19 June 2018
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.1791 Xerox Security Bulletin XRX18-025 19 June 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Xerox FreeFlow Print Server Publisher: Xerox Operating System: Solaris Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Modify Arbitrary Files -- Remote with User Interaction Delete Arbitrary Files -- Remote with User Interaction Denial of Service -- Remote/Unauthenticated Unauthorised Access -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2018-2815 CVE-2018-2814 CVE-2018-2800 CVE-2018-2799 CVE-2018-2798 CVE-2018-2797 CVE-2018-2796 CVE-2018-2795 CVE-2018-2794 CVE-2018-2790 CVE-2018-2783 CVE-2018-2764 CVE-2018-2718 CVE-2018-2563 CVE-2017-9788 CVE-2017-7679 CVE-2017-7668 CVE-2017-7659 CVE-2017-5664 CVE-2017-3169 CVE-2017-3167 Reference: ASB-2018.0100 ASB-2018.0090 ASB-2017.0181 ASB-2017.0177 ASB-2017.0175 Original Bulletin: https://security.business.xerox.com/wp-content/uploads/2018/06/cert_XR18-025_FFPSv8_UM-Bulletin_Jun2018.pdf - --------------------------BEGIN INCLUDED TEXT-------------------- Xerox Security Bulletin XRX18-025 Xerox FreeFlow Print Server 8 Update Manager Delivery of: April 2018 Security Patch Cluster Includes: Java 6 Update 191 Bulletin Date: June 18, 2018 1.0 Background Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements for the Solaris Operating System platform . Oracle does not provide these patches to the public , but authorize vendors like Xerox to deliver them to Customers with an active FreeFlow Print Server Support Contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FreeFlow Print Server/Solaris Servers should not install patches not prepared/delivered by Xerox. Installing non-authorized patches for the FreeFlow Print Server software violates Oracle agreements, can render the platform inoperable, and result in downtime and/or a lengthy re-installation service call. This bulletin announces the availability of the following: 1. April 2018 Security Patch Cluster o Supersedes the January 2018 Security Patch Cluster 2. Java 6 Update 191 Software o Supersedes Java 6 Update 181 Software CAVEAT: We have a caveat with the April 2018 Security Patch Cluster for the FreeFlow Print Server 8.2 software releases. The FreeFlow Print Server application is not able to access remote SMB shares after installing the April 2018 Security Patch Cluster. This does not affect the SMB shares used for Hot Folder workflow. The affected capabilities are SMB access of remote job files by the 'Print From File' client, and storing PDF/TIFF files to a remote location over SMB from a hardcopy scan (E.g., commonly done on a Nuvera printer). It is not common for a Security conscience customer to use SMB workflows, so this should not affect many customers. See US-CERT Common Vulnerability Exposures (CVE) the April 2018 Security Patch Cluster remediate in table below: April 2018 Security Patch Cluster Remediated US-CERT CVEÃ¢Â€Â™s CVE-2017-3167 CVE-2017-5664 CVE-2017-7668 CVE-2017-9788 CVE-2018-2718 CVE-2017-3169 CVE-2017-7659 CVE-2017-7679 CVE-2018-2563 CVE-2018-2764 See the US-CERT Common Vulnerability Exposures (CVE) the Java 6 Update 191 Software remediate in table below: Java 6 Update 191 Software Remediated US-CERT CVEÃ¢Â€Â™s CVE-2018-2783 CVE-2018-2794 CVE-2018-2796 CVE-2018-2798 CVE-2018-2800 CVE-2018-2815 CVE-2018-2790 CVE-2018-2795 CVE-2018-2797 CVE-2018-2799 CVE-2018-2814 Note: Xerox recommends that customers evaluate their security needs periodically and if they need Security patches to address the above CVE issues, schedule an activity with their Xerox Service team to install this announced Security Patch Cluster. Alternatively,the customer can install the Security Patch Cluster using the Update Manager UI from the Xerox FreeFlow Print Server Platform. 2.0 Applicability Xerox offers the Security Patch Update delivery available over the network from a Xerox server using an application called FreeFlow Print Server Update Manager. The use of FreeFlow Print Server Update Manager (GUI - based application) makes it simple for a customer to install Security patch updates. The FreeFlow Print Server Update Manager delivery of the Security Patch Cluster provides the ability to install Security patches on top of a pre-installed FreeFlow Print Server software release. The advantage of this network install method is the ease of deliver and install of this network delivery from a Xerox patch server over the Internet. This easy install method provides a FreeFlow Print Server customer the option to manage the quarterly Security Patch Cluster instal l without need for support from Xerox service. This empowers the customer to have the option of installing these patch updates as soon as they become available, and not need to rely on the Xerox Service team. Many customers do not want the responsibility of installing the quarterly Security Patch Update or they are not comfortable providing a network tunnel to the Xerox or Microsoft server s that store the Security Patch Update. In this case, the media install method (i.e., USB/DVD) is