.2.5 Default Cipher Key (CVE-2016-4437)
NESSUS plugin ID: 159764 | Base CVSS 3.1 score: 8,1 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[Critical] Apache Shiro < 1.5.3 Authentication Bypass
NESSUS plugin ID: 161727 | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[High] Apache Tomcat 9.0.0.M1 < 9.0.30 Privilege Escalation Vulnerability
NESSUS plugin ID: 132419 | Base CVSS 3.1 score: 7,5 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.



[High] Oracle Java SE Multiple Vulnerabilities (July 2022 CPU)
NESSUS plugin ID: 163304 | Base CVSS 3.1 score: 7,5 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[High] Azul Zulu Java Multiple Vulnerabilities (2022-07-19)
NESSUS plugin ID: 163301 | Base CVSS 3.1 score: 7,5 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[High] Oracle Java SE Multiple Vulnerabilities (April 2022 CPU)
NESSUS plugin ID: 161241 | Base CVSS 3.1 score: 7,5 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[High] CGI Generic SQL Injection (blind)
NESSUS plugin ID: 42424 | Base CVSS 3.1 score: N/A | Fixed in MAESTRIA: Yes
Description / Comment:
False positive: the SQL injection was tested and is not exploitable.
In the Myla 4.9 context, with the validated design, this vulnerability cannot happen.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.



[High] SSL Certificate Signed Using Weak Hashing Algorithm
NESSUS plugin ID: 35291 | Base CVSS 3.1 score: 7,5 | Fixed in MAESTRIA: No
Description / Comment:
* Port not exposed in the system firewall
* Only local and technical non-sensitive data involved on port 3031
CVSS 3.1 environmental score: 4.1
CVSS 3.1 environmental vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/CR:X/IR:X/AR:X/MAV:L/MAC:H/MPR:H/MUI:X/MS:X/MC:X/MI:X/MA:X

[High] Azul Zulu Java Multiple Vulnerabilities (2022-04-19)
NESSUS plugin ID: 159902 | Base CVSS 3.1 score: 7,5 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[High] Apache Tomcat 9.0.0-M1 < 9.0.68 Request Smuggling Vulnerability
NESSUS plugin ID: 166906 | Base CVSS 3.1 score: 7,5 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[Critical] Apache Commons Text 1.5.x < 1.10.0 Remote Code Execution (CVE-2022-42889)
NESSUS plugin ID: 166250 | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: Yes
Description / Comment:
bioMérieux components do not use the vulnerable feature of the Commons Text library.
In the Myla 4.9 context, with the validated design, this vulnerability cannot happen.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.



[Critical] Apache Shiro < 1.10.0 Authentication Bypass
NESSUS plugin ID: 166679 | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: No
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.

[High] WinVerifyTrust Signature Validation CVE-2013-3900 Mitigation (EnableCertPaddingCheck)
NESSUS plugin ID: 166555 | Base CVSS 3.1 score: 7,4 | Fixed in MAESTRIA: No
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.

[Critical] Apache 2.4.x < 2.4.55 Multiple Vulnerabilities
NESSUS plugin ID: 170113 | Base CVSS 3.1 score: 9,0 | Fixed in MAESTRIA: No
Description / Comment:
* CVE-2022-37436: Myla is impacted by this vulnerability. CVSS 3.x score: 5.3
* CVE-2022-36760: mod_proxy_ajp is not used on Myla
* CVE-2006-20001: Myla is impacted by this vulnerability. CVSS 3.x score: 7.5
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.

[High] Apache Tomcat 9.0.0.M1 < 9.0.71
NESSUS plugin ID: 171657 | Base CVSS 3.1 score: 7,5 | Fixed in MAESTRIA: Yes
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[Critical] Apache 2.4.x < 2.4.56 Multiple Vulnerabilities
NESSUS plugin ID: 172186 | Base CVSS 3.1 score: 9,1 | Fixed in MAESTRIA: No
Description / Comment:
Myla may be impacted by this vulnerability.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability will be fixed in a future version.



[Critical] mozilla:Firefox
NESSUS plugin ID: N/A | Base CVSS 3.1 score: 10,0 | Fixed in MAESTRIA: Yes
Description / Comment:
Mozilla Firefox Portable Edition version 21 binary.
This binary can be safely removed (D:\biomerieux\programs\apache\2.4\htdocs\static\common\programs\browser and subfolders).
This browser may not be used in production. An up-to-date browser must be used in order to connect to Myla.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility's network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.

[Critical] PuTTY suite
NESSUS plugin ID: N/A | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: Yes
Description / Comment:
List of CVE: CVE-2017-6542, CVE-2019-17067, CVE-2019-9895, CVE-2019-9898, CVE-2021-36367, CVE-2019-9896, CVE-2019-17068, CVE-2019-17069, CVE-2019-9894, CVE-2019-9897, CVE-2021-33500
In the Myla context PuTTY is used for some troubleshooting operations.
In the Myla 4.9 context, with the validated design, these vulnerabilities cannot happen in routine usage.
The vulnerability is fixed in MAESTRIA 5.0.0 and later.



Title: vmware:spring_framework
Severity: Critical | NESSUS plugin ID: N/A | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: No
Description / Comment:
* CVE-2016-1000027: Under investigation. - CVSS3: 9.8
* CVE-2018-1270: Under investigation. - CVSS3: 9.8
* CVE-2018-1275: Under investigation. - CVSS3: 9.8
* CVE-2022-22965: Under investigation. - CVSS3: 9.8
* CVE-2014-0225: Under investigation. - CVSS3: 8.8
* CVE-2018-11040: Under investigation. - CVSS3: 7.5
* CVE-2018-1272: Under investigation. - CVSS3: 7.5
* CVE-2018-15756: Under investigation. - CVSS3: 7.5
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility’s network, such as firewalls and endpoint protection, in order to reduce the risk.

Title: 7-Zip
Severity: High | NESSUS plugin ID: N/A | Base CVSS 3.1 score: 8,8 | Fixed in MAESTRIA: No
Description / Comment:
List of CVE: CVE-2018-10172, CVE-2016-2334, CVE-2016-7804, CVE-2017-17969, CVE-2018-10115, CVE-2018-5996, CVE-2022-29072
7-Zip cannot be used remotely. There are no routine users connected to the Myla server. The bioMérieux support team already has the Administrator privilege, and customer IT (if needed) also has this privilege.
In the Myla context, this vulnerability does not add any risk.



Title: postgresql:PostgreSQL 12
Severity: High | NESSUS plugin ID: N/A | Base CVSS 3.1 score: 8,8 | Fixed in MAESTRIA: No
Description / Comment:
List of CVE: CVE-2021-32027, CVE-2022-1552, CVE-2021-23214, CVE-2022-2625
In the Myla context PostgreSQL is configured to be only locally accessible.
Design and pen-tests have been done in order to prevent SQL injections.
=> These vulnerabilities are only exploitable by a local user. In routine usage, no local users are connected to the Myla server.
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility’s network, such as firewalls and endpoint protection, in order to reduce the risk.

Title: Notepad++ (32-bit x86)
Severity: High | NESSUS plugin ID: N/A | Base CVSS 3.1 score: 7,8 | Fixed in MAESTRIA: Yes
Description / Comment:
* CVE-2019-16294
In the Myla context Notepad++ is used for some troubleshooting operations.
In the Myla 4.9 context, with the validated design, these vulnerabilities cannot happen in routine usage.
The vulnerability is fixed in MAESTRIA 5.0.0 and upper.

Title: VLC media player
Severity: Critical | NESSUS plugin ID: N/A | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: No
Description / Comment:
viLink will provide a fix in a future version.

Title: teamviewer:TeamViewer, teamviewer:TeamViewer 11 Host, teamviewer:TeamViewer 11 Host (MSI Wrapper)
Severity: Critical | NESSUS plugin ID: N/A | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: No
Description / Comment:
viLink will provide a fix in a future version.



Title: Apache HTTP Server
Severity: Critical | NESSUS plugin ID: N/A | Base CVSS 3.1 score: 9,8 | Fixed in MAESTRIA: Yes
Description / Comment:
* CVE-2023-25690: May be vulnerable (CVSS3: 9.8)
* CVE-2022-36760: mod_proxy_ajp not used
* CVE-2006-20001: May be vulnerable (CVSS3: 7.5)
* CVE-2023-27522: mod_proxy_uwsgi not used
Myla has to be deployed in a secure lab with restricted access and strong controls on the facility’s network, such as firewalls and endpoint protection, in order to reduce the risk.
The vulnerability will be fixed in a future version.



List of HIGH/CRITICAL vulnerabilities already corrected on the MYLA® application software release 4.9.0 and Lab Analytics 1.2.0

ID | Severity | Title and description | Operating system (WS 2008, W 10, WS 2016, WS 2019)

A | Critical | Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Marshalled Object Remote Code Execution
Operating system: WS 2008: Yes | W 10: -(1) | WS 2016: -(1) | WS 2019: -(1)
This vulnerability is present only on Myla systems connected to Vitek MS.
FIX IS AVAILABLE (via VILINK) : VITEK MS - Cyber Security Patch-OS 01 - See GCS INFO 3080

B | Critical | HP System Management Homepage < 7.4.1 Single Sign On Buffer Overflow RCE
Operating system: WS 2008: Yes | W 10: -(1) | WS 2016: -(1) | WS 2019: -(1)
FIX IS AVAILABLE (via VILINK) : MYLA V4.1 - Cyber Security Patch-OS 02 - See GCS INFO 2795

C | Critical | Microsoft Internet Explorer Unsupported Version Detection
Operating system: WS 2008: Yes | W 10: -(1) | WS 2016: -(1) | WS 2019: -(1)
FIX IS AVAILABLE (via VILINK) : MYLA V4.3 - Cyber Security Patch-OS 03 - See GCS INFO 2967

D | Critical | Microsoft .NET Framework Unsupported
Operating system: WS 2008: Yes | W 10: -(1) | WS 2016: -(1) | WS 2019: -(1)
FIX IS AVAILABLE SINCE APRIL 2016 WITH FCA 2853 regarding MYLA Patch Core Version 4.3.

E | Critical | Microsoft SQL Server Unsupported Version Detection
Operating system: WS 2008: Yes | W 10: -(1) | WS 2016: -(1) | WS 2019: -(1)
FIX IS AVAILABLE SINCE JANUARY 2017: VITEK MS - Cyber Security Patch OS-3 – See GCS INFO 3268

F | High | Foxit Reader < 7.2 Multiple Vulnerabilities
Operating system: WS 2008: Yes | W 10: -(1) | WS 2016: -(1) | WS 2019: -(1)
FIX IS AVAILABLE (via VILINK) : MYLA V4.4 - Cyber Security Patch-OS 04 – See GCS INFO 3248

G | High | 7-Zip < 16.00 Multiple Vulnerabilities
Operating system: WS 2008: Yes | W 10: -(1) | WS 2016: -(1) | WS 2019: -(1)
FIX IS AVAILABLE (via VILINK) : MYLA V4.4 - Cyber Security Patch-OS 04 – See GCS INFO 3248



H | High | HP System Management Homepage < 7.5.0 Multiple Vulnerabilities (FREAK)
Operating system: WS 2008: Yes | W 10: -(1) | WS 2016: -(1) | WS 2019: -(1)
FIX IS AVAILABLE (via VILINK) : MYLA V4.1 - Cyber Security Patch-OS 02 - See GCS INFO 2795

I | High | MS13-081: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2870008)
Operating system: WS 2008: Yes | W 10: -(1) | WS 2016: -(1) | WS 2019: -(1)
Some security scanners erroneously report this vulnerability even after installation of the relevant Microsoft Security Update MS13-081: the vulnerable driver in system32/drivers will be seen as updated only after a relevant USB/Serial device (e.g. USB GPRS Modem) is plugged in.
No fix needed on Myla V4.x

J | High | MS15-124: Cumulative Security Update for Internet Explorer (3116180)
Operating system: WS 2008: Yes | W 10: -(1) | WS 2016: -(1) | WS 2019: -(1)
FIX IS AVAILABLE (via VILINK) : MYLA V4.3 - Cyber Security Patch-OS 03 - See GCS INFO 2967

K | High | OpenSSL 1.0.1 < 1.0.1s Multiple Vulnerabilities (DROWN)
Operating system: WS 2008: Yes | W 10: -(1) | WS 2016: -(1) | WS 2019: -(1)
FIX IS AVAILABLE (via VILINK) : MYLA V4.3 - Cyber Security Patch-OS 03 - See GCS INFO 2967

L | Critical | KB4022722: Windows 7 and Windows 2008 R2 June 2017 Cumulative Update
Operating system: WS 2008: Yes | W 10: -(1) | WS 2016: -(1) | WS 2019: -(1)
FIX IS AVAILABLE (via VILINK) : MYLA V4.5.1 - Launch with Smart Updater Installation - See MAR 3738

M | High | MS11-025 on Windows 10 PC only: Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution (2500212).
Operating system: WS 2008: Not present | W 10: Yes | WS 2016: Not present | WS 2019: -(1)
FIX IS AVAILABLE (via VILINK) : MYLA 4.6.1 – Launched with Smart Updater Installation – See MAR 4071

N | Critical | “7-Zip < 18.05 Memory Corruption Arbitrary Code Execution”
Operating system: WS 2008: Yes | W 10: Yes | WS 2016: Yes | WS 2019: -(1)
FIX IS AVAILABLE (via VILINK) : MYLA 4.7.0 – Launched with Smart Updater Installation – GCS INFO 4236 and MAR 4438 (Myla 4.7.1)



O | Critical | KB4022715: Windows 10 Version 1607 and Windows Server 2016 June 2017 Cumulative Update
Operating system: WS 2008: Already fixed | W 10: Already fixed | WS 2016: Yes | WS 2019: -(1)
FIX IS AVAILABLE (via VILINK) : MYLA 4.7.0 – Launched with Smart Updater Installation – GCS INFO 4236 and MAR 4438 (Myla 4.7.1) (see L)

P | Critical / High | Some vulnerabilities linked to apache 2.4.23 were not reported by NESSUS: See https://nvd.nist.gov/vuln/search/results?form_type=Advanced&cves=on&cpe_version=cpe%3a%2fa%3aapache%3ahttp_server%3a2.4.23 for more details.
Operating system: WS 2008: Yes | W 10: Yes | WS 2016: Yes | WS 2019: -(1)
FIX IS AVAILABLE (via VILINK): MYLA 4.7.1 – Launched with Smart Updater Installation – GCS INFO 4236 and MAR 4438

Q | High | MS16-136: Security Update for SQL Server (3199641): This vulnerability is on VitekMS+ Saramis.
Operating system: WS 2008: Yes | W 10: No(2) | WS 2016: Yes | WS 2019: -(1)
FIX IS AVAILABLE: See VITEK MS – Cyber Security Patch OS-4 (GCS INFO 4380)

R | High | MS11-025: Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution (2500212): This vulnerability is on VitekMS+ Saramis.
Operating system: WS 2008: No(3) | W 10: No(2) | WS 2016: Yes | WS 2019: -(1)
FIX IS AVAILABLE: See VITEK MS – Cyber Security Patch OS-4 (GCS INFO 4380)

S | High | Java JMX Agent Insecure Configuration: This vulnerability is on VitekMS and can allow a remote attacker to monitor and manage (start/stop/modify) the VitekMS application running on the Myla server.
Operating system: WS 2008: Yes | W 10: Yes | WS 2016: Yes | WS 2019: -(1)
FIX IS AVAILABLE: See VITEK MS – Cyber Security Patch OS-4 (GCS INFO 4380)



T | High | PuTTY < 0.71 Multiple Vulnerabilities
Operating system: WS 2008: Yes | W 10: Yes | WS 2016: Yes | WS 2019: -(1)
- A remotely triggerable buffer overflow in any kind of server-to-client forwarding. (CVE-2019-9895)
- Potential recycling of random numbers used in cryptography. (CVE-2019-9898)
- A remotely triggerable memory overwrite in RSA key exchange can occur before host key verification. (CVE-2019-9894)
FIX IS AVAILABLE (via VILINK): MYLA 4.8.0 – Installed with Smart Updater Installation – GCS-INFO 4687

U | High | “Insecure Windows Service Permissions”: Windows services are now launched by using a specific service account with limited ACL.
Operating system: WS 2008: No | W 10: Yes | WS 2016: No | WS 2019: -(1)
FIX IS AVAILABLE (via VILINK): MYLA 4.8.0 – Installed with Smart Updater Installation – GCS-INFO 4687

V | Critical | Adobe Flash Player Unsupported Version Detection: Adobe Flash Player is no longer supported, so no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities.
Operating system: WS 2008: N/A(4) | W 10: Yes | WS 2016: No | WS 2019: -(1)
FIXED by WINDOWS 10 monthly security update (February and/or March 2021)

W | Critical | Microsoft Windows 7 / Server 2008 R2 Unsupported Version Detection
Operating system: WS 2008: Yes | W 10: No | WS 2016: No | WS 2019: -(1)
FIXED by Myla 4.9 -> Installation/update not allowed on Windows 2008

X | High | “SSL Version 2 and 3 Protocol Detection” on port 9200
Operating system: WS 2008: N/A(4) | W 10: Yes | WS 2016: Yes | WS 2019: -(1)
FIXED by Lab Analytics 1.2.0

Y | High | PostgreSQL 9.6.x < 9.6.20 Multiple Vulnerabilities
Operating system: WS 2008: N/A(4) | W 10: Yes | WS 2016: Yes | WS 2019: -(1)
FIXED by Myla 4.9 (PostgreSQL updated to 12.5)



Z | High | Apache Log4j < 2.15.0 Remote Code Execution (Windows)
Operating system: WS 2008: N/A(4) | W 10: Yes | WS 2016: Yes | WS 2019: -(1)
FIXED by log4j patch (see last revision of CSN 5493)
Vulnerable versions of Log4j are used by Myla:
• Log4j 2.X:
  o Versions impacted: Myla 4.6.1 and upper
  o A patch has been released (see last revision of CSN 5493)
    ▪ The patch is applicable by the FSE/FAS to:
      • Myla 4.7.1 (without order-entry)
      • Myla 4.8.2 (without order-entry)
      • Myla 4.9 (with or without order-entry)
    ▪ The patch is applicable by the customer on Myla 4.9 only.
• Log4j 1.X:
  o Version impacted: Myla 4.1 and upper
  o In the Myla context the JMSAppender is not used, so the vulnerability is not applicable.

AA | Critical | Apache 2.4.x < 2.4.46 Multiple Vulnerabilities (NESSUS plugin 139574)
Operating system: WS 2008: N/A(4) | W 10: Yes | WS 2016: Yes | WS 2019: Yes
FIXED by Myla 4.9 Cybersecurity patch 1

AB | Critical | Apache 2.4.x >= 2.4.7 / < 2.4.52 Forward Proxy DoS / SSRF (NESSUS plugin 156255)
Operating system: WS 2008: N/A(4) | W 10: Yes | WS 2016: Yes | WS 2019: Yes
FIXED by Myla 4.9 Cybersecurity patch 1

AC | High | Apache >= 2.4.17 < 2.4.49 mod_http2 (NESSUS plugin 153585)
Operating system: WS 2008: N/A(4) | W 10: Yes | WS 2016: Yes | WS 2019: Yes
FIXED by Myla 4.9 Cybersecurity patch 1

AD | High | Apache >= 2.4.30 < 2.4.49 mod_proxy_uwsgi (NESSUS plugin 153586)
Operating system: WS 2008: N/A(4) | W 10: Yes | WS 2016: Yes | WS 2019: Yes
FIXED by Myla 4.9 Cybersecurity patch 1

AE | Critical | Apache 2.4.x < 2.4.52 mod_lua Buffer Overflow (NESSUS plugin 161454)
Operating system: WS 2008: N/A(4) | W 10: Yes | WS 2016: Yes | WS 2019: Yes
FIXED by Myla 4.9 Cybersecurity patch 1

AF | High | Apache 2.4.x < 2.4.48 Vulnerability (NESSUS plugin 150244)
Operating system: WS 2008: N/A(4) | W 10: Yes | WS 2016: Yes | WS 2019: Yes
FIXED by Myla 4.9 Cybersecurity patch 1

AG | Critical | Apache 2.4.x < 2.4.47 Multiple Vulnerabilities (NESSUS plugin 150280)
Operating system: WS 2008: N/A(4) | W 10: Yes | WS 2016: Yes | WS 2019: Yes
FIXED by Myla 4.9 Cybersecurity patch 1

AH | Critical | Apache < 2.4.49 Multiple Vulnerabilities (NESSUS plugin 153584)
Operating system: WS 2008: N/A(4) | W 10: Yes | WS 2016: Yes | WS 2019: Yes
FIXED by Myla 4.9 Cybersecurity patch 1

AI | Critical | Apache < 2.4.49 Multiple Vulnerabilities (NESSUS plugin 153583)
Operating system: WS 2008: N/A(4) | W 10: Yes | WS 2016: Yes | WS 2019: Yes
FIXED by Myla 4.9 Cybersecurity patch 1

AJ | Critical | Apache 2.4.x < 2.4.41 Multiple Vulnerabilities (NESSUS plugin 128033)
Operating system: WS 2008: N/A(4) | W 10: Yes | WS 2016: Yes | WS 2019: Yes
FIXED by Myla 4.9 Cybersecurity patch 1

AK | Critical | Apache 2.4.x < 2.4.54 Multiple Vulnerabilities (NESSUS plugin 161948)
Operating system: WS 2008: N/A(4) | W 10: Yes | WS 2016: Yes | WS 2019: Yes
FIXED by Myla 4.9 Cybersecurity patch 1

AL | Critical | Apache 2.4.x < 2.4.53 Multiple Vulnerabilities (NESSUS plugin 158900)
Operating system: WS 2008: N/A(4) | W 10: Yes | WS 2016: Yes | WS 2019: Yes
FIXED by Myla 4.9 Cybersecurity patch 1

(1): Myla was not available on this Operating System when the vulnerability was found.
(2): VitekMS+ Saramis is not supported on Myla PC
(3): Not reported by Nessus on our platform
(4): Windows 2008 not monitored anymore since May 2020

As specified in the User Manual, bioMérieux highly recommends performing the qualification procedure after any security update.

Yours Sincerely,

System Development
La Balme



Appendix A

Cybersecurity patches

Cybersecurity patch 1 to 4

Refer to corresponding GCS information.

Cybersecurity patch 5 (Myla 4.5.1)

Not available as a standalone package. Included in Myla 4.5.1 Smart Updater and following.

List of vulnerabilities fixed:


• L: KB4022722: Windows 7 and Windows 2008 R2 June 2017 Cumulative Update

Cybersecurity patch 6 (Myla 4.6.1)

Not available as a standalone package. Included in Myla 4.6.1 Smart Updater and following.

List of vulnerabilities fixed:


• M: MS11-025 on Windows 10 PC only: Vulnerability in Microsoft Foundation Class (MFC) Library Could
Allow Remote Code Execution (2500212)

Cybersecurity patch 7 (Myla 4.7.0)

Not available as a standalone package. Included in Myla 4.7 Smart Updater and following.

List of vulnerabilities fixed:


• N: Critical “7-Zip < 18.05 Memory Corruption Arbitrary Code Execution”
• O: KB4022715: Windows 10 Version 1607 and Windows Server 2016 June 2017 Cumulative Update

Note: Since Myla 4.7.0 all communication between the browser and the Myla server is done over HTTPS (that is to say, the communication is encrypted).

Cybersecurity patch 8 (Myla 4.7.1)

Not available as a standalone package. Included in Myla 4.7.1 Smart Updater and following.

List of vulnerabilities fixed:


• P: Vulnerabilities in apache 2.4.23
• Disable SSLv3.0

Cybersecurity patch 9 (Myla 4.8.0)

Not available as a standalone package. Included in Myla 4.8.0 Smart Updater and following.

List of vulnerabilities fixed:


• T: PuTTY < 0.71 Multiple Vulnerabilities
• U: ACL are implemented with Myla 4.8 (service account for Windows services and ACL on files/folders)



Cybersecurity improvement in Myla 4.9.0

List of vulnerabilities fixed:


• W: “Microsoft Windows 7 / Server 2008 R2 Unsupported Version Detection”
Windows 2008 is no longer supported by Myla 4.9
• X: “SSL Version 2 and 3 Protocol Detection” on port 9200
Fixed by Lab Analytics 1.2.0
• Y: “PostgreSQL 9.6.x < 9.6.20 Multiple Vulnerabilities”
PostgreSQL updated to version 12.5

Other improvements:
• Several component updates, including:
o Apache HTTP Server updated to version 2.4.39
o PostgreSQL updated to version 12.5
• More secure management of the bmx_admin account password

Log4shell patch (applicable on Myla 4.7.1, 4.8.2 and 4.9)

List of vulnerabilities fixed:


• Z: Apache Log4j < 2.15.0 Remote Code Execution (Windows)

Myla 4.9 Cybersecurity patch 1 (applicable on Myla 4.9)


Cf. 2022-062-0 – MYLA® 4.9 CYBERSECURITY PATCH

This Cybersecurity patch includes the following features:

• Update Apache to 2.4.54
• Installation of the log4j patch, even if already installed (in case it was not installed, or was forgotten after a MYLA update)
• Disable the Tomcat Apache JServ Protocol (AJP) connector
• Remove the folder %BIOMERIEUX_PROGRAMS%\sso\archive
• Block access to some directories through a web browser without authentication
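A post-installation check for the patch items above, written for this bulletin as an added example (it is not bioMérieux code and not part of the patch): it verifies the Apache version, the absence of an active AJP connector, the removal of the sso\archive folder and, from the open-vulnerability table, the removal of the Firefox Portable binary. The %BIOMERIEUX_PROGRAMS%\sso\archive and htdocs browser paths come from this bulletin; the httpd.exe and server.xml locations are assumptions to adapt to the site.

```powershell
# Added example, not part of the bioMérieux bulletin or of the Myla product.
# Verifies on a Myla 4.9 server that the Cybersecurity patch 1 items are in place.
$ApacheBin    = 'D:\biomerieux\programs\apache\2.4\bin\httpd.exe'   # assumed location
$TomcatConfig = 'D:\biomerieux\programs\tomcat\conf\server.xml'     # placeholder, adapt
$BrowserDir   = 'D:\biomerieux\programs\apache\2.4\htdocs\static\common\programs\browser'  # from the bulletin

$checks = @()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $script:checks += [pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

# 1. Apache updated to 2.4.54 or later ("httpd -v" prints "Server version: Apache/2.4.54 (Win64)")
if (Test-Path $ApacheBin) {
    $line = (& $ApacheBin -v 2>&1) | Select-String -Pattern 'Apache/(\d+\.\d+\.\d+)' | Select-Object -First 1
    if ($line) {
        $ver = [version]$line.Matches[0].Groups[1].Value
        Add-Check 'Apache >= 2.4.54' ($ver -ge [version]'2.4.54') "found $ver"
    } else {
        Add-Check 'Apache >= 2.4.54' $false 'version banner not recognised'
    }
} else {
    Add-Check 'Apache >= 2.4.54' $false "httpd.exe not found at $ApacheBin"
}

# 2. Tomcat AJP disabled: no active <Connector protocol="AJP/..."> in server.xml.
#    A connector that was commented out is ignored by the XML parser, which is the intent.
if (Test-Path $TomcatConfig) {
    [xml]$serverXml = Get-Content -Path $TomcatConfig -Raw
    $ajp = @($serverXml.SelectNodes('//Connector') | Where-Object { $_.protocol -like 'AJP/*' })
    Add-Check 'Tomcat AJP disabled' ($ajp.Count -eq 0) "$($ajp.Count) active AJP connector(s)"
} else {
    Add-Check 'Tomcat AJP disabled' $false "server.xml not found at $TomcatConfig"
}

# 3. %BIOMERIEUX_PROGRAMS%\sso\archive removed (environment variable named in the bulletin)
if ($env:BIOMERIEUX_PROGRAMS) {
    $ssoArchive = Join-Path $env:BIOMERIEUX_PROGRAMS 'sso\archive'
    Add-Check 'sso\archive removed' (-not (Test-Path $ssoArchive)) $ssoArchive
} else {
    Add-Check 'sso\archive removed' $false 'BIOMERIEUX_PROGRAMS is not set'
}

# 4. Obsolete Firefox Portable binary removed (open item "mozilla:Firefox" above)
Add-Check 'Firefox Portable removed' (-not (Test-Path $BrowserDir)) $BrowserDir

$checks | Format-Table -AutoSize
$failed = @($checks | Where-Object { -not $_.Pass }).Count
Write-Host "$failed check(s) failed"
exit $failed
```

Run it in an elevated PowerShell session on the Myla server after the patch; a non-zero exit code means at least one item is not in the expected state.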

List of vulnerabilities fixed:


• AA: Apache 2.4.x < 2.4.46 Multiple Vulnerabilities (NESSUS plugin 139574)
• AB: Apache 2.4.x >= 2.4.7 / < 2.4.52 Forward Proxy DoS / SSRF (NESSUS plugin 156255)
• AC: Apache >= 2.4.17 < 2.4.49 mod_http2 (NESSUS plugin 153585)
• AD: Apache >= 2.4.30 < 2.4.49 mod_proxy_uwsgi (NESSUS plugin 153586)
• AE: Apache 2.4.x < 2.4.52 mod_lua Buffer Overflow (NESSUS plugin 161454)
• AF: Apache 2.4.x < 2.4.48 Vulnerability (NESSUS plugin 150244)
• AG: Apache 2.4.x < 2.4.47 Multiple Vulnerabilities (NESSUS plugin 150280)
• AH: Apache < 2.4.49 Multiple Vulnerabilities (NESSUS plugin 153584)
• AI: Apache < 2.4.49 Multiple Vulnerabilities (NESSUS plugin 153583)
• AJ: Apache 2.4.x < 2.4.41 Multiple Vulnerabilities (NESSUS plugin 128033)
• AK: Apache 2.4.x < 2.4.54 Multiple Vulnerabilities (NESSUS plugin 161948)
• AL: Apache 2.4.x < 2.4.53 Multiple Vulnerabilities (NESSUS plugin 158900)



Appendix B

Myla communication over the network

Communication flow | Encryption status

Web browser <-> Myla Server | Yes
Full HTTPS since Myla 4.7

LIS <-> BCI on Myla Server | Yes
FTPS supported since Myla 4.7 with BCI Connect

Remote BCI GUI <-> BCI on Myla Server | BCI Connect: Yes
BCI Connect is available since Myla 4.7
| BCI Link: No
Use BCI Connect instead.

Instruments <-> Myla Server | Vitek2 <-> Myla: Yes
The communication between Vitek2 9.01 (and above) and Myla can be encrypted (See service documentation for instructions)
| Virtuo <-> Myla: Yes
The communication between Virtuo R3.0 (and above) and Myla can be encrypted (See service documentation for instructions)
| VitekMS <-> Myla: Yes
The communication between Vitek MS 3.1 (and above) and Myla is encrypted.
| BacT <-> Myla: No
| Adagio <-> Myla: No
| bioTyper <-> Myla: No

