Non-Connect Key
WC_3655_6655_Security_Target_April2015.pdf
Security Bulletins for Xerox Products
Xerox Security Mini Bulletin XRX15N V1.0 (PDF 105.6K)
Xerox Security Mini Bulletin XRX15M V1.0 (PDF 174.2K)
Xerox Security Mini Bulletin XRX15K V1.0 (PDF 104.7K)
Xerox Security Mini Bulletin XRX15J V1.1 (PDF 188.2K)
This is a SPAR release.
Note: Version 1.1 was created to correct an error in model number.
Xerox Security Mini Bulletin XRX15I (PDF 179.5K)
V1.0
Xerox Security Mini Bulletin XRX15H V1.0 (PDF 187.7K)
Xerox Security Mini Bulletin XRX15G V1.0 (PDF 170.2K)
Xerox Security Mini Bulletin XRX15F V1.0 (PDF 183.8K)
Xerox Security Mini Bulletin XRX15E V1.0 (PDF 168.5K)
Xerox Security Mini Bulletin XRX15D V1.0 (PDF 105K)
Xerox Security Mini Bulletin XRX15B V1.0 (PDF 163.8K)
Xerox Mini Bulletin XRX15C V1.0 (PDF 108.9K)
Xerox Security Mini Bulletin XRX14H V1.0 (PDF 105.9K)
Xerox Security Bulletin XRX15-002 V1.0 (PDF 130.8K)
glibc “Ghost†Vulnerability
v1.0
02/09/15
Background
A vulnerability has been discovered in the glibc library software that interacts with the Domain Name System (DNS). This vulnerability can allow attackers to remotely execute malicious code on a target system. A patch was issued two years ago but most Linux versions used in production systems remained unprotected. Patching requires a system restart so some servers may remain vulnerable for some time to come.
A document has been created to show Xerox product vulnerability which can be veiwed at the Xerox Security Site.
Xerox Security Mini Bulletin XRX14G V1.1 (PDF 166.6K)
NOTE: This version of the bulletin was released due to an incorrect link to the WorkCentre 7755/7765/7775 SPAR software.
Xerox Mini Bulletin XRX15A V1.0 (PDF 183.7K)
Xerox Security Bulletin XRX15-001 V1.1 (PDF 267.7K)
Xerox Security Bulletin XRX15-001 V1.1
1/20/2015 Re-Issued this date to remove “draft” from file title.
Cumulative update for Common Criteria Certification
NOTE: Version 1.1 was published to fix a URL typo.
The System Software Versions for the WorkCentre 5845/5855/5865/5875/5890, WorkCentre 7220/7225, WorkCentre 7830/7835/7845/7855, ColorQube 8700/8900 and ColorQube 9301/9302/9303 models are cumulative updates that incorporate security vulnerability fixes up through 06 June 2014 as well as other non-security related defect fixes. These releases are Common Criteria certified.
The system software releases for the products are designed to be installed by the customer. Please follow the links and procedures contained in the bulletin to install the solution. The system software versions are full system releases so the patch criticality rating is not applicable.
Xerox Security Bulletin XRX14-008 V1.0 (PDF 1M)
Xerox Security Bulletin XRX14-008
Bash Shellshock Command Line Interpreter Vulnerability
v1.0
11/10/2014
Background
A vulnerability has been discovered in the Bash command shell that can allow attackers to remotely execute commands on a target system. Even systems that don’t allow remote command shell connections may still use Bash to execute commands in the Apache web server and other network-facing applications. Unix and Unix-derived systems like Linux and Mac OS X are vulnerable to these attacks since they use Bash as the default command shell.
A Bash Shellshock document addressing this vulnerability has been posted to the Xerox Security Site.
NOTE: Review the bulletin for a more complete list of devices.
Xerox Security Bulletin XRX14-006 V1.1 (PDF 1M)
Xerox Security Bulletin XRX14-006
Bash Shellshock Command Line Interpreter Vulnerability
v1.1
11/07/2014
Background
A vulnerability has been discovered in the Bash command shell that can allow attackers to remotely execute commands on a target system. Even systems that don’t allow remote command shell connections may still use Bash to execute commands in the Apache web server and other network-facing applications. Unix and Unix-derived systems like Linux and Mac OS X are vulnerable to these attacks since they use Bash as the default command shell.
