Xerox Product Security: The Man In The Middle (MITM) OpenSSL Vulnerability V1.1 (PDF 860.5K)

NOTE: A new document indicates software updates for Xerox devices previously vulnerable. This version of the document is for hardware only. Software products and web sites are still being investigated.

A vulnerability was reported in OpenSSL versions 0.9.8 – 0.9.8z and 1.0.1 – 1.0.1g that allows a Man-In-The-Middle attack. The attack would require that both hosts have a vulnerable version of OpenSSL.
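The following check is an added example, not part of the Xerox bulletin: it tests `openssl version` output against the two ranges stated above and applies the both-hosts condition to a host inventory. The function names and the sample inventory are assumptions made for illustration.

```python
import re

# Affected ranges as stated in the bulletin: branch -> last affected letter.
AFFECTED = {"0.9.8": "z", "1.0.1": "g"}
# Accepts `openssl version` output or a bare version such as "0.9.8za".
_VERSION = re.compile(r"(?:OpenSSL\s+)?(\d+\.\d+\.\d+)([a-z]*)")

# Constructed sample inventory; hostnames and banners are illustrative only.
INVENTORY = {
    "print-srv": "OpenSSL 1.0.1e 11 Feb 2013",
    "scan-gw": "OpenSSL 0.9.8za 5 Jun 2014",
    "mfp-01": "OpenSSL 0.9.8y 5 Feb 2013",
    "build-01": "OpenSSL 1.0.1h 5 Jun 2014",
}

def parse_version(banner):
    """Return (branch, letters) from a version banner, or None if unparseable."""
    m = _VERSION.match(banner.strip())
    return (m.group(1), m.group(2)) if m else None

def is_affected(banner):
    """True if the version falls inside a range listed in the bulletin."""
    parsed = parse_version(banner)
    if parsed is None:
        raise ValueError(f"unrecognised OpenSSL version string: {banner!r}")
    branch, letters = parsed
    last = AFFECTED.get(branch)
    if last is None:
        return False  # branch is not listed in the bulletin
    # Letter releases sort "" < a < ... < z < za < zb, so compare the
    # suffix length first and the letters second.
    return (len(letters), letters) <= (len(last), last)

def pair_exposed(client_banner, server_banner):
    """The bulletin states the attack needs a vulnerable OpenSSL on both hosts."""
    return is_affected(client_banner) and is_affected(server_banner)

def exposed_pairs(inventory):
    """List host pairs where both endpoints fall in an affected range."""
    hosts = sorted(h for h, b in inventory.items() if is_affected(b))
    return [(a, b) for i, a in enumerate(hosts) for b in hosts[i + 1:]]

if __name__ == "__main__":
    print(exposed_pairs(INVENTORY))
```

Distribution packages often backport fixes without changing the upstream version letter, so a match here is a reason to check the package changelog, not proof of exposure.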

This problem affects very few cases, as shown below.

  • Microsoft Windows (all versions, clients or servers) are not affected as those Operating Systems use a different encryption tool.
  • Apple Macintosh users (all versions, clients or servers) are not affected as that Operating System uses a different encryption tool.
  • Linux client or server versions are able to upgrade to a non-vulnerable OpenSSL easily using the APT or RPM Package Management tools.
  • Solaris client or server versions are able to upgrade to a non-vulnerable OpenSSL easily using the dpkg Package Management tool.

Beyond showing that many Operating Systems are not vulnerable or can be easily protected, it is very unlikely that an attacker could predict and be ready to act at the precise moment when two vulnerable devices are communicating. This document lists Xerox products and whether they are affected by this issue.