ESB-2018.3028 - [Solaris] Xerox FreeFlow Print Server: Multiple vulnerabilities 2018-10-08


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3028
                     Xerox Security Bulletin XRX18-032
                              8 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xerox FreeFlow Print Server
Publisher:         Xerox
Operating System:  Solaris
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Access Privileged Data          -- Remote/Unauthenticated      
                   Increased Privileges            -- Existing Account            
                   Modify Arbitrary Files          -- Remote/Unauthenticated      
                   Delete Arbitrary Files          -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12368 CVE-2018-12366 CVE-2018-12365
                   CVE-2018-12364 CVE-2018-12363 CVE-2018-12362
                   CVE-2018-12360 CVE-2018-12359 CVE-2018-10115
                   CVE-2018-6126 CVE-2018-5996 CVE-2018-5188
                   CVE-2018-5185 CVE-2018-5184 CVE-2018-5183
                   CVE-2018-5178 CVE-2018-5174 CVE-2018-5170
                   CVE-2018-5168 CVE-2018-5162 CVE-2018-5161
                   CVE-2018-5159 CVE-2018-5158 CVE-2018-5157
                   CVE-2018-5156 CVE-2018-5155 CVE-2018-5154
                   CVE-2018-5150 CVE-2018-2908 CVE-2018-2815
                   CVE-2018-2814 CVE-2018-2800 CVE-2018-2799
                   CVE-2018-2798 CVE-2018-2797 CVE-2018-2796
                   CVE-2018-2795 CVE-2018-2794 CVE-2018-2790
                   CVE-2018-2783 CVE-2018-1171 CVE-2018-1057
                   CVE-2018-1050 CVE-2018-0739 CVE-2018-0733
                   CVE-2017-17969 CVE-2017-17689 CVE-2017-15275
                   CVE-2017-14746 CVE-2017-10003 CVE-2017-3738
                   CVE-2016-0431 CVE-2016-0426 CVE-2016-0419
                   CVE-2016-0418 CVE-2016-0416 CVE-2016-0414
                   CVE-2016-0403 CVE-2015-5600 CVE-2015-4920
                   CVE-2015-4020 CVE-2015-3900 CVE-2015-2923
                   CVE-2015-2922 CVE-2015-2743 CVE-2015-2742
                   CVE-2015-2741 CVE-2015-2740 CVE-2015-2739
                   CVE-2015-2738 CVE-2015-2737 CVE-2015-2736
                   CVE-2015-2735 CVE-2015-2734 CVE-2015-2733
                   CVE-2015-2731 CVE-2015-2730 CVE-2015-2729
                   CVE-2015-2728 CVE-2015-2726 CVE-2015-2725
                   CVE-2015-2724 CVE-2015-2722 CVE-2015-2721
                   CVE-2015-1819 CVE-2014-3683 CVE-2014-3634
                   CVE-2014-3566 CVE-2014-3564 CVE-2014-2653
                   CVE-2013-6371 CVE-2013-6370 

Reference:         ASB-2018.0208.3
                   ASB-2018.0176
                   ASB-2018.0162
                   ASB-2018.0146
                   ESB-2018.2787
                   ESB-2018.2774
                   ESB-2018.2747
                   ESB-2018.2724
                   ESB-2018.2699

Original Bulletin: 
   https://security.business.xerox.com/wp-content/uploads/2018/08/cert_XRX18-032_FFPSv7-S11_Media-Delivery_Aug2018.pdf

- --------------------------BEGIN INCLUDED TEXT--------------------

Xerox Security Bulletin XRX18-032

Xerox FreeFlow Print Server v7 / Solaris 11

Supports: Xerox Nuvera PSIP 14.0 Printer Products

Delivery of: July 2018 Security Patch Cluster

Includes: Java 7 Update 181 and Firefox v52.9.0

Bulletin Date: August 15, 2018

1.0 Background

Oracle delivers quarterly Critical Patch Updates (CPU) to address 
US-CERT-announced security vulnerabilities and deliver reliability 
improvements for the Solaris Operating System platform. Oracle does not 
provide these patches to the public, but authorizes vendors like Xerox to 
deliver them to customers with an active FreeFlow Print Server Support 
Contract (FSMA). Customers who have an Oracle Support Contract for their
non-FreeFlow Print Server / Solaris servers should not install patches not 
prepared/delivered by Xerox. Installing non-authorized patches for the 
FreeFlow Print Server software violates Oracle agreements, can render the 
platform inoperable, and can result in downtime and/or a lengthy 
re-installation service call.