A Bash Shellshock document addressing this vulnerability has been posted to the Xerox Security Site.
Xerox Security Bulletin XRX14-007 V1.0 (PDF 316.3K)
FreeFlow Print Server v6, v7, v8 and v9
DocuSP Print Server v5
Bash/Shellshock Security Patch
v1.0
Background
This bulletin announces the availability of the following:
1.Bash Security Patch
The Bash/Shellshock patch for FFPS is now available on the Xerox Download Server (aka DMS). The patch is available on the DMS server for all FFPS Releases v7, v8, and v9. (For FFPS v6 and DocuSP 5, refer to the section below). The patch is not mandatory but will be included in future Security Patch Cluster releases. This patch has no dependency on prior-released Security Patch Clusters.
Security vulnerabilities that are remediated with this FFPS Security patch are:
CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278
2.Guide to Using the FFPS Software Update Manager
Customers can download this patch from the Xerox Download Server and install on FFPS using the FFPS Software Update Manager. This feature is included in the FFPS v7, v8, and v9 software releases. Use of the Update Manager requires that the System Administrator has some Unix/Linux/Solaris skills, and experience starting the Command Line (terminal window) tool on the FFPS UI.
The announcement is on the Articles and White Papers page.
The User Guide document is available for download at this URL:
http://www.xerox.com/download/security/white-paper/eb628-5070df5f278f6/UserGuideForFFPS_SoftwareUpdateManager_Oct2014_v1.0.pdf
If a customer has difficulty performing these procedures, they should contact their local Xerox Service representative for further guidance.
Patch Installation for FFPS v6 and DocuSP v5
Because the FFPS Software Update tool is not available for the FFPS v6 and DocuSP v5 products, the patch must be provided by a Xerox CSE or Analyst. Please contact your local Xerox Service representative to request the patch file and if appropriate, schedule an action to have the patch installed. Because this patch is not mandatory and there is very little risk of vulnerability with FFPS, the action should be scheduled at a mutually-convenient time
Xerox Security Bulletin XRX14-005 V1.2 (PDF 1M)
Xerox Security Bulletin XRX14-005
Bash Shellshock Command Line Interpreter Vulnerability
v1.2
10/28/14
Background
A vulnerability has been discovered in the Bash command shell that can allow attackers to remotely execute commands on a target system. Even systems that don’t allow remote command shell connections may still use Bash to execute commands in the Apache web server and other network-facing applications. Unix and Unix-derived systems like Linux and Mac OS X are vulnerable to these attacks since they use Bash as the default command shell.
A Bash Shellshock document addressing this vulnerability has been posted to the Xerox Security Site.
Xerox Mini Security Bulletin XRX14F v1.0 (PDF 251.9K)
NOTE: This Bulletin is ONLY intended for the specific security problem(s) rated as IMPORTANT for the following products.
WorkCentre 5736
WorkCentre 5740
WorkCentre 5745
WorkCentre 5755
WorkCentre 5765
WorkCentre 5775
WorkCentre 5790
Xerox Mini Security Bulletin XRX14E v1.0 (PDF 100.3K)
Xerox Mini Security Bulletin XRX14C v1.0 (PDF 101.3K)
Xerox Security Bulletin XRX14-004 v1.0 (PDF 715.7K)
FreeFlow Print Server v7, v8 and v9
April 2014 Security Patch Cluster
Background
Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support Contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.
This bulletin announces the availability of the following:
1. April 2014 Security Patch Cluster
This supersedes the January 2014 Security Patch Cluster
2. Java 6 Update 75 Software
This supersedes Java 6 Update 71 Software
Xerox Mini Security Bulletin XRX14B v1.1 (PDF 249K)
NOTE: This Bulletin was re-released to correct an error. No Service Call is needed for installation of this software.
ColorQube 8700/8900
ColorQube 9301/9302/9303
WorkCentre 5845/5855/5865/5875/5890
WorkCentre 7220/7225
WorkCentre 7830/7835/7845/7855
Xerox Mini Security Bulletin XRX14D v1.0 (PDF 196.2K)
Purpose
Inform our Xerox Customers of an issue that has minor security implications.
Xerox Mini Security Bulletin XRX14A v1.0 (PDF 453.1K)
NOTE: This Bulletin is ONLY intended for the specific security problem(s) rated as critical for the following products.
