ESB-2018.1791 - [Solaris] Xerox FreeFlow Print Server: Multiple vulnerabilities 2018-06-19


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1791
                     Xerox Security Bulletin XRX18-025
                               19 June 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xerox FreeFlow Print Server
Publisher:         Xerox
Operating System:  Solaris
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote with User Interaction
                   Delete Arbitrary Files          -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated      
                   Unauthorised Access             -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-2815 CVE-2018-2814 CVE-2018-2800
                   CVE-2018-2799 CVE-2018-2798 CVE-2018-2797
                   CVE-2018-2796 CVE-2018-2795 CVE-2018-2794
                   CVE-2018-2790 CVE-2018-2783 CVE-2018-2764
                   CVE-2018-2718 CVE-2018-2563 CVE-2017-9788
                   CVE-2017-7679 CVE-2017-7668 CVE-2017-7659
                   CVE-2017-5664 CVE-2017-3169 CVE-2017-3167

Reference:         ASB-2018.0100
                   ASB-2018.0090
                   ASB-2017.0181
                   ASB-2017.0177
                   ASB-2017.0175

Original Bulletin: 
   https://security.business.xerox.com/wp-content/uploads/2018/06/cert_XR18-025_FFPSv8_UM-Bulletin_Jun2018.pdf

- --------------------------BEGIN INCLUDED TEXT--------------------

Xerox Security Bulletin XRX18-025

Xerox FreeFlow Print Server 8

Update Manager Delivery of: April 2018 Security Patch Cluster

Includes: Java 6 Update 191

Bulletin Date: June 18, 2018

1.0 Background

Oracle delivers quarterly Critical Patch Updates (CPU) to address 
US-CERT-announced security vulnerabilities and deliver reliability 
improvements for the Solaris Operating System platform. Oracle does not 
provide these patches to the public, but authorizes vendors like Xerox to 
deliver them to customers with an active FreeFlow Print Server Support 
Contract (FSMA). Customers who may have an Oracle Support Contract for their
non-FreeFlow Print Server/Solaris servers should not install patches not 
prepared/delivered by Xerox. Installing non-authorized patches for the 
FreeFlow Print Server software violates Oracle agreements, can render the 
platform inoperable, and can result in downtime and/or a lengthy 
re-installation service call.

This bulletin announces the availability of the following:

1. April 2018 Security Patch Cluster 
   o Supersedes the January 2018 Security Patch Cluster
2. Java 6 Update 191 Software
   o Supersedes Java 6 Update 181 Software

CAVEAT: We have a caveat with the April 2018 Security Patch Cluster for the 
FreeFlow Print Server 8.2 software releases. The FreeFlow Print Server 
application is not able to access remote SMB shares after installing the April
2018 Security Patch Cluster. This does not affect the SMB shares used for Hot
Folder workflow. The affected capabilities are SMB access of remote job files
by the 'Print From File' client, and storing PDF/TIFF files to a remote 
location over SMB from a hardcopy scan (e.g., commonly done on a Nuvera 
printer). It is not common for a security-conscious customer to use SMB 
workflows, so this should not affect many customers.

The US-CERT Common Vulnerabilities and Exposures (CVEs) that the April 2018 
Security Patch Cluster remediates are listed in the table below:

April 2018 Security Patch Cluster Remediated US-CERT CVEs
CVE-2017-3167 CVE-2017-5664 CVE-2017-7668 CVE-2017-9788 CVE-2018-2718 
CVE-2017-3169 CVE-2017-7659 CVE-2017-7679 CVE-2018-2563 CVE-2018-2764

The US-CERT Common Vulnerabilities and Exposures (CVEs) that the Java 6 
Update 191 Software remediates are listed in the table below:

Java 6 Update 191 Software Remediated US-CERT CVEs
CVE-2018-2783 CVE-2018-2794 CVE-2018-2796 CVE-2018-2798 CVE-2018-2800 CVE-2018-2815 
CVE-2018-2790 CVE-2018-2795 CVE-2018-2797 CVE-2018-2799 CVE-2018-2814

Note: Xerox recommends that customers evaluate their security needs 
periodically and, if they need Security patches to address the above CVE 
issues, schedule an activity with their Xerox Service team to install this 
announced Security Patch Cluster. Alternatively, the customer can install the 
Security Patch Cluster using the Update Manager UI from the Xerox FreeFlow 
Print Server platform.

2.0 Applicability

Xerox offers the Security Patch Update delivery over the network from a Xerox 
server using an application called FreeFlow Print Server Update Manager. The 
use of FreeFlow Print Server Update Manager (a GUI-based application) makes it 
simple for a customer to install Security patch updates.

The FreeFlow Print Server Update Manager delivery of the Security Patch 
Cluster provides the ability to install Security patches on top of a 
pre-installed FreeFlow Print Server software release. The advantage of this 
network install method is the ease of delivery and install from a Xerox patch 
server over the Internet. This easy install method gives a FreeFlow Print 
Server customer the option to manage the quarterly Security Patch Cluster 
install without needing support from Xerox Service. This allows the customer 
to install these patch updates as soon as they become available, without 
relying on the Xerox Service team. Many customers do not want the 
responsibility of installing the quarterly Security Patch Update, or they are 
not comfortable providing a network tunnel to the Xerox or Microsoft servers 
that store the Security Patch Update. In this case, the media install method 
(i.e., USB/DVD) is the best option.

This Security patch deliverable has been tested on the FreeFlow Print Server 
82.H3.64 software release. We have not tested the April 2018 Security Patch
Cluster on all earlier FreeFlow Print Server 8.2 releases, but there should 
not be any problems on these releases.

A tool is available that identifies the currently installed FreeFlow Print 
Server software release, Security Patch Cluster, and Java software version. 
Run this tool after the Security Patch Cluster install to validate a 
successful install. Example output from this script for the FreeFlow Print 
Server v8 software release is as follows:

FFPS Release Version     8.0-2_SP-2_(82.H3.64.86)
FFPS Patch Cluster       April 2018
Java Version             Java 6 Update 191
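An added example, not part of the Xerox bulletin or its tooling: the bulletin does not name the validation tool, only its three-line output format, so this script parses captured output in that format and checks it against the post-install state the bulletin announces (April 2018 cluster, Java 6 Update 191, tested release 82.H3.64), flagging hosts still at the superseded January 2018 cluster or Java 6 Update 181. The sample output embedded below is constructed.

```python
import re

# Expected post-install state from bulletin XRX18-025. The bulletin does not name
# the validation tool, only its output format, so the output is read from a string.
EXPECTED = {
    "FFPS Patch Cluster": "April 2018",
    "Java Version": "Java 6 Update 191",
}
# Superseded versions; seeing one after the install means it did not take effect.
SUPERSEDED = {
    "FFPS Patch Cluster": {"January 2018"},
    "Java Version": {"Java 6 Update 181"},
}
TESTED_RELEASE = "82.H3.64"  # the only release the cluster was tested on

LINE_RE = re.compile(r"^(FFPS Release Version|FFPS Patch Cluster|Java Version)\s+(\S.*?)\s*$")

def parse_tool_output(text):
    """Map each recognised label to its value; unrecognised lines are ignored."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            fields[m.group(1)] = re.sub(r"\s+", " ", m.group(2))
    return fields

def check_patch_state(text):
    """Return (ok, failures, warnings); ok is False only for patch/Java failures."""
    fields = parse_tool_output(text)
    failures, warnings = [], []
    for label, want in EXPECTED.items():
        got = fields.get(label)
        if got is None:
            failures.append(f"{label}: missing from tool output")
        elif got in SUPERSEDED[label]:
            failures.append(f"{label}: still at superseded '{got}', install did not take effect")
        elif got != want:
            failures.append(f"{label}: expected '{want}', found '{got}'")
    release = fields.get("FFPS Release Version", "")
    if TESTED_RELEASE not in release:  # untested release: warn, do not fail
        warnings.append(f"FFPS Release Version '{release}' was not tested with this cluster")
    return (not failures, failures, warnings)

# Constructed sample of the tool output for a correctly patched host.
SAMPLE_PATCHED = """\
FFPS Release Version     8.0-2_SP-2_(82.H3.64.86)
FFPS Patch Cluster       April 2018
Java Version             Java 6 Update 191
"""
```

Run `check_patch_state(SAMPLE_PATCHED)` to get `(True, [], [])`; feeding it output from a host still showing the January 2018 cluster returns failures instead.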

The April 2018 Security Patch Cluster is available for the FreeFlow Print 
Server v8 release running on the Xerox printer products below:

1. Xerox iGen 4 Press 
2. Xerox Color 800/1000 Press 
3. Xerox Color 560/570 Printer 
4. Xerox 700/700i Digital Color Press 
5. Xerox 770 Digital Color Press

Xerox strives to deliver Security Patch Clusters in a timely manner. The 
customer process to obtain Security Patch Cluster updates (delivered on a 
quarterly basis) is to contact the Xerox hotline support number, or use Update
Manager to install as the System Administrator. Update Manager is a GUI tool 
on the FreeFlow Print Server platform used to check for Security patches, 
download Security patches, and install Security patches. The customer can 
install a quarterly Security Patch Cluster using the Update Manager UI, or 
schedule Xerox Service to perform the install.

Once the Security patches are ready for customer delivery, they are available
from the Xerox patch server. Procedures are available for the FreeFlow Print 
Server System Administrator or Xerox Service for using the Update Manager GUI
to download and install the Security patches over the Internet. The Update 
Manager UI has a 'Check for Updates' button that can be selected to retrieve 
and list patch updates available from the Xerox patch server. When this option
is selected the latest Security Patch Cluster should be listed (e.g., April 
2018 Security Patch Cluster for FFPS v8.2) as available for download and 
install. The Update Manager UI includes mouse-selectable buttons to download 
and then install the patches.

Xerox uploads the Security Patch Cluster to a Xerox patch server that is 
available on the Internet outside of the Xerox corporate network once the 
deliverable has been tested and approved. Once in place on the Xerox server, a
CSE/Analyst or the customer can use the FreeFlow Print Server Update Manager 
UI to download and install it on the FreeFlow Print Server platform.

The customer proxy information must be set up on the FreeFlow Print Server 
platform so it can access the Security Patch Update over the Internet. The 
FreeFlow Print Server platform initiates a secure communication session with 
the Xerox patch server using HTTP over the TLS 1.0 protocol (HTTPS on port 
443) using an RSA 2018-bit certificate, SHA2 hash and AES256-bit stream 
encryption algorithms. This connection ensures authentication of the FreeFlow 
Print Server platform to the Xerox server, and sets up encrypted 
communication of the patch data. The Xerox server does not initiate or have 
access to the FreeFlow Print Server platform behind the customer firewall. The
Xerox server and FreeFlow Print Server platform both authenticate each other 
before making a connection between the two end-points and transferring patch 
data.

4.0 Disclaimer

The information provided in this Xerox Product Response is provided "as is" 
without warranty of any kind. Xerox Corporation disclaims all warranties, 
either express or implied, including the warranties of merchantability and 
fitness for a particular purpose. In no event shall Xerox Corporation be 
liable for any damages whatsoever resulting from user's use or disregard of 
the information provided in this Xerox Product Response including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages, even if Xerox Corporation has been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability for
consequential damages, so the foregoing limitation may not apply.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
