-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4085
         Xerox Mini Bulletin XRX19AK for Xerox AltaLink B80xx/C80xx
                               4 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xerox AltaLink
Publisher:         Xerox
Operating System:  Printer
Impact/Access:     Access Privileged Data   -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Cross-site Scripting     -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1559 CVE-2018-5391

Reference:         ASB-2019.0289
                   ASB-2019.0221
                   ASB-2019.0220
                   ASB-2019.0208
                   ASB-2019.0207
                   ASB-2019.0202

Original Bulletin:
   https://security.business.xerox.com/wp-content/uploads/2019/11/cert_Security_Mini_Bulletin_XRX19AK_for_AltaLinkB80xx-C80xx.pdf

- --------------------------BEGIN INCLUDED TEXT--------------------

Mini Bulletin XRX19AK
Xerox AltaLink B8045/B8055/B8065/B8075/B8090
Xerox AltaLink C8030/C8035/C8045/C8055/C8070
General Release 101.00X.019.20200

Bulletin Date: October 31, 2019

Purpose

This Bulletin is intended ONLY for the specific security problems identified
below. The problems identified have been rated a criticality level of
IMPORTANT. This SPAR release uses OpenSSL version 1.0.2s.
This is a general release that includes fixes for the following:

- - Updates to comply with the 2020 California password law (SB-327)
- - The Data Management page is affected by a reflected cross-site scripting
    attack
- - CVE-2018-5391: IP fragment reassembly denial of service
- - A customer vulnerability scan found that port 51333, which is used by the
    Fleet Orchestrator feature, was open even though the Fleet Orchestrator
    feature was disabled
- - Role Analyzer.php and RoleServices.php are vulnerable to cross-site
    scripting
- - Reflected cross-site scripting vulnerability found in many web pages
- - An authentication web page is vulnerable to session hijacking
- - A data management web page is vulnerable to cross-site scripting
- - OpenSSL information disclosure vulnerability CVE-2019-1559

Important Notes:

1. These system software releases are based on the content and features that
   were present in system software version 101.xxx.008.27400, released in
   November 2018. If your device is currently on a version greater than
   101.xxx.008.27400, do not install system software version
   101.xxx.019.20200.

2. The system software releases documented in this security mini-bulletin do
   not include any of the security vulnerability fixes documented in Security
   Mini-Bulletins XRX18AL, XRX19E, XRX19V and XRX19AI, because the fixes made
   in those security bulletins were made to a different software baseline
   than the one this general release was created from.

Software Release Details

If your software is higher than or equal to the versions listed below, no
action is needed. Otherwise, please review this bulletin and consider
installing this version.

Model                  | AltaLink B80xx    | AltaLink C8030/C8035 | AltaLink C8045/C8055 | AltaLink C8070
- -----------------------+-------------------+----------------------+----------------------+------------------
System SW version      | 101.008.019.20200 | 101.001.019.20200    | 101.002.019.20200    | 101.003.019.20200
Link to SW update and  | [1]               | [2]                  | [3]                  | [4]
install instructions   |                   |                      |                      |

Unzip the file to a known location on your workstation/computer.
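A check that goes with the Fleet Orchestrator finding above: after disabling the feature and applying the update, confirm from a scanner host that TCP/51333 no longer accepts connections, and distinguish "closed" (the device answered with a reset) from "filtered" (no answer at all, which a firewall between you and the device can also produce). This is an added example, not code from Xerox or AusCERT; only the port number comes from the bulletin, the device hostname in the comment is a placeholder, and the loopback listener is a constructed stand-in so the probe can be exercised without a printer.

```python
"""Probe whether the Fleet Orchestrator port (TCP/51333) accepts connections.

Added example, not Xerox's or AusCERT's code. Only the port number comes from
the bulletin; the hostname in the demo is a placeholder and the loopback
listener is a stand-in so the probe can be exercised without a device.
"""
import errno
import socket

FLEET_ORCHESTRATOR_PORT = 51333  # port named in the bulletin's scan finding


def classify_connect(rc: int) -> str:
    """Translate a connect() errno into the usual scanner states."""
    if rc == 0:
        return "open"          # handshake completed: something is listening
    if rc == errno.ECONNREFUSED:
        return "closed"        # RST received: reachable, nothing listening
    if rc in (errno.ETIMEDOUT, errno.EAGAIN, errno.EWOULDBLOCK,
              errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "filtered"      # no answer or unreachable: may be a firewall
    return f"error({rc})"


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Full-connect probe of one TCP port; returns open/closed/filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            rc = sock.connect_ex((host, port))
        except socket.timeout:
            rc = errno.ETIMEDOUT
        except OSError as exc:   # e.g. name resolution failure
            rc = exc.errno if exc.errno is not None else -1
    return classify_connect(rc)


def fleet_orchestrator_reachable(host: str, timeout: float = 3.0) -> bool:
    """True if the device still accepts connections on TCP/51333."""
    return probe_tcp(host, FLEET_ORCHESTRATOR_PORT, timeout) == "open"


def _loopback_listener() -> socket.socket:
    """Throwaway listener on an ephemeral loopback port (offline stand-in)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    srv = _loopback_listener()
    port = srv.getsockname()[1]
    print(f"127.0.0.1:{port} while listening: {probe_tcp('127.0.0.1', port)}")
    srv.close()
    print(f"127.0.0.1:{port} after close:     {probe_tcp('127.0.0.1', port)}")
    # Against a real device (placeholder hostname), expected False once the
    # feature is disabled and the update is applied:
    # print(fleet_orchestrator_reachable("altalink-c8055.example.internal"))
```

Run the probe from the same network position the customer's vulnerability scanner used, otherwise a "filtered" result may only be telling you about an intermediate firewall rather than the printer.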
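The rule in Software Release Details ("higher than or equal to the listed version means no action") and Important Note 1 ("greater than 101.xxx.008.27400 means do not install") are easy to misapply across four model columns, so here they are combined into a small decision helper. This is an added example, not code from Xerox or AusCERT: the fixed versions and the 101.xxx.008.27400 baseline are taken from the table and notes above, the model-to-column mapping follows the models the bulletin names, and the four-field numeric version format is assumed from the values shown. The sample versions in the demo are constructed.

```python
"""Decision helper for the XRX19AK Software Release Details table.

Added example, not Xerox's or AusCERT's code. Fixed versions and the
101.xxx.008.27400 baseline come from the bulletin; the model-to-column
mapping follows the models it lists; the four-field version format is
assumed from the values shown there.
"""
import re
from typing import Tuple

# Fixed versions from the bulletin's table, keyed by table column.
FIXED_VERSION = {
    "B80xx": "101.008.019.20200",
    "C8030/C8035": "101.001.019.20200",
    "C8045/C8055": "101.002.019.20200",
    "C8070": "101.003.019.20200",
}

# Important Note 1: built from the 101.xxx.008.27400 baseline (Nov 2018).
# The second field is per-model, so only the last two fields are compared.
BASELINE_TAIL = (8, 27400)

# Model numbers named in the bulletin, mapped to their table column.
_MODEL_FAMILY = {
    "B8045": "B80xx", "B8055": "B80xx", "B8065": "B80xx",
    "B8075": "B80xx", "B8090": "B80xx",
    "C8030": "C8030/C8035", "C8035": "C8030/C8035",
    "C8045": "C8045/C8055", "C8055": "C8045/C8055",
    "C8070": "C8070",
}

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Parse '101.008.019.20200' into a comparable tuple of ints."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    a, b, c, d = (int(g) for g in m.groups())
    return (a, b, c, d)


def model_family(model: str) -> str:
    """Map a model string such as 'AltaLink C8055' to its table column."""
    m = re.search(r"\b([BC]80[0-9]{2})\b", model.upper())
    if not m or m.group(1) not in _MODEL_FAMILY:
        raise ValueError(f"model not covered by XRX19AK: {model!r}")
    return _MODEL_FAMILY[m.group(1)]


def recommended_action(model: str, installed: str) -> str:
    """Apply the bulletin's rules: 'no action', 'install' or 'do not install'."""
    family = model_family(model)
    fixed = parse_version(FIXED_VERSION[family])
    current = parse_version(installed)
    if current[:2] != fixed[:2]:
        # The second field identifies the model line; a mismatch means the
        # wrong column (or the wrong device) is being checked.
        raise ValueError(
            f"{installed} is not a {family} version "
            f"(expected {fixed[0]}.{fixed[1]:03d}.x.x)")
    if current >= fixed:
        return "no action"        # at or above the fixed version
    if current[2:] > BASELINE_TAIL:
        return "do not install"   # Note 1: newer baseline, other bulletins apply
    return "install"              # on or below the Nov 2018 baseline


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    for model, ver in [("AltaLink B8055", "101.008.008.27400"),
                       ("AltaLink C8070", "101.003.019.20200"),
                       ("AltaLink C8035", "101.001.012.00100")]:
        print(f"{model:16} {ver:18} -> {recommended_action(model, ver)}")
```

The "do not install" outcome is the one worth automating: a device that is numerically between the baseline and this release is on the other software line and must be checked against XRX18AL, XRX19E, XRX19V and XRX19AI instead.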
[1] https://www.support.xerox.com/support/altalink-b8000-series/file-download/enus.html?&contentId=145899
[2] https://www.support.xerox.com/support/altalink-c8000-series/file-download/enus.html?&contentId=145900
[3] https://www.support.xerox.com/support/altalink-c8000-series/file-download/enus.html?&contentId=145901
[4] https://www.support.xerox.com/support/altalink-c8000-series/file-download/enus.html?&contentId=145902

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXb+S62aOgq3Tt24GAQgxrBAA1fPh612nlJhNBE/yIyUF9LAXy+zAzpNm
UIWu16WEAiHmNSqpuV5OqrH21d6M0GDyInsyGVJilNrqZEaZc8sGMG+OMl61Flol
smwf4XE9ZX14dBO+1KI0d+uph65F93sVfdeY1fmsU0IGp87bAQJEMu1S7LKQpmZV
a0dvk4qbrDcaJwfLzjZo7VIGFFEYd4tV1OXy3Ln2LdvOVgbyeA+yAXFSLS+ZyoWC
kcKb6yydxViqgtEsh5sCExf2UfJHleqa3a7AunV2hZsj7dOs8MznTjIF830qM7Il
4T1XHXoEkInY8YkVF3A7Tnr4x6nQhhb+tIomrOnz/78iedxiF5x7OeYnpGcWSAL/
QWv97udWofLqjIRrPQAFCC4mrjbSndfFjLFabJ//vvB824WuhHu4p8C1NHLWBpug
INv0pC4npR/Gl4d7XbFKVxoL2q0rlkHT0FQW9FLvY27zj4mk8L2hnPKsit4dK5jw
U/7RXmVSNn8aHSUWmr2sqTtNnNIEPjfFoR2N12l3AiJhJCj474NtVRw1lkcmzPO7
1hdEQ0rqb90shgQTrWTbUiPP0d2i0y7lUiIFanisHCZHeJfHZBN4VqU28Jnzzz1/
2Agg7uTUVDU+u52ksHnSSzvPIsNYk60+WMde0Su1t7pyzrpZhxQWDbKBGcEcgOWi
wg5p4bfJJ4U=
=A2iS
-----END PGP SIGNATURE-----