Xerox Security Bulletin XRX15-004 V1.0 (PDF 143.4K)

Cumulative update for Common Criteria Certification
v1.0
06/08/15

Background
The System Software Version in this bulletin for the WorkCentre 5945/5955 contains cumulative updates that incorporate security vulnerability fixes up through 01 December 2014 as well as other non-security related defect fixes. This release is Common Criteria certified (see https://www.xerox.com/information-security/common-criteria-certified/enus.html).

The system software release for the product is designed to be installed by the customer. Please follow the procedures contained in the bulletin to install the solution. The system software version is a full system release so the patch criticality rating is not applicable.

Xerox Security Bulletin XRX15-002 V1.0 (PDF 130.8K)

glibc “Ghost” Vulnerability
v1.0
02/09/15

Background
A vulnerability has been discovered in the glibc library software that interacts with the Domain Name System (DNS). This vulnerability can allow attackers to remotely execute malicious code on a target system. A patch was issued two years ago but most Linux versions used in production systems remained unprotected. Patching requires a system restart so some servers may remain vulnerable for some time to come.

A document has been created showing which Xerox products are affected by this vulnerability; it can be viewed at the Xerox Security Site.

Xerox Security Bulletin XRX15-001 V1.1 (PDF 267.7K)

Xerox Security Bulletin XRX15-001 V1.1
1/20/2015 Re-issued on this date to remove “draft” from the file title.
Cumulative update for Common Criteria Certification

NOTE: Version 1.1 was published to fix a URL typo.

The System Software Versions for the WorkCentre 5845/5855/5865/5875/5890, WorkCentre 7220/7225, WorkCentre 7830/7835/7845/7855, ColorQube 8700/8900 and ColorQube 9301/9302/9303 models are cumulative updates that incorporate security vulnerability fixes up through 06 June 2014 as well as other non-security related defect fixes. These releases are Common Criteria certified.

The system software releases for the products are designed to be installed by the customer. Please follow the links and procedures contained in the bulletin to install the solution. The system software versions are full system releases so the patch criticality rating is not applicable.

Xerox Security Bulletin XRX14-008 V1.0 (PDF 1M)

Xerox Security Bulletin XRX14-008
Bash Shellshock Command Line Interpreter Vulnerability
v1.0
11/10/2014

Background
A vulnerability has been discovered in the Bash command shell that can allow attackers to remotely execute commands on a target system. Even systems that don’t allow remote command shell connections may still use Bash to execute commands in the Apache web server and other network-facing applications. Unix and Unix-derived systems like Linux and Mac OS X are vulnerable to these attacks since they use Bash as the default command shell.

A Bash Shellshock document addressing this vulnerability has been posted to the Xerox Security Site.

NOTE: Review the bulletin for a more complete list of devices.

Xerox Security Bulletin XRX14-006 V1.1 (PDF 1M)

Xerox Security Bulletin XRX14-006
Bash Shellshock Command Line Interpreter Vulnerability
v1.1
11/07/2014

Background
A vulnerability has been discovered in the Bash command shell that can allow attackers to remotely execute commands on a target system. Even systems that don’t allow remote command shell connections may still use Bash to execute commands in the Apache web server and other network-facing applications. Unix and Unix-derived systems like Linux and Mac OS X are vulnerable to these attacks since they use Bash as the default command shell.

A Bash Shellshock document addressing this vulnerability has been posted to the Xerox Security Site.

Xerox Security Bulletin XRX14-007 V1.0 (PDF 316.3K)

FreeFlow Print Server v6, v7, v8 and v9
DocuSP Print Server v5
Bash/Shellshock Security Patch
v1.0

Background
This bulletin announces the availability of the following:
1. Bash Security Patch
The Bash/Shellshock patch for FFPS is now available on the Xerox Download Server (aka DMS). The patch is available on the DMS server for all FFPS Releases v7, v8, and v9. (For FFPS v6 and DocuSP 5, refer to the section below). The patch is not mandatory but will be included in future Security Patch Cluster releases. This patch has no dependency on prior-released Security Patch Clusters.

Security vulnerabilities that are remediated with this FFPS Security patch are:
CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278

2. Guide to Using the FFPS Software Update Manager
Customers can download this patch from the Xerox Download Server and install on FFPS using the FFPS Software Update Manager. This feature is included in the FFPS v7, v8, and v9 software releases. Use of the Update Manager requires that the System Administrator has some Unix/Linux/Solaris skills, and experience starting the Command Line (terminal window) tool on the FFPS UI.
The announcement is on the Articles and White Papers page.

The User Guide document is available for download at this URL:
http://www.xerox.com/download/security/white-paper/eb628-5070df5f278f6/UserGuideForFFPS_SoftwareUpdateManager_Oct2014_v1.0.pdf
If a customer has difficulty performing these procedures, they should contact their local Xerox Service representative for further guidance.

