Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.0581
HPSBPI03546 rev.1 - HP LaserJet Printers and MFPs, HP OfficeJet Enterprise
Printers, Remote Disclosure of Information
4 March 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: HP LaserJet Printers
HP LaserJet MFP
HP OfficeJet Enterprise Printers
Publisher: Hewlett-Packard
Operating System: Network Appliance
Impact/Access: Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2016-2244
Original Bulletin:
https://h20565.www2.hp.com/hpsc/doc/public/display?docId=3Demr_na-c05030353
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Note: the current version of the following document is available here:
https://h20565.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c05030353
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c05030353
Version: 1
HPSBPI03546 rev.1 - HP LaserJet Printers and MFPs, HP OfficeJet Enterprise
Printers, Remote Disclosure of Information
NOTICE: The information in this Security Bulletin should be acted upon as soon
as possible.
Release Date: 2016-03-02
Last Updated: 2016-03-02
Potential Security Impact: Remote disclosure of information
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with certain HP LaserJet
Printers and MFPs, and certain HP OfficeJet Enterprise printers and MFPs, which
could be exploited remotely to allow disclosure of information.
References:
* CVE-2016-2244 (PSR-2016-0021)
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Please refer to the RESOLUTION below for a list of impacted products.
BACKGROUND
For a PGP signed version of this security bulletin please write to:
security-alert@hp.com
CVSS 2.0 Base Metrics
================================================================================
Reference Base Vector Base Score
CVE-2016-2244 (PSR-2016-0021) (AV:N/AC:L/Au:N/C:N/I:C/A:N) 7.8
================================================================================
RESOLUTION
HP has provided firmware updates for impacted printers as listed in the table
below. To obtain the updated firmware, go to www.hp.com and follow these steps:
1. Under support, select "Download Drivers".
2. Enter the appropriate product name listed in the table below into the
search field.
3. Click on "Find my product".
4. Click on the appropriate product.
5. Under "Operating Systems" select the applicable operating system from the
list.
6. Select the appropriate firmware update under "Firmware", click "Download".
Firmware Updates Table
Affect Product (Model Affected Affected Resolution Firmware
Numbers) Firmware Firmware Version (Bundle)
Bundle Version
HP Color LaserJet 3.6.3 2307497_543950
Enterprise M651 3.6.4 2307619_547160 2307851_000048
(CZ255A, CZ256A, CZ257A, 3.7 2307781_551200 (3.7.01)
CZ258A) 3.7.1 2307884_553037
3.7.2 2307939_554654
3.6.3 2307497_543953
HP Color LaserJet 3.6.4 2307619_547145 2307851_000051
Enterprise M750 3.7 2307781_551203 (3.7.01)
(D3L08A, D3L09A, D3L10A) 3.7.1 2307884_553040
3.7.2 2307939_554657
3.6.3 2307497_543947
HP Color LaserJet M680 3.6.4 2307619_547157 2307851_000059
(CZ249A, CZ250A, CA251A) 3.7 2307781_551196 (3.7.01)
3.7.1 2307884_553034
3.7.2 2307939_554651
3.6.3 2307497_543957
HP LaserJet Enterprise 500 3.6.4 2307619_547167 2307851_000056
color MFP M575dn 3.7 2307781_551207 (3.7.01)
(CD644A, CD645A) 3.7.1 2307884_553044
3.7.2 2307939_554662
3.6.3 2307497_543945
HP LaserJet Enterprise 500 3.6.4 2307619_547155 2307851_000043
MFP M525f 3.7 2307781_551195 (3.7.01)
(CF116A, CF117A) 3.7.1 2307884_553032
3.7.2 2307939_554649
3.6.3 2307497_543961
HP LaserJet Enterprise 600 3.6.4 2307619_547168 2307851_000040
M601 3.7 2307781_551208 (3.7.01)
(CE989A, CE990A) 3.7.1 2307884_553045
3.7.2 2307939_554664
3.6.3 2307497_543961
HP LaserJet Enterprise 600 3.6.4 2307619_547168 2307851_000040
M602 3.7 2307781_551208 (3.7.01)
