This document contains information about the assessment of log4j software within Nox Medical Products
The summary of the Nox Medical assessment is the following:
Leaders of the Nox Medical Engineering Team have assessed the Nox Medical Systems to identify if the systems are affected by the log4j vulnerability. The assessment is documented in the following records:
- Nox Sleep System BLE - Cybersecurity Management (TF-02653 : REV02)
- Nox Sleep System - Cybersecurity Management (TF-00075 : REV09)
The following products are under scope:
- Noxturnal App
- C1 Access Point
- A1s Recorder
A special consideration was added for possible hazards introduced by the log4j vulnerability (CVE-2021-45046). The only component developed in the java programming language in the systems is the Noxturnal App, which does not include the log4j software package. The Nox C1 Access Point runs a Linux OS with a number of 3rd party packages installed. An assessment shows that the Nox C1 Access Point does not contain any java runtime environment and the log4j software package is not installed on the device.
The Nox Sleep systems are not affected by the Log4j vulnerability.
Guðmundur Hauksson - Director of Engineering