Patch Installation for FFPS v6 and DocuSP v5
Because the FFPS Software Update tool is not available for the FFPS v6 and DocuSP v5 products, the patch must be provided by a Xerox CSE or Analyst. Please contact your local Xerox Service representative to request the patch file and, if appropriate, schedule an action to have the patch installed. Because this patch is not mandatory and there is very little risk of vulnerability with FFPS, the action should be scheduled at a mutually convenient time.

Xerox Security Bulletin XRX14-005 V1.2 (PDF 1M)

Xerox Security Bulletin XRX14-005
Bash Shellshock Command Line Interpreter Vulnerability
v1.2
10/28/14

Background
A vulnerability has been discovered in the Bash command shell that can allow attackers to remotely execute commands on a target system. Even systems that don’t allow remote command shell connections may still use Bash to execute commands in the Apache web server and other network-facing applications. Unix and Unix-derived systems like Linux and Mac OS X are vulnerable to these attacks since they use Bash as the default command shell.

A Bash Shellshock document addressing this vulnerability has been posted to the Xerox Security Site.

Xerox Mini Security Bulletin XRX14F v1.0 (PDF 251.9K)

NOTE: This Bulletin is ONLY intended for the specific security problem(s) rated as IMPORTANT for the following products.

WorkCentre 5736
WorkCentre 5740
WorkCentre 5745
WorkCentre 5755
WorkCentre 5765
WorkCentre 5775
WorkCentre 5790

Xerox Security Bulletin XRX14-004 v1.0 (PDF 715.7K)

FreeFlow Print Server v7, v8 and v9
April 2014 Security Patch Cluster

Background
Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support Contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

This bulletin announces the availability of the following:

1. April 2014 Security Patch Cluster
This supersedes the January 2014 Security Patch Cluster
2. Java 6 Update 75 Software
This supersedes Java 6 Update 71 Software

Xerox Mini Security Bulletin XRX14B v1.1 (PDF 249K)

NOTE: This Bulletin was re-released to correct an error. No Service Call is needed for installation of this software.

ColorQube 8700/8900
ColorQube 9301/9302/9303
WorkCentre 5845/5855/5865/5875/5890
WorkCentre 7220/7225
WorkCentre 7830/7835/7845/7855

Xerox Mini Security Bulletin XRX14A v1.0 (PDF 453.1K)

NOTE: This Bulletin is ONLY intended for the specific security problem(s) rated as critical for the following products.

WorkCentre 5736
WorkCentre 5740
WorkCentre 5745
WorkCentre 5755
WorkCentre 5765
WorkCentre 5775
WorkCentre 5790

Xerox Security Bulletin XRX14-003 v1.0 (PDF 668.7K)

Software Release to Eliminate SQL Injection Vulnerability

An SQL injection vulnerability exists that, if exploited, could allow remote attackers to insert arbitrary code into the applicable software application. If successful, an attacker could make unauthorized changes to, damage or delete database tables and values.

A set of software “hotfixes” for the software application listed below has been provided that removes this vulnerability. These “hotfixes” are designed to be installed by the customer. The software “hotfixes” are contained in .tar files for Linux and Solaris or .exe/.jar files for Windows and can be accessed via the link to the DocuShare Support & Software Page (http://www.support.xerox.com/support/xerox-docushare/software/enus.htm) or via the links in this bulletin.

Affected Products:
Windows Server 2003 & Windows Server 2008:
DocuShare 6.5.3 Patch 6 — DocuShare 6.5.3 Patch 6 Hotfix 2 for Windows Server

Windows Server 2008 x64 & Windows Server 2008 x64:
DocuShare 6.5.3 Patch 6 — DocuShare 6.5.3 Patch 6 Hotfix 2 for Windows Server
DocuShare 6.6.1 Update 1 — DocuShare 6.6.1 Update 1 Hotfix 24 for Windows Server
DocuShare 6.6.1 Update 2 — DocuShare 6.6.1 Update 2 Hotfix 3 for Windows Server

Windows Server 2012 R2 & Windows Server 2012 x64:
DocuShare 6.6.1 Update 1 — DocuShare 6.6.1 Update 1 Hotfix 24 for Windows Server
DocuShare 6.6.1 Update 2 — DocuShare 6.6.1 Update 2 Hotfix 3 for Windows Server

Linux:
DocuShare 6.5.3 Patch 6 — DocuShare 6.5.3 Patch 6 Hotfix 2 for Linux
DocuShare 6.6.1 Update 2 — DocuShare 6.6.1 Update 2 Hotfix 3 for Linux

Unix & Solaris:
DocuShare 6.5.3 Patch 6 — DocuShare 6.5.3 Patch 6 Hotfix 2 for Solaris UNIX
DocuShare 6.6.1 Update 2 — DocuShare 6.6.1 Update 2 Hotfix 3 for Solaris UNIX

