Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2013.1195 Xerox Security Bulletin XRX13-007 2 September 2013 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: FreeFlox Print Server Publisher: Xerox Operating System: Windows Solaris Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Modify Arbitrary Files -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2013-3813 CVE-2013-3799 CVE-2013-3757 CVE-2013-3745 CVE-2013-2474 CVE-2013-2473 CVE-2013-2472 CVE-2013-2471 CVE-2013-2470 CVE-2013-2469 CVE-2013-2468 CVE-2013-2467 CVE-2013-2466 CVE-2013-2465 CVE-2013-2464 CVE-2013-2463 CVE-2013-2462 CVE-2013-2461 CVE-2013-2459 CVE-2013-2457 CVE-2013-2456 CVE-2013-2455 CVE-2013-2454 CVE-2013-2453 CVE-2013-2452 CVE-2013-2451 CVE-2013-2450 CVE-2013-2448 CVE-2013-2447 CVE-2013-2446 CVE-2013-2445 CVE-2013-2444 CVE-2013-2443 CVE-2013-2442 CVE-2013-2437 CVE-2013-2412 CVE-2013-2407 CVE-2013-1667 CVE-2013-1571 CVE-2013-1500 CVE-2013-0398 CVE-2013-0338 CVE-2013-0214 CVE-2013-0213 CVE-2013-0169 CVE-2013-0166 CVE-2012-6329 CVE-2012-5667 CVE-2012-5134 CVE-2012-3817 CVE-2012-3374 CVE-2012-2845 CVE-2012-2841 CVE-2012-2840 CVE-2012-2837 CVE-2012-2836 CVE-2012-2814 CVE-2012-2813 CVE-2012-2812 CVE-2012-1150 CVE-2012-0876 CVE-2012-0845 CVE-2012-0814 CVE-2011-4317 CVE-2011-3389 CVE-2011-3368 CVE-2011-0465 CVE-2011-0419 CVE-2010-5107 Reference: ASB-2013.0093 ASB-2013.0086 ASB-2013.0075 ASB-2013.0069 ASB-2013.0025 ASB-2012.0177 ASB-2012.0164 ASB-2012.0103 ASB-2012.0102 ASB-2012.0021 ASB-2012.0016 ASB-2012.0003 Original Bulletin: http://www.xerox.com/download/security/security-bulletin/12047-4e4eed8d42ca6/cert_XRX13-007_v1.0.pdf - --------------------------BEGIN INCLUDED TEXT-------------------- Xerox Security Bulletin XRX13-007 FreeFlow Print Server v7, v8 and v9 July 2013 Security Patch Cluster (includes Java 6 Update 51 Software) v1.0 08/27/2013 Background Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow PrintServer (FFPS) Support Contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call. This bulletin announces the availability of the following: 1. July 2013 Security Patch Cluster This supersedes the April 2013 Security Patch Cluster 2. Java 6 Update 51 Software This supersedes Java 6 Update 45 Software The Security vulnerabilities that are remediated with this FFPS Security patch delivery are as follows: CVE-2010-5107 CVE-2012-2814 CVE-2013-0169 CVE-2013-2407 CVE-2013-2451 CVE-2013-2465 CVE-2011-0419 CVE-2012-2836 CVE-2013-0213 CVE-2013-2412 CVE-2013-2452 CVE-2013-2466 CVE-2011-0465 CVE-2012-2837 CVE-2013-0214 CVE-2013-2437 CVE-2013-2453 CVE-2013-2467 CVE-2011-3368 CVE-2012-2840 CVE-2013-0338 CVE-2013-2442 CVE-2013-2454 CVE-2013-2468 CVE-2011-3389 CVE-2012-2841 CVE-2013-0398 CVE-2013-2443 CVE-2013-2455 CVE-2013-2469 CVE-2011-4317 CVE-2012-2845 CVE-2013-1667 CVE-2013-2444 CVE-2013-2456 CVE-2013-2470 CVE-2012-0814 CVE-2012-3374 CVE-2013-3745 CVE-2013-2445 CVE-2013-2457 CVE-2013-2471 CVE-2012-0845 CVE-2012-3817 CVE-2013-3757 CVE-2013-2446 CVE-2013-2459 CVE-2013-2472 CVE-2012-0876 CVE-2012-5134 CVE-2013-3799 CVE-2013-2447 CVE-2013-2461 CVE-2013-2473 CVE-2012-1150 CVE-2012-5667 CVE-2013-3813 CVE-2013-2448 CVE-2013-2462 CVE-2013-2474 CVE-2012-2812 CVE-2012-6329 CVE-2013-1500 CVE-2013-2450 CVE-2013-2463 CVE-2012-2813 CVE-2013-0166 CVE-2013-1571 CVE-2013-2451 CVE-2013-2464 Note: Xerox recommends that customers evaluate their security needs periodically and if they need Security patches to address the above CVE issues, schedule