the best option under those circumstances. This Security patch deliverable has been tested on the FreeFlow Print Server 82.H3.64 software release . We have not tested the April 2018 Security Patch Cluster on all earlier FreeFlow Print Server 8.2 releases, but there should not be any problems on these releases. A tool is available that enables identification of the currently installed FreeFlow Print Server software release, Security Patch Cluster, and Java Software version. Run this tool after the Security Patch Cluster install to validate successful install. Example output from this script for the FreeFlow Print Server v8 software release is as following: FFPS Release Version 8.0-2_SP-2_(82.H3.64.86) FFPS Patch Cluster April 201 8 Java Version Java 6 Update 191 The April 2018 Security Patch Cluster is available for the FreeFlow Print Server v8 release running on the Xerox printer products below: 1. Xerox iGen 4 Press 2. Xerox Color 800/1000 Press 3. Xerox Color 560/570 Printer 4. Xerox 700 /700i Digital Color Press 5. Xerox 770 Digital Color Press Xerox strives to deliver Security Patch Clusters in a timely manner. The customer process to obtain Security Patch Cluster updates (delivered on a quarterly basis) is to contact the Xerox hotline support number, or use Update Manager to install as the System Administrator. Update Manager is a GUI tool on the FreeFlow Print Server platform used to check for Security patches, download Security patches, and install Security patches. The customer can install a quarterly Security Patch Cluster using the Update Manager UI, or schedule Xerox Service to perform the install. Once the Security patches are ready for customer delivery, they are available from the Xerox patch server. Procedures are available for the FreeFlow Print Server System Administrator or Xerox Service for using the Update Manager GUI to download and install the Security patches over the Internet. The Update Manager UI has a 'Check for Updates button that can be selected to retrieve and list patch updates available from the Xerox patch server. When this option is selected the latest Security Patch Cluster should be listed (E.g., April 2018 Security Patch Cluster for FFPS v8.2) as available for download and install. The Update Manager UI includes mouse selectable buttons to download and then install the patches. Xerox uploads the Security Patch Cluster to a Xerox patch server that is available on the Internet outside of the Xerox Corporate network once the deliverable has been tested and approved. Once in place on the Xerox server, a CSE/Analyst or the customer can use FreeFlow Print Server Update Manager UI to download and install on the FreeFlow Print Server platform. The customer proxy information is required to be setup on the FreeFlow Print Server platform so it can access to the Security Patch Update over the Internet. The FreeFlow Print Server platform initiates a secure communication session with the Xerox patch server using HTTP over the TSL 1.0 protocol (HTTPS on port 443) using an RSA 2018-bit certificate, SHA2 hash and AES256-bit stream encryption algorithms. This connection ensures authentication of the FreeFlow Print Server platform for the Xerox server, and sets up encrypted communication of the patch data. The Xerox server does not initiate or have access to the FreeFlow Print Server platform behind the customer firewall. The Xerox server and FreeFlow Print Server platform both authenticate each other before making a connection between the two end-points, and patch data transfer. 4.0 Disclaimer The information provided in this Xerox Product Response is provided "as is" without warranty of any kind. Xerox Corporation disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Xerox Corporation be liable for any damages whatsoever resulting from user's use or disregard of the information provided in this Xerox Product Response including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Xerox Corporation has been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential damages so the foregoing limitation may not apply - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to email@example.com and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: firstname.lastname@example.org Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWyhzbmaOgq3Tt24GAQiK4g//Zx3uB7r6++yeZV4DskCWWg86Ay10Chjw 2e24D9LWVdz2F/f8q1PvrzH6SZ+5SY63Wvn/tmTNFGzCDYqpkJzeu1Zjo63dnRZh VAxB+YmdoLK/i6MJgtm/mM+lby9uEB8R7f9S5v656HbqTQcsUzryOybSLxF4XnWx GFONiGy+QQrrcwj27pS4o7GGGSpyVv5CtgE5+dioe8NngY4F3kHCDqlKdd6zTpin wmT3xf4dg++srxYliInolYK0Zwnt4IVL1gzQ6bez5pgNZXB9AlP5FJ53+yOn0Ilh sreGU20ZcvH3MUxeFON0lRqAHEEfalcbD5OCWX2mdX+ZdgwIzDLQ1UCVNn9Vttf0 TM/Kt1INSHTCpGzP7FrCBk6FbabtQEAGAzknJkp+Ud5fEaiOlHzziW3k1x5zQVQh 2oXnnXyoBeb90QC59rHjlgczEzjazsGrmpMWKw7X2BQKHqoOdM0dI7+HunhMffpf SbpE1MOxxNjsm91KVwhBeCyVtVPeqFYr8Wf50M2Um+Exm8A5fRHzuJcBHg4ZS4T8 Jkke9rAGOr8+1kCMmYOnd8uwDU3bGN2q/zjGMz2RCiYoi2/b4TzqjggeNgLDmdPJ CZOtrOyeZ2TzANEHPhnjB3LmgBPmzHq4gTNZa5iOONfSGn7Mdt/J4TFsO8WFFrkA udJQcWvKgd0= =0w17 -----END PGP SIGNATURE-----