WorkCentre 5736
WorkCentre 5740
WorkCentre 5745
WorkCentre 5755
WorkCentre 5765
WorkCentre 5775
WorkCentre 5790
Xerox Security Bulletin XRX14-003 v1.0 (PDF 668.7K)
Software Release to Eliminate SQL Injection Vulnerability
An SQL injection vulnerability exists that, if exploited, could allow remote attackers to insert arbitrary code into the applicable software application. If successful, an attacker could make unauthorized changes to, damage or delete database tables and values.
A set of software “hotfixes†for the software application listed below have been provided that removes this vulnerability. These “hotfixes†are designed to be installed by the customer. The software “hotfixes†are contained in .tar files for Linux and Solaris or .exe/. jar files for Windows and can be accessed via the link to the DocuShare Support & Software Page (http://www.support.xerox.com/support/xerox-docushare/software/enus.htm) or via the links in this bulletin.
Affected Products:
Windows Server 2003 & Windows Server 2008:
DocuShare 6.5.3 Patch 6 — DocuShare 6.5.3 Patch 6 Hotfix 2 for Windows Server
Windows Server 2008 x64 & Windows Server 2008 x64:
DocuShare 6.5.3 Patch 6 — DocuShare 6.5.3 Patch 6 Hotfix 2 for Windows Server
DocuShare 6.6.1 Update 1– DocuShare 6.6.1 Update 1 Hotfix 24 for Windows Server
DocuShare 6.6.1 Update 2 — DocuShare 6.6.1 Update 2 Hotfix 3 for Windows Server
Windows Server 2012 R2 & Windows Server 2012 x64:
DocuShare 6.6.1 Update 1– DocuShare 6.6.1 Update 1 Hotfix 24 for Windows Server
DocuShare 6.6.1 Update 2 — DocuShare 6.6.1 Update 2 Hotfix 3 for Windows Server
Linux:
DocuShare 6.5.3 Patch 6 — DocuShare 6.5.3 Patch 6 Hotfix 2 for Linux
DocuShare 6.6.1 Update 2 — DocuShare 6.6.1 Update 2 Hotfix 3 for Linux
Unix & Solaris:
DocuShare 6.5.3 Patch 6 — DocuShare 6.5.3 Patch 6 Hotfix 2 for Solaris UNIX
DocuShare 6.6.1 Update 2 — DocuShare 6.6.1 Update 2 Hotfix 3 for Solaris UNIX
Xerox Security Bulletin XRX14-002 v1.0 (PDF 66.9K)
FreeFlow Print Server v7, v8 and v9
January 2014 Security Patch Cluster (includes Java 6 Update 71 Software)
Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support Contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.
This bulletin announces the availability of the following:
1. Jan 2014 Security Patch Cluster
This supersedes the October 2013 Security Patch Cluster
2. Java 6 Update 71 Software
This supersedes Java 6 Update 65 Software
Xerox Security Bulletin XRX13-002 v1.1 (PDF 61.4K)
Cumulative update for Common Criteria Certification
System Software Version 061.080.221.36200 for the ColorQube 9201/9202/9203 Single Board Controller models is a cumulative update that incorporates security vulnerability fixes up through 06 Jan 2012 as well as other non-security related defect fixes. This release is Common Criteria certified.
This system software release for the products listed below is designed to be installed by the customer. Please follow the procedures in the bulletin to install the solution. This system software version is a full system release so the patch criticality rating is not applicable.
The software release is compressed into a 441.3 MB zip file and can be accessed via the link in this bulletin document.
Xerox Security Bulletin XRX14-001 v1.1 (PDF 61.4K)
Cumulative update for Common Criteria Certification
System Software Version 071.161.203.15600 for the ColorQube 8700/8900 Xerox ConnectKey Controller models is a cumulative update that incorporates security vulnerability fixes up through 10 Jun 2013 as well as other non-security related defect fixes. This release is Common Criteria certified.
This system software release for the products listed below is designed to be installed by the customer. Please follow the procedures below to install the solution. This system software version is a full system release so the patch criticality rating is not applicable.
The software release is compressed into a 378.1 MB zip file and can be accessed via the link in this bulletin.