Xerox Security Bulletin XRX14-002 v1.0 (PDF 66.9K)

FreeFlow Print Server v7, v8 and v9
January 2014 Security Patch Cluster (includes Java 6 Update 71 Software)

Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support Contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

This bulletin announces the availability of the following:

1. Jan 2014 Security Patch Cluster
This supersedes the October 2013 Security Patch Cluster
2. Java 6 Update 71 Software
This supersedes Java 6 Update 65 Software

Xerox Security Bulletin XRX13-002 v1.1 (PDF 61.4K)

Cumulative update for Common Criteria Certification
System Software Version 061.080.221.36200 for the ColorQube 9201/9202/9203 Single Board Controller models is a cumulative update that incorporates security vulnerability fixes up through 06 Jan 2012 as well as other non-security related defect fixes. This release is Common Criteria certified.

This system software release for the products listed below is designed to be installed by the customer. Please follow the procedures in the bulletin to install the solution. This system software version is a full system release so the patch criticality rating is not applicable.

The software release is compressed into a 441.3 MB zip file and can be accessed via the link in this bulletin document.

Xerox Security Bulletin XRX14-001 v1.1 (PDF 61.4K)

Cumulative update for Common Criteria Certification

System Software Version 071.161.203.15600 for the ColorQube 8700/8900 Xerox ConnectKey Controller models is a cumulative update that incorporates security vulnerability fixes up through 10 Jun 2013 as well as other non-security related defect fixes. This release is Common Criteria certified.

This system software release for the products listed below is designed to be installed by the customer. Please follow the procedures below to install the solution. This system software version is a full system release so the patch criticality rating is not applicable.

The software release is compressed into a 378.1 MB zip file and can be accessed via the link in this bulletin.

Xerox Security Bulletin XRX13-006 v1.3 (PDF 101.3K)

NOTE: This bulletin has been updated to correct a software procedure error in the ColorQube 93XX devices. Contact Xerox Technical Support to obtain system software release 071.180.203.06400 and the instructions for installing this release; if your current system software release is 061.180.223.11601 or earlier, there are interim steps that have to be followed before you can upgrade your device to system software release 071.180.203.06400. A new version of the bulletin will be published once the new information becomes available.

Cumulative update for Common Criteria Certification
System Software Versions listed below for the WorkCentre 5845/5855/5865/5875/5890, WorkCentre 7220/7225, WorkCentre 7830/7835/7845/7855 and ColorQube 9301/9302/9303 models are cumulative updates that incorporate security vulnerability fixes up through 06 March 2013 as well as other non-security related defect fixes. These four releases are Common Criteria certified.

These system software releases for the products listed are designed to be installed by the customer. Please follow the procedures in the bulletin document to install the solution. The system software versions are full system releases so the patch criticality rating is not applicable.

These software releases are compressed into zip files and can be accessed via the links in the bulletin document.


Xerox Security Bulletin XRX13-008 v1.0 (PDF 82.3K)

Software Release to Eliminate Unauthorized Access

Note: This bulletin has been re-issued to correct a typographical error in the URL string for one of the product ZIP files.

The Xerox products ColorQube 9201/9202/9203, WorkCentre 6400, WorkCentre 7525/7530/7535/7545/7556, and WorkCentre 7755/7765/7775 contain code for implementing a remote protocol that could be exploited to gain unauthorized access to the device.

The software release indicated in the bulletin will perform the following action:
Remove the affected code that unintentionally created the unauthorized access potential.

A software release for the products listed has been provided. This release is designed to be installed by the customer. The software release is contained in a zip file and can be accessed via the links in this bulletin announcement or on the Security Bulletins page.

Xerox Security Bulletin XRX13-007 v1.0 (PDF 72K)

FreeFlow Print Server v7, v8 and v9
July 2013 Security Patch Cluster (includes Java 6 Update 51 Software)

Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support Contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

This bulletin announces the availability of the following:

1. July 2013 Security Patch Cluster
This supersedes the April 2013 Security Patch Cluster
2. Java 6 Update 51 Software
This supersedes Java 6 Update 45 Software

Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.

Xerox Security Bulletin XRX13-006 v1.2 (PDF 96.8K)

NOTE: The new version 1.2 of this bulletin has been updated to detail a software procedure error in the ColorQube 93XX devices. The process to update a ColorQube 93XX device to the Common Criteria Certified version of software may require an extra step depending on the current software version. The details are contained in the bulletin along with an updated link to the CCC version of software.

Cumulative update for Common Criteria Certification
System Software Versions listed below for the WorkCentre 5845/5855/5865/5875/5890, WorkCentre 7220/7225, WorkCentre 7830/7835/7845/7855 and ColorQube 9301/9302/9303 models are cumulative updates that incorporate security vulnerability fixes up through 06 March 2013 as well as other non-security related defect fixes. These four releases are Common Criteria certified.

