In late July, a possible VistA security vulnerability was discovered as part of an academic exercise at a major university. The VISTA Expertise Network validated the vulnerability for some VistA configurations, and contacted OSEHRA to coordinate a community response. A special open-source project group was formed. Operating under non-disclosure agreements (industry best practice in handling zero-day exploits), OSEHRA members and collaborating partners (including VA and IHS) worked jointly to create and test an applicable patch.
As of this morning, a patch is being disseminated to VA facilities, and IHS distribution should commence in a day or two. To provide an opportunity for additional installations to protect their systems within this window, OSEHRA is offering this patch in advance of its general release to the community. For access, contact firstname.lastname@example.org; a simple non-disclosure agreement (NDA) will be required, which will expire when the patch is publicly available on the OSEHRA site. This early distribution is limited in scope. Parties who execute the NDA may also distribute this patch to their direct customers and partners, but only if a similar non-disclosure agreement is executed. While the patch has been tested to the best of our ability, system administrators are cautioned to conduct appropriate offline testing before production installation.
If you do not wish to execute an NDA, the patch will be generally available for download from the OSEHRA Web site as soon as we have confirmation of deployment throughout VA and IHS (approximately 1 week). If you are a corporate member and have already executed an NDA, the patch is currently available to you and you may disregard this message.