This bulletin announces the availability of the following:
1. July 2018 Security Patch Cluster
  o Supersedes April 2018 Security Patch Cluster.
  o October 2017 Security Patch Cluster install is prerequisite.
2. Java 7 Update 181 Software
  o Same version that was included in previous April 2018 Security Patch Cluster.
  o Supersedes Java 7 Update 171 software.
3. Firefox 52.9.0 Software
  o Supersedes Firefox v59.0.2 software.
4. Solaris 11.3 Base Repository
  o Only needed if the customer uses SMB for workflow (e.g., Hot Folder)
  o Allows update to Samba v4.4.16.

Caveat: If the January 2018 Security Patch Cluster or later is not installed,
inserting a USB drive into the USB port on the FreeFlow Print Server will 
cause the keyboard and mouse to freeze and become inoperable. If this is
the case, the July 2018 Security Patch Cluster includes patches to fix this 
issue. We recommend transferring the Security Patch Cluster files to the 
FreeFlow Print Server hard disk over an SFTP connection, and installing from 
the hard disk. This method can be used to overcome the USB issue.

The table below lists the US-CERT Common Vulnerabilities and Exposures (CVEs)
remediated by the security patches installed with the Solaris 11.3 OS upgrade:

Solaris 11.3 Included Security Patch Remediated US-CERT CVEs
CVE-2013-6370	CVE-2015-1819	CVE-2015-2729	CVE-2015-2737	CVE-2015-2922	CVE-2016-0414
CVE-2013-6371	CVE-2015-2721	CVE-2015-2730	CVE-2015-2738	CVE-2015-2923	CVE-2016-0416
CVE-2014-2653	CVE-2015-2722	CVE-2015-2731	CVE-2015-2739	CVE-2015-3900	CVE-2016-0418
CVE-2014-3564	CVE-2015-2724	CVE-2015-2733	CVE-2015-2740	CVE-2015-4020	CVE-2016-0419
CVE-2014-3566	CVE-2015-2725	CVE-2015-2734	CVE-2015-2741	CVE-2015-4920	CVE-2016-0426
CVE-2014-3634	CVE-2015-2726	CVE-2015-2735	CVE-2015-2742	CVE-2015-5600	CVE-2016-0431
CVE-2014-3683	CVE-2015-2728	CVE-2015-2736	CVE-2015-2743	CVE-2016-0403	CVE-2017-10003

The table below lists the US-CERT CVEs remediated by the July 2018 
Security Patch Cluster:

July 2018 Security Patch Cluster Remediated US-CERT CVEs
CVE-2018-0733	CVE-2017-17969	CVE-2018-1171	CVE-2018-5159	CVE-2018-5174	CVE-2018-5996
CVE-2018-0739	CVE-2017-3738	CVE-2018-2908	CVE-2018-5161	CVE-2018-5178
CVE-2018-1050	CVE-2017-14746	CVE-2018-5150	CVE-2018-5162	CVE-2018-5183
CVE-2018-1057	CVE-2017-15275	CVE-2018-5154	CVE-2018-5168	CVE-2018-5184
CVE-2017-17689	CVE-2018-10115	CVE-2018-5155	CVE-2018-5170	CVE-2018-5185

The table below lists the US-CERT CVEs remediated by the Java 7 
Update 181 software:

Java 7 Update 181 Software Remediated US-CERT CVEs
CVE-2018-2783	CVE-2018-2794	CVE-2018-2796	CVE-2018-2798	CVE-2018-2800	CVE-2018-2815
CVE-2018-2790	CVE-2018-2795	CVE-2018-2797	CVE-2018-2799	CVE-2018-2814