(CE991A, CE992A, CE993A) 3.7.1 2307884_553045
3.7.2 2307939_554664
3.6.3 2307497_543961
HP LaserJet Enterprise 600 3.6.4 2307619_547168 2307851_000040
M603xh 3.7 2307781_551208 (3.7.01)
(CE994A, CE995A, CE996A) 3.7.1 2307884_553045
3.7.2 2307939_554664
3.6.3 2307497_543958
HP LaserJet Enterprise 700 3.6.4 2307619_547166 2307851_000055
color MFP M775 series 3.7 2307781_551206 (3.7.01)
(CC522A, CC523A, CC524A) 3.7.1 2307884_553043
3.7.2 2307939_554660
3.6.3 2307497_543955
HP LaserJet Enterprise 700 3.6.4 2307619_547165 2307851_000053
M712xh 3.7 2307781_551205 (3.7.01)
(CF235A, CF236A, CF238A) 3.7.1 2307884_553042
3.7.2 2307939_554659
3.6.3 2307497_543951
HP LaserJet Enterprise 800 3.6.4 2307619_547161 2307851_000049
color M855 3.7 2307781_551201 (3.7.01)
(A2W77A, A2W78A, A2W79A) 3.7.1 2307884_553038
3.7.2 2307939_554655
HP LaserJet Enterprise 800 3.6.3 2307497_543946
color MFP M880 3.6.4 2307619_547156 2307851_000058
(A2W76A, A2W75A, D7P70A, 3.7 2307781_551196 (3.7.01)
D7P71A) 3.7.1 2307884_553033
3.7.2 2307939_554650
3.6.3 2307497_543964
HP LaserJet Enterprise 3.6.4 2307619_547169 2307851_000057
Color 500 M551 Series 3.7 2307781_551209 (3.7.01)
(CF081A,CF082A,CF083A) 3.7.1 2307884_553046
3.7.2 2307939_554665
3.6.3 2307497_543957
HP LaserJet Enterprise 3.6.4 2307619_547167 2307851_000056
Color flow MFP M575c 3.7 2307781_551207 (3.7.01)
(CD646A) 3.7.1 2307884_553044
3.7.2 2307939_554662
3.6.3 2307497_543948
HP LaserJet Enterprise 3.6.4 2307619_547158 2307851_000046
flow M830z MFP 3.7 2307781_551198 (3.7.01)
(CF367A) 3.7.1 2307884_553035
3.7.2 2307939_554652
3.6.3 2307497_543945
HP LaserJet Enterprise 3.6.4 2307619_547155 2307851_000043
flow MFP M525c 3.7 2307781_551195 (3.7.01)
(CF118A) 3.7.1 2307884_553032
3.7.2 2307939_554649
3.6.3 2307497_543943
HP LaserJet Enterprise 3.6.4 2307619_547153 2307851_000041
Flow MFP M630z 3.7 2307781_551193 (3.7.01)
(B3G85A) 3.7.1 2307884_553030
3.7.2 2307939_554647
3.6.3 2307497_543952
HP LaserJet Enterprise 3.6.4 2307619_547163 2307851_000035
M806 3.7 2307781_551202 (3.7.01)
(CZ244A, CZ245A) 3.7.1 2307884_553039
3.7.2 2307939_554656
3.6.3 2307497_543943
HP LaserJet Enterprise MFP 3.6.4 2307619_547153 2307851_000041
M630 3.7 2307781_551193 (3.7.01)
(J7X28A) 3.7.1 2307884_553030
3.7.2 2307939_554647
HP LaserJet Enterprise MFP 3.6.3 2307497_543954
M725 3.6.4 2307619_547164 2307851_000054
(CF066A, CF067A, CF068A, 3.7 2307781_551204 (3.7.01)
CF069A) 3.7.1 2307884_553041
3.7.2 2307939_554658
3.6.3 2307497_543944
HP OfficeJet Enterprise 3.6.4 2307619_547154 2307851_000039
Color MFP X585 3.7 2307781_551194 (3.7.01)
(B5L04A, B5L05A, B5L07A) 3.7.1 2307884_553031
3.7.2 2307939_554648
3.6.3 2307497_543949
HP OfficeJet Enterprise 3.6.4 2307619_547159 2307851_000047
Color X555 3.7 2307781_551199 (3.7.01)
(C2S11A, C2S12A) 3.7.1 2307884_553036
3.7.2 2307939_554653
System management and security procedures must be reviewed frequently to
maintain system integrity. HP is continually reviewing and enhancing the
security features of software products to provide customers with current secure
solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the
attention of users of the affected HP products the important security
information contained in this Bulletin. HP recommends that all users determine
the applicability of this information to their individual situations and take
appropriate action. HP does not warrant that this information is necessarily
accurate or complete for all user situations and, consequently, HP will not be
responsible for any damages resulting from user's use or disregard of the
information provided in this Bulletin. To the extent permitted by law, HP
disclaims all warranties, either express or implied, including the warranties
of merchantability and fitness for a particular purpose, title and
non-infringement."