Xerox Security Bulletin XRX13-006 v1.3 (PDF 101.3K)
NOTE: This bulletin has been updated to correct software procedure error in the ColorQube 93XX devices. Contact Xerox Technical Support to obtain system software release 071.180.203.06400 and the instructions for installing this release; if your current system software release is 061.180.223.11601 or less there are interim steps that have to be followed before you can upgrade your device to system software release 071.180.203.06400. A new version of the bulletin will be published once the new information becomes available.
Cumulative update for Common Criteria Certification
System Software Versions listed below for the WorkCentre 5845/5855/5865/5875/5890, WorkCentre 7220/7225, WorkCentre 7830/7835/7845/7855 and ColorQube 9301/9302/9303 models are cumulative updates that incorporate security vulnerability fixes up through 06 March 2013 as well as other non-security related defect fixes. These four releases are Common Criteria certified.
These system software releases for the products listed are designed to be installed by the customer. Please follow the procedures in the bulletin document to install the solution. The system software versions are full system releases so the patch criticality rating is not applicable.
These software releases are compressed into zip files and can be accessed via the links in the bulletin document.
.
Xerox Security Bulletin XRX13-008 v1.0 (PDF 82.3K)
Software Release to Eliminate Unauthorized Access
Note: This bulletin has been re-issued to correct a typographical error in the URL string for one of the product ZIP files.
The Xerox products ColorQube 9201/9202/9203, WorkCentre 6400, WorkCentre 7525/7530/7535/7545/7556, and WorkCentre 7755/7765/7775 contain code for implementing a remote protocol that could be exploited to gain unauthorized access to the device.
The software release indicated in the bulletin will perform the following action:
Remove the affected code that unintentionally created the unauthorized access potential.
A software release for the products listed has been provided. This release is designed to be installed by the customer. The software release is contained in a zip file and can be accessed via the links in this bulletin announcement or on the Security Bulletins page.
Xerox Security Bulletin XRX13-007 v1.0 (PDF 72K)
FreeFlow Print Server v7, v8 and v9
July 2013 Security Patch Cluster (includes Java 6 Update 51 Software)
Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support Contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.
This bulletin announces the availability of the following:
1. July 2013 Security Patch Cluster
This supersedes the April 2013 Security Patch Cluster
2. Java 6 Update 51 Software
This supersedes Java 6 Update 45 Software
Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.
Xerox Security Bulletin XRX13-006 v1.2 (PDF 96.8K)
NOTE: The new version 1.2 of this bulletin has been updated to detail a software procedure error in the ColorQube 93XX devices. The process to update a ColorQube 93XX device to the Common Criteria Certified version of software may require an extra step depending on the current software version. The details are contained in the bulletin along with an updated link to the CCC version of software.
Cumulative update for Common Criteria Certification
System Software Versions listed below for the WorkCentre 5845/5855/5865/5875/5890, WorkCentre 7220/7225, WorkCentre 7830/7835/7845/7855 and ColorQube 9301/9302/9303 models are cumulative updates that incorporate security vulnerability fixes up through 06 March 2013 as well as other non-security related defect fixes. These four releases are Common Criteria certified.
These system software releases for the products listed are designed to be installed by the customer. Please follow the procedures in the bulletin document to install the solution. The system software versions are full system releases so the patch criticality rating is not applicable.
These software releases are compressed into zip files and can be accessed via the links in the bulletin document(Xerox Security Bulletin XRX13-006 v1.2) above.
.
Xerox Security Bulletin XRX13-005 v1.0 (PDF 63.4K)
Cumulative update for Common Criteria Certification
System Software Version 061.090.221.36202 for the WorkCentre 7755/7765/7775 models is a cumulative update that incorporates security vulnerability fixes up through 19 Oct 2012 as well as other non-security related defect fixes. This release is Common Criteria certified.
This system software release for the products listed is designed to be installed by the customer. Please follow the procedures in the bulletin document to install the solution. This system software version is a full system release so the patch criticality rating is not applicable.
The software release is compressed into a 237.9 MB zip file and can be accessed via the link below or via the link contained in the bulletin announcement on the Xerox Security Site.
http://www.xerox.com/downloads/usa/en/c/cert_061_090_221_36202.zip
Xerox Security Bulletin XRX13-004 v1.0 (PDF 90K)
FreeFlow Print Server v7
January 2013 Security Patch Cluster (includes Java 6 Update 39 Software)
Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.