an activity with their Xerox Service team to install this announced Security Patch Cluster. Applicability FFPS v7 These FFPS v7 Security updates are intended for Xerox printer products running the FFPS 73.D2.33 and 73.C5.11 software releases. The July 2013 Security Patch Cluster has not been tested with the FFPS 73.C3.51, 73.C0.41, 73.B3.6 and, 73.B0.73 software releases, but there should not be any problems on these releases. FFPS v8 These FFPS v8 Security updates are intended for Xerox printer products running the FFPS 82.D1.44 (for EPC, 770 / 700i DCP, XC 550/560 and XC 800/1000) and 81.D0.73 (for iGen4) software releases. It is also supported on the FFPS 82.C5.24 / 82.C3.31 SPAR software releases (for EPC, XC 550/560 and XC 800/1000) and FFPS 81.C4.01 (for iGen4). The July 2013 Security Patch Cluster has not been tested with the FFPS 81.B0.34A and 82.C1.41 software releases, but there should not be any problems on these releases. FFPS v9 These FFPS v9 Security updates are intended for Xerox printer products running the FFPS 91.D2..32 (for XC 800/1000, iGen4 and iGen 150 Printers), FFPS 91.C4. 71 (for XC 800/1000 printers) and FFPS 90.D0.46 (for D95/110/125 printers) SPAR software releases. The July 2013 Security Patch Cluster has not been tested with the FFPS 91.C4.71 software and 90.B4.22A (for D95/110/125 printers) launch software release, but there should not be any problems on these releases. The Xerox Customer Service Engineer (CSE)/Analyst is provided a tool (accessible from CFO Web site) that enables the analyst to confirm the currently installed FFPS software release, Security Patch Cluster, and Java Software version. When this Security update has been installed on the FFPS system, example output from this script for the FFPS v8 software release is as following: FFPS Release Version: 8.0_SP-3 (82.D1.44) FFPS Patch Cluster: July 2013 Java Version: Java 6 Update 51 Patch Install The install of these Security patches must be performed by a Xerox CSE or Analyst. The customer process to obtain this Security update is to call the Xerox support number to request the service. Xerox strives to deliver these critical Security patch updates in a timely manner. The method available for delivery is an FTP transfer to the FFPS system or writing the patch cluster to DVD/USB media. Once the Security patch updates are ready for customer delivery they are made available on the CFO Web site. The Xerox CSE/Analyst can download and prepare for the install by writing the Security patch updateinto a known directory on the FFPS system, or on DVD/USB media. The FFPS Security Patch Cluster is delivered as an ISO image and ZIP archive file to provide the Xerox CSE/Analyst options to choose an install method. Once the patch cluster has been prepared on media an install script can be run to perform the install. The install script accepts an argument that identifies the media that contains a copy of the FFPS Security Patch Cluster. (e.g., # installSecPatches.sh [ disk | dvd | usb ]). Important: The install of this Security patch update can fail if the archive file containing the patches is corrupted from file transfer or writing to DVD media. There have been reported install failures when the archive file written on DVD media was corrupt. The Security patch update could be corrupted when writing to media by particular DVD burn applications writing on some DVD media types. It is very important that the Security