REVISION HISTORY
Version:1 (rev.1) ? 01 March 2016 Initial release
Copyright 2016 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or its
affiliates, subcontractors or suppliers will be liable for incidental,special
or consequential damages including downtime cost; lost profits;damages relating
to the procurement of substitute products or services; or damages for loss of
data, or software restoration. The information in this document is subject to
change without notice. Hewlett-Packard Company and the names of Hewlett-Packard
products referenced herein are trademarks of Hewlett-Packard Company in the
United States and other countries. Other product and company names mentioned
herein may be trademarks of their respective owners.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJW2MrgAAoJEPRuzn0I+N3Z+uMQAJ3Z2s5H1BllX7uvcKCeqSfb
Y4Lcbd1rWDJiBPaej2fRR97fxVLBO9QTZKEhghTcehpIBfIjLcSR2PxaT8z0RC5C
y8lTUFkU4IXXgWd58Pk21jUsFAHuQHQSpSYBQx+7/8ekturguwxlMgxjIJkWWnpU
79pUMCzCR1Q9jLaDNv4hmHCGo42L7Qn/4Kr5PQxWZ19OzdBOtNA5Kk2/DsLR6Q6u
tKuBwlh+QMW9rFRenAKrfkZfyA3AeyUy/i4YR2Ghww8GXJzDoyjfFQWzdWJhs9UL
LYzymXnkNe74BhthPAkyCQqbunpXOstNWYpG36uSImrNvOs6sOMWUj5saiAT1Znv
MLiUMCUXZkadGwavXdWtHBUR7aDARyOPxg6F31XzcgV6bqjKzSUAYGI3WYVf6Jk3
pXrmW49no3y1luXHz6MDlTBKL09aZu9kCOpT555kH1hOu+mAMs0UBY72kDUF3839
+Mcb1R71mYGYR93jAmAXvJ51J2axlN0J7FF7o4mxowfrXPFTapqQF8s90IOhDtLk
CQlSCSAD+NV0edzPy0zT77whx8GFIn5+DyEQ9tLfUq9Dl/e4DZWEKya9Q2UfTobJ
tFG8VHUsXmk29rFYWk4gViO8OITq8p5A3mjmQ1R4NbQ4KbJJolHoK1PO/7VLHY5W
UaJxLGryGjM699Yk6htj
=zguU
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVtjnKX6ZAP0PgtI9AQIkjxAAitP4xMeWEQoAgGyCDZDh+t8FcLr91Tyh
AvZZ5C2T3yZSLeud3oeolkFS44HtcyuX3Zpintb9BhntE+djRVDHEhJq26P0O43n
QlUg2qfHVO17vYTBYEZcRZtdBdYHoWKtSzyhyzaeMayQ505G3oJ1JEuU63RHbTqS
dv0PqixBnyAAyniA6LfVKkawRXX7bidfIlHh7WLbXtY5mFSARcqTc903xQqanO/6
k51aaDERDf7iw+R4rgeK4pEH3GuT7ggJMAJEelIQ2mfQJKsYJsrFFXFVSQmNNX2Z
0OTFmeG0fowL6ltsMu5yTEaAuomVd4/T5PMeMCjr0M9sM5kd9hHekG6m63ERMBiR
sKcFyYdNDWuImpnp4J8Mwabk1TtPyN3ZrHcqy79OTGypo+yo21zg7lt1CZgs2pri
6GPTU3qgqlidL213HnXf6VjWbUwg3t3/pCeWTs+wShr3NwdIBNagX4OG9bZoPtLX
wbnfZEIxxUHnIix76pppr3EgXufQqizN0mZueGygYe9dah3XKdl/1JUPyhbPqDt1
hsiLltF7mjZC5I3BNuE7JaxNDvxmb1iXpBLP8GaH5rFZF9pHeBl0qGxl3JOiaa58
Ncc2zNZ4USxn3k4o0buVhpXM0xOHucsCNPK+Q0Aa7MhJ8+oSQK4ccx+uKPdp5GwU
no+YPT2V0uw=
=rNYd
-----END PGP SIGNATURE-----