This bulletin announces the availability of the following:
1. January 2013 Security Patch Cluster
This supersedes the October 2012 Security Patch Cluster
2. Java 6 Update 39 Software
This supersedes Java 6 Update 37 Software
Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.
Xerox Security Bulletin XRX12-005 V1.1 (PDF 103.3K)
The Xerox devices ColorQube® 9201/9202/9203, ColorQube® 9301/9302/9303, WorkCentre® 232/238/245/255/265/275, WorkCentre® 5030/5050, WorkCentre® 5135/5150, WorkCentre® 5632/5638/5645/5655/5665/5675/5687, WorkCentre® 5735/5740/5745/5755/5765/5775/5790, WorkCentre® 6400, WorkCentre® 7525/7530/7535/7545/7556, WorkCentre® 7655/7665/7675, WorkCentre® 7755/7765/7775, WorkCentre® Bookmark 40/55, WorkCentre Pro® 232/238/245/255/265/275 were shipped with certain protocols enabled that, if properly exploited, could be used to gain
unauthorized access to the system. These particular protocols should not have been present in the production configuration and need to be removed from that configuration to minimize the possibility of unauthorized system access.
A software solution (patch P49) is provided for the products listed. This solution will remove from the production configuration the unwanted protocols in question so they can’t be exploited to gain unauthorized access to the system.
This solution is designed to be installed by the customer. The software solution is compressed into a 3 KB zip file and can be accessed via the link below or via the link following this bulletin announcement on the Xerox Security Site.
Software available through this link:
cert_P49v1_Patch2.zip
Xerox Security Bulletin XRX13-003 v1.0 (PDF 88.6K)
FreeFlow Print Server v8
January 2013 Security Patch Cluster (includes Java 6 Update 37 Software)
Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.
This bulletin announces the availability of the following:
1. January 2013 Security Patch Cluster
This supersedes the October 2012 Security Patch Cluster
2. Java 6 Update 37 Software
This supersedes Java 6 Update 33 Software
Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.
Xerox Security Bulletin XRX13-002 v1.0 (PDF 57.9K)
Cumulative update for Common Criteria Certification
System Software Version 061.050.221.36200 for the ColorQube 9201/9202/9203 models is a cumulative update that incorporates security vulnerability fixes up through 06 Jan 2012 as well as other non-security related defect fixes. This release is Common Criteria certified.
This system software release for the products listed below is designed to be installed by the customer. Please follow the procedures in the bulletin to install the solution. This system software version is a full system release so the patch criticality rating is not applicable.
The software release is compressed into a 441.3 MB zip file and can be accessed via the link below or via the link following this bulletin announcement on the Xerox Security Site.
http://www.xerox.com/downloads/usa/en/c/cert_061_050_221_36200.zip.
Xerox Security Bulletin XRX13-001 v1.0 (PDF 57.3K)
Cumulative update for Common Criteria Certification
System Software Version 071.160.222.23700 for the ColorQube 8700/8900 models is a cumulative update that incorporates security vulnerability fixes up through 29 Aug 2012 as well as other non-security related defect fixes. This release is Common Criteria certified.
This system software release for the products listed is designed to be installed by the customer. Please follow the procedures in the bulletin to install the solution. This system software version is a full system release so the patch criticality rating is not applicable.
The software release is compressed into a 479.3 MB zip file and can be accessed via the link below or via the link inside the bulletin.
http://www.xerox.com/downloads/usa/en/c/cert_071.160.222.23700.zip
Xerox Security Bulletin XRX12-011 v1.1 (PDF 86.6K)
Digital Signature of Software Upgrade Files
v1.1
NOTE: This bulletin was reissued at version 1.1 to remove the Phaser 3635MFP. An issue with the Phaser 3635MFP will be resolved in a future version of this bulletin.
The Xerox products Phaser 3600, Phasers 4600/4620 and the WorkCentre 3550 were shipped without the ability to accept software upgrade files with digital signatures. The ability to accept only software upgrade files with digital signatures has been added for the indicated products. In addition, the indicated products now include the software upgrade setting in the Configuration Report and have added the capability to enable/disable software upgrade via SNMP.
Firmware solutions that will now only accept software upgrades files with digital signatures have been provided. These solutions are designed to be installed by the customer. The firmware solutions can be accessed via the links below or via the links in this bulletin announcement on the Xerox Security Site.
