Publication date: December 17, 2021
Last update: March 11, 2022

Varian is aware of the vulnerabilities in the Apache Java library Log4j. While our cybersecurity experts continue to analyze and address potential impact to our products, we are providing this advisory to customers to alert them to products and services that may be affected. The vulnerability details are available at Mitre.org (CVE-2021-44228, CVE-2021-45046) and Apache.org (Apache Log4j 2).

When appropriate, Varian provides specific countermeasures for products where fixes are not yet available. The details of such countermeasures, along with a detailed analysis of the vulnerability for each product will be made available, as appropriate, through Knowledge Articles posted on the MyVarian customer portal.

Please note that this advisory, including the potentially affected products, may be updated based on further analysis.

Potentially Affected Products and Solutions

Product Group Product Version Status Varian
Remediation/ Mitigation
Customer Remediation/ Mitigation Options:
Acuity Acuity® All Not Affected Not Applicable Not Applicable
4DITC 4DITC All Not Affected Not Applicable Not Applicable
ARIA Connect ARIA Connect (Cloverleaf) All Not Affected Not Applicable Not Applicable
ARIA Medical Oncology ARIA® oncology information system for Medical Oncology All Not Affected Not Applicable Not Applicable
ARIA Medical Oncology XMediusFax® for ARIA® oncology information system for Medical Oncology All Affected See Knowledge Articles: 000038891, 000038892, and 000038894 on MyVarian See Knowledge Articles: 000038891, 000038892, and 000038894 on MyVarian
ARIA Radiation Oncology ARIA® oncology information system for Radiation Oncology All Not Affected Not Applicable Not Applicable
ARIA Radiation Oncology ARIA eDOC All Not Affected Not Applicable Not Applicable
ARIA Radiation Oncology XMediusFax® for ARIA® oncology information system for Radiation Oncology All Affected See Knowledge Articles: 000038891, 000038892, and 000038894 on MyVarian See Knowledge Articles: 000038891, 000038892, and 000038894 on MyVarian
ARIA Radiation Therapy Management System (RTM) ARIA Radiation Therapy Management System (RTM) All Not Affected Not Applicable Not Applicable
Bravos® Bravos® Console All Not Affected Not Applicable Not Applicable
Calypso® Calypso® All Not Affected Not Applicable Not Applicable
Clinac® Clinac® All Not Affected Not Applicable Not Applicable
Cloud Planner Cloud Planner All Not Affected Not Applicable Not Applicable
D3 Planning Online D3 Planning Online All Not Affected Not Applicable Not Applicable
DoseLab DoseLab All Not Affected Not Applicable Not Applicable
Eclipse™ Eclipse™ treatment planning software All Not Affected Not Applicable Not Applicable
ePeerReview ePeerReview™ All Affected Patching completed Not Applicable
Ethos® Ethos All Not Affected Not Applicable Not Applicable
FullScale™ FullScale™ oncology IT solutions All Affected See Knowledge Article: 000038900 on MyVarian Not Applicable
Halcyon® Halcyon® system All Not Affected Not Applicable Not Applicable
Identify Identify All Not Affected Not Applicable Not Applicable
Information Exchange Manager (IEM) Information Exchange Manager (IEM) All Not Affected Not Applicable Not Applicable
InSightive™ analytics InSightive™ analytics v.1.6-1.8 MR2 Affected Vulnerability addressed in InSightive v.1.8 MR3, now available. See Knowledge Articles: 000038873, 000038879, and 000038881 on MyVarian

Vulnerability addressed in InSightive v.1.8 MR3, now available.
Large Integrated Oncology Network (LION) Large Integrated Oncology Network (LION) All Not Affected Not Applicable Not Applicable
MICAP MICAP All Not Affected Not Applicable Not Applicable
Mobius Mobius3D® platform All Not Affected Not Applicable Not Applicable
Noona® Noona® All Affected Patching Completed Not Applicable
On-Board Imager® On-Board Imager® All Not Affected Not Applicable Not Applicable
PortalVision Avanced Imaging (PVAI) PortalVision Avanced Imaging (PVAI) All Not Affected Not Applicable Not Applicable
ProBeam® ProBeam® All Not Affected Not Applicable Not Applicable
Qumulate Qumulate All Not Affected Not Applicable Not Applicable
Real-time Position Management (RPM) Real-time Position Management (RPM) All Not Affected Not Applicable Not Applicable
Respiratory Gating for Scanners (RGSC) Respiratory Gating for Scanners (RGSC) All Not Affected Not Applicable Not Applicable
SmartConnect® SmartConnect® solution All Affected See Knowledge Article: 000038850 on MyVarian Not Applicable
SmartConnect® SmartConnect® solution Policy Server All Affected Not Applicable See Knowledge Articles: 000038831 and 000038832 on MyVarian
TPaaS TPaaS All Not Affected Not Applicable Not Applicable
TrueBeam® TrueBeam® radiotherapy system All Not Affected Not Applicable Not Applicable
UNIQUE UNIQUE® system All Not Affected Not Applicable Not Applicable
Varian Authentication and Identity Server (VAIS) Varian Authentication and Identity Server (VAIS) All Not Affected Not Applicable Not Applicable
Varian Managed Services Cloud Varian Managed Services Cloud All Not Affected Not Applicable Not Applicable
Varian Mobile Varian Mobile App 2.0, 2.5 Not Affected Not Applicable Not Applicable
VariSeed VariSeed All Not Affected Not Applicable Not Applicable
Velocity Velocity All Not Affected Not Applicable Not Applicable
VitalBeam VitalBeam® radiotherapy system All Not Affected Not Applicable Not Applicable
Vitesse Vitesse All Not Affected Not Applicable Not Applicable

Note: Not all features or products are available in all markets and are subject to change.