These system software releases for the products listed are designed to be installed by the customer. Please follow the procedures in the bulletin document to install the solution. The system software versions are full system releases so the patch criticality rating is not applicable.

These software releases are compressed into zip files and can be accessed via the links in the bulletin document (Xerox Security Bulletin XRX13-006 v1.2) above.


Xerox Security Bulletin XRX13-005 v1.0 (PDF 63.4K)

Cumulative update for Common Criteria Certification
System Software Version 061.090.221.36202 for the WorkCentre 7755/7765/7775 models is a cumulative update that incorporates security vulnerability fixes up through 19 Oct 2012 as well as other non-security related defect fixes. This release is Common Criteria certified.

This system software release for the products listed is designed to be installed by the customer. Please follow the procedures in the bulletin document to install the solution. This system software version is a full system release so the patch criticality rating is not applicable.

The software release is compressed into a 237.9 MB zip file and can be accessed via the link below or via the link contained in the bulletin announcement on the Xerox Security Site.

http://www.xerox.com/downloads/usa/en/c/cert_061_090_221_36202.zip

Xerox Security Bulletin XRX13-004 v1.0 (PDF 90K)

FreeFlow Print Server v7
January 2013 Security Patch Cluster (includes Java 6 Update 39 Software)

Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

This bulletin announces the availability of the following:

1. January 2013 Security Patch Cluster
This supersedes the October 2012 Security Patch Cluster
2. Java 6 Update 39 Software
This supersedes Java 6 Update 37 Software

Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.

Xerox Security Bulletin XRX12-005 V1.1 (PDF 103.3K)

The Xerox devices ColorQube® 9201/9202/9203, ColorQube® 9301/9302/9303, WorkCentre® 232/238/245/255/265/275, WorkCentre® 5030/5050, WorkCentre® 5135/5150, WorkCentre® 5632/5638/5645/5655/5665/5675/5687, WorkCentre® 5735/5740/5745/5755/5765/5775/5790, WorkCentre® 6400, WorkCentre® 7525/7530/7535/7545/7556, WorkCentre® 7655/7665/7675, WorkCentre® 7755/7765/7775, WorkCentre® Bookmark 40/55, WorkCentre Pro® 232/238/245/255/265/275 were shipped with certain protocols enabled that, if properly exploited, could be used to gain unauthorized access to the system. These particular protocols should not have been present in the production configuration and need to be removed from that configuration to minimize the possibility of unauthorized system access.

A software solution (patch P49) is provided for the products listed. This solution will remove from the production configuration the unwanted protocols in question so they can’t be exploited to gain unauthorized access to the system.

This solution is designed to be installed by the customer. The software solution is compressed into a 3 KB zip file and can be accessed via the link below or via the link following this bulletin announcement on the Xerox Security Site.

Software available through this link:

cert_P49v1_Patch2.zip

Xerox Security Bulletin XRX13-003 v1.0 (PDF 88.6K)

FreeFlow Print Server v8
January 2013 Security Patch Cluster (includes Java 6 Update 37 Software)

Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

This bulletin announces the availability of the following:

1. January 2013 Security Patch Cluster
This supersedes the October 2012 Security Patch Cluster
2. Java 6 Update 37 Software
This supersedes Java 6 Update 33 Software

Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.

Xerox Security Bulletin XRX13-002 v1.0 (PDF 57.9K)

Cumulative update for Common Criteria Certification
System Software Version 061.050.221.36200 for the ColorQube 9201/9202/9203 models is a cumulative update that incorporates security vulnerability fixes up through 06 Jan 2012 as well as other non-security related defect fixes. This release is Common Criteria certified.

This system software release for the products listed below is designed to be installed by the customer. Please follow the procedures in the bulletin to install the solution. This system software version is a full system release so the patch criticality rating is not applicable.

The software release is compressed into a 441.3 MB zip file and can be accessed via the link below or via the link following this bulletin announcement on the Xerox Security Site.

http://www.xerox.com/downloads/usa/en/c/cert_061_050_221_36200.zip

Xerox Security Bulletin XRX13-001 v1.0 (PDF 57.3K)

Cumulative update for Common Criteria Certification
System Software Version 071.160.222.23700 for the ColorQube 8700/8900 models is a cumulative update that incorporates security vulnerability fixes up through 29 Aug 2012 as well as other non-security related defect fixes. This release is Common Criteria certified.

This system software release for the products listed is designed to be installed by the customer. Please follow the procedures in the bulletin to install the solution. This system software version is a full system release so the patch criticality rating is not applicable.

The software release is compressed into a 479.3 MB zip file and can be accessed via the link below or via the link inside the bulletin.

http://www.xerox.com/downloads/usa/en/c/cert_071.160.222.23700.zip