Xerox Security Bulletin XRX14-003 v1.0

Software Release to Eliminate SQL Injection Vulnerability

An SQL injection vulnerability exists that, if exploited, could allow remote attackers to inject arbitrary SQL statements into the database queries issued by the affected software application. If successful, an attacker could make unauthorized changes to, damage or delete database tables and values.

A set of software “hotfixes” for the software application listed below has been provided that removes this vulnerability. These “hotfixes” are designed to be installed by the customer. The software “hotfixes” are contained in .tar files for Linux and Solaris or .exe/.jar files for Windows and can be accessed via the link to the DocuShare Support & Software Page (http://www.support.xerox.com/support/xerox-docushare/software/enus.htm) or via the links in this bulletin.

Affected Products:
Windows Server 2003 & Windows Server 2008:
DocuShare 6.5.3 Patch 6 — DocuShare 6.5.3 Patch 6 Hotfix 2 for Windows Server

Windows Server 2008 x64 & Windows Server 2008 x64:
DocuShare 6.5.3 Patch 6 — DocuShare 6.5.3 Patch 6 Hotfix 2 for Windows Server
DocuShare 6.6.1 Update 1 — DocuShare 6.6.1 Update 1 Hotfix 24 for Windows Server
DocuShare 6.6.1 Update 2 — DocuShare 6.6.1 Update 2 Hotfix 3 for Windows Server

Windows Server 2012 R2 & Windows Server 2012 x64:
DocuShare 6.6.1 Update 1 — DocuShare 6.6.1 Update 1 Hotfix 24 for Windows Server
DocuShare 6.6.1 Update 2 — DocuShare 6.6.1 Update 2 Hotfix 3 for Windows Server

Linux:
DocuShare 6.5.3 Patch 6 — DocuShare 6.5.3 Patch 6 Hotfix 2 for Linux
DocuShare 6.6.1 Update 2 — DocuShare 6.6.1 Update 2 Hotfix 3 for Linux

Unix & Solaris:
DocuShare 6.5.3 Patch 6 — DocuShare 6.5.3 Patch 6 Hotfix 2 for Solaris UNIX
DocuShare 6.6.1 Update 2 — DocuShare 6.6.1 Update 2 Hotfix 3 for Solaris UNIX