patch archive written onto the DVD install media be verified with the original archive file that was written to DVD. The Security patch cluster is delivered as a ZIP and an ISO file. The file size and check sum of these files on Windows and Solaris are as follows: FFPS v7 Security Patch File Windows Size (Kb) Solaris Size (bytes) Solaris Checksum Jul2013AndJava6U51Patches_v7.zip 1,729,673 1,771,184,717 9464 3459346 Jul2013AndJava6U51Patches_v7.iso 1,730,024 1,772,544,576 34754 3460048 The Jul2013AndJava6U51Patches_v7.zip listed on the DVD media can be verified by comparing it to the original archive file size and checksum. Copy this archive to a location on the FFPS system and type sum Jul2013AndJava6U51Patches_v7.zip from a terminal window. The checksum value should be 9464 3450346, and this validates the correct July 2013 Security Patch Cluster is written on the DVD. FFPS v8 Security Patch File Windows Size (Kb) Solaris Size (bytes) Solaris Checksum Jul2013AndJava6U51Patches_v8.zip 1,745,371 1,787,258,894 13298 3490741 Jul2013AndJava6U51Patches_v8.iso 1,745,722 1,787,619,328 38068 3491444 The Jul2013AndJava6U51Patches_v8.zip listed on the DVD media can be verified by comparing it to the original archive file size and checksum. Copy this archive to a location on the FFPS system and type sum Jul2013AndJava6U51Patches_v8.zip from a terminal window. The checksum value should be 13298 3490741, and this validates the correct July 2013 Security Patch Cluster is written on the DVD. FFPS v9 Security Patch File Windows Size (Kb) Solaris Size (bytes) Solaris Checksum Jul2013AndJava6U51Patches_v9.zip 1,624,296 1,663,278,667 22691 3248592 Jul2013AndJava6U51Patches_v9.iso 1,624,646 1,663,637,504 47464 3249292 The Jul2013AndJava6U51Patches_v9.zip listed on the DVD media can be verified by comparing it to the original archive file size and checksum. Copy this archive to a location on the FFPS system and type sum Jul2013AndJava6U51Patches_v9.zip from a terminal window. The checksum value should be 22691 3248592, and this validates the correct July 2013 Security Patch Cluster is written on the DVD. Disclaimer The information provided in this Xerox Product Response is provided "as is" without warranty of any kind. Xerox Corporation disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Xerox Corporation be liable for any damages whatsoever resulting from user's use or disregard of the information provided in this Xerox Product Response including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Xerox Corporation has been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential damages so the foregoing limitation may not apply. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUiQOuRLndAQH1ShLAQIhORAAsyBAinoxnGLmfCUhMmlVT93ZgMcoCyYt BpIF00HbwIzq4oaLJQWjoO91BEgn/m0gckxH89o3Zp4ytRtqf1nsX67IhQNuCpmt sEBwaIyoglJ45di0DFVCes1J0Iy21siKT1lae28JV0k7q5cjpH5XEPA3ko6DlbLd PqkDEGfj/rxHP9igc8TnP+g31A1Xk7Ct9CdwHzNj55fGJ+vgkcVYva0ezBTttfD8 gzRUvfCAB9mhqpYqpsmlDMUIo1VMXJ8H940U3ebh4R9M6JataD5aulgqobso3tlu wzR4lxZ/nLlDmZa29fnzi5NZ1vmlKiqbO12tevC99eE2Wjy0ebk2Pv5j1yPEvoIn 1q7ydGBRNRCvzQRSoJqyNsXj9D1fDroobhhGJNInDhb3Gs5iRybmOMbcS2JvNR48 97s1zvBvfMilIWoSSGGamMgIDtGZIHseNhajz5yRbvS9cX2YtZVZGESRbBaBCkt5 YufWB0zyfi/s0zuIxFZHQVRudh9GJJcncj92IkLUw4Ue810XQJ15wjV6fmCHtGK0 mCWfaqX8NvIJTFxoRQ1AFWtMY6zzeEgik09tWo1/d4f6RLcFUF3C/u/h5F0+3UCN /1xXiNG1mrEWdXCEGaiBDLXOulf8ovfhW9BUShzhR08gJ+juLP1qtv8HmWireBcz gW65QDB03nA= =fP4Z -----END PGP SIGNATURE-----