oviva epa4all-client Unauthenticated Document Injection Vulnerability in Electronic Health Records

Vulnerability

A vulnerability in the oviva epa4all-client Java application, in versions through 1.2.4, allows any caller that can reach the service over the network to write arbitrary documents to patients' electronic health records. The service performs these writes using the institution's SMC-B card, so an unauthenticated caller inherits that card's authority. In misconfigured deployments, including those that follow the project's production Docker example, the vulnerability can be exploited from the local network without credentials.

Impact

Exploitation of this vulnerability allows an unauthenticated attacker to write documents of their choosing into patients' electronic health records, which can be used to manipulate or falsify patient data under the institution's identity.

Remediation

No patched version is available. As a workaround, restrict which callers can reach the service: use network policies or a proxy in front of the service to enforce service-to-service authentication such as mutual TLS, or run the service in an isolated network namespace (for example as a Kubernetes sidecar next to its only legitimate consumer) or inside a service mesh that applies the same policies.
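The following Kubernetes manifests are an added example of the network-policy workaround described above; they are not part of the advisory or of the epa4all-client project. They apply a default-deny ingress policy to the namespace and then allow only one labelled consumer to reach the epa4all-client pods. The namespace name (epa), the pod labels (app=epa4all-client, app=epa-consumer) and the service port (8080) are assumptions and must be adjusted to the actual deployment.

```yaml
# Added example, not from the advisory or the epa4all-client project.
# Assumed values: namespace "epa", client pods labelled app=epa4all-client,
# the single legitimate caller labelled app=epa-consumer, service port 8080.
#
# 1. Default-deny ingress for every pod in the namespace. Any pod not
#    matched by a more specific allow rule below accepts no inbound traffic.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: epa
spec:
  podSelector: {}          # empty selector = all pods in the namespace
  policyTypes:
    - Ingress              # no "ingress" list given, so nothing is allowed
---
# 2. Allow only the labelled consumer to reach the epa4all-client pods,
#    and only on the assumed service port. Traffic from any other pod,
#    namespace or host is still dropped by the default-deny policy above.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: epa4all-client-allow-consumer
  namespace: epa
spec:
  podSelector:
    matchLabels:
      app: epa4all-client
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: epa-consumer
      ports:
        - protocol: TCP
          port: 8080
```

NetworkPolicy objects are only enforced when the cluster's CNI plugin supports them; on a cluster without such a plugin they are accepted by the API server but have no effect. After applying, verify from a pod without the app=epa-consumer label that a connection to the epa4all-client service port times out, and from a labelled consumer pod that it succeeds. This restricts reachability only; it does not add authentication, so a compromised consumer pod can still write documents, which is why the advisory also recommends mutual TLS at a proxy or service mesh.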

Added: May 26, 2026, 9:40 PM
Updated: May 26, 2026, 9:40 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.5
remediation: 0.0
relevance: 9.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.