Phaser 3600: http://www.support.xerox.com/support/_all-products/file-download/enus.html?contentId=122549
Phaser 4600/4620: http://www.support.xerox.com/support/phaser-4600-4620/downloads/enza.html?operatingSystem=win7
WorkCentre 3550: http://www.support.xerox.com/support/workcentre-3550/downloads/enza.html?operatingSystem=win7
Xerox Security Bulletin XRX12-009 v1.1 (PDF 90.7K)
FreeFlow Print Server v7.3
July 2012 Security Patch Cluster (includes Java 6 Update 33 Software)
NOTE: This document has been updated to provide corrected file size and checksum information.
Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.
This bulletin announces the availability of the following:
1. July 2012 Security Patch Cluster
This supersedes the April 2012 Security Patch Cluster
2. Java 6 Update 33 Software
This supersedes Java 6 Update 31 Software
Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.
Xerox Security Bulletin XRX12-010 v1.1 (PDF 91.2K)
FreeFlow Print Server v8
July 2012 Security Patch Cluster (includes Java 6 Update 33 Software)
v1.1
NOTE: This bulletin has been re-issued to update file size and checksum information.
Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.
This bulletin announces the availability of the following:
1. July 2012 Security Patch Cluster
This supersedes the April 2012 Security Patch Cluster
2. Java 6 Update 33 Software
This supersedes Java 6 Update 31 Software
Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.
Xerox Security Bulletin XRX12-008 v1.0 (PDF 63.2K)
Cumulative update for Common Criteria Certification
System Software Version 061.132.222.03800 for the WorkCentre 5735/5740/5745/5755/5765/5775/5790 models is a cumulative update that incorporates security vulnerability fixes up through 09 Feb 2012 as well as other non-security related defect fixes. This release is Common Criteria certified.
This system software release for the products listed is designed to be installed by the customer. This system software version is a full system release so the patch criticality rating is not applicable. The software release is compressed into a 295.9 MB zip file and can be accessed via the link below or via the link contained in the bulletin.
http://a400.g.akamai.net/7/400/5566/v0001/xerox.download.akamai.com/5566/cert_061_132_222_03800.zip.
Xerox Security Bulletin XRX12-012 v1.0 (PDF 71.6K)
The Xerox Phaser 7800 product was shipped with software upgrades enabled by default and with network protocols enabled that could be exploited to gain unauthorized access to the system.
NOTE: If Software Upgrade is currently disabled on the desired device. it must be enabled prior to installation of this software patch.
The software release indicated below will perform the following action:
• Change the default state of software upgrade to disabled. After installing this firmware/software, software upgrade will be
disabled. It can be re-enabled at the Web UI when necessary.
• Remove protocols that were not intended to be present in the production configuration.
Details about this bulletin and other Xerox Product Security features can be found at the Xerox Security Site.
The the link to this software needed to upgrade your Phaser 7800 can be found inside the bulletin document or can be downloaded from this link:
http://www.support.xerox.com/go/getfile.asp?objid=122181&EULA=28&Xtype=download&uType=
Xerox Security Bulletin XRX12-007 V1.1 (PDF 1M)
Disable software upgrades by default
NOTE: This bulletin has been re-posted as an additional product, the WorkCentre 6015N/I has been included.
The Xerox Phaser 6010, Phaser 6125, Phaser 6128MFP, Phaser 6130, Phaser 6140, Phaser 6180, Phaser 6180MFP, Phaser 6280, Phaser 6500, WorkCentre 3045NI, WorkCentre 6015N/I and the WorkCentre 6505 were shipped with software upgrades enabled by default. The firmware release which changes this default can be downloaded via the links inside the bulletin document. These firmware solutions are classified as Moderate updates.
NOTE: If software upgrade had previously been disabled, software upgrade must be ENABLED on the device at the Local User Interface before this firmware version can be loaded.
Please follow the instructions starting on page 2 for each affected product to install these firmware solutions.
Xerox Security Bulletin XRX12-006 v1.0 (PDF 89.3K)
FreeFlow Print Server
April 2012 OS and Security Patch Cluster (includes Java 6 Update 31 Software)
Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.
This bulletin announces the availability of the following:
1. April 2012 Security Patch Cluster
This supersedes the January 2012 Security Patch Cluster
2. Java 6 Update 31 Software
This supersedes Java 6 Update 29 Software
Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.