The table below lists the US-CERT CVEs remediated by the Firefox 
v52.9.0 software:

Firefox v52.9.0 Software Remediated US-CERT CVEs
CVE-2018-12359	CVE-2018-12364	CVE-2018-5150	CVE-2018-5157	CVE-2018-5174	CVE-2018-6126
CVE-2018-12360	CVE-2018-12365	CVE-2018-5154	CVE-2018-5158	CVE-2018-5178
CVE-2018-12362	CVE-2018-12366	CVE-2018-5155	CVE-2018-5159	CVE-2018-5183
CVE-2018-12363	CVE-2018-12368	CVE-2018-5156	CVE-2018-5168	CVE-2018-5188

Note: Xerox recommends that customers evaluate their security needs 
periodically and if they need Security patches to address the above CVE 
issues, schedule an activity with their Xerox Service team to install this 
announced Security Patch Cluster. Alternatively, the customer can install the
Security Patch Cluster using the Update Manager UI from the Xerox FreeFlow 
Print Server Platform.

2.0 Applicability

The customer can schedule a Xerox Service or Analyst representative to deliver
and install the Security Patch Cluster from USB media or the hard disk on the
FreeFlow Print Server platform. A customer can work with the Xerox CSE/Analyst
to install the quarterly Security Patch Clusters if they have the expertise. 
The Xerox CSE/Analyst would be required to provide the Security Patch Cluster
deliverables if they agree to allow customer install. The July 2018 Security 
Patch Cluster is available for the FreeFlow Print Server v7 release on the 
Solaris 11.3 OS for the Xerox printer products below:

 1. Nuvera 100/120/144/157 EA Digital Production System
 2. Nuvera 200/288/314 EA Perfecting Production System
 3. Nuvera 100/120/144 MX Digital Production System
 4. Nuvera 200/288 MX Perfecting Production System

This Security patch deliverable has been tested on the FreeFlow Print Server 
73.I1.10.11 software release. We have not tested the July 2018 Security Patch
Cluster on all earlier FreeFlow Print Server 7.3 releases, but there should 
not be any problems on these releases.

It is a prerequisite to install the October 2017 Security Patch Cluster on the
FreeFlow Print Server platform before installing the July 2018 Security Patch
Cluster. A patch version script is provided to assist with identification of 
the current Security Patch Cluster version installed as well as other version
information (E.g., Solaris OS). If the script output illustrates that the 
January 2018 Security Patch Cluster or later is installed it means that the 
October 2017 Security Patch Cluster had already been installed, so the 
prerequisite is satisfied. As a result of the very large file size of these 
deliverables, the download and install of the Solaris 11.3 OS upgrade and July
2018 Security Patch Cluster are not supported from the Update Manager UI on 
the FreeFlow Print Server platform. The July 2018 Security Patch Cluster is 
delivered as three-part ZIP files so that they can be transported on DVD/USB 
media, and installed from USB media or from a directory location on the 
FreeFlow Print Server platform. We delivered the Solaris 11.3 OS upgrade and 
October 2017 Security Patch Cluster as two-part ZIP files as a result of their
large size. They can be transferred to the FreeFlow Print Server over the 
network using SFTP, or copied from USB media.

The Xerox Customer Service Engineer (CSE)/Analyst uses a tool that 
identifies the currently installed Solaris OS version, FreeFlow Print 
Server software version, Security Patch Cluster version and Java software 
version, and reports whether the Solaris 11.3 Base Repository has been 
installed. This tool can be run first to determine whether the prerequisite 
Solaris 11.3 OS and October 2017 Security Patch Cluster are currently 
installed. Example output from this script for the FreeFlow Print Server v9 
software is as follows:

Solaris OS Version:  11.3
FFPS Release Version 7.0_SP-3_(73.I1.10.11.86)
FFPS Patch Cluster   July 2018
Java Version         Java 7 Update 181
Base Repository      Installed

The above versions are the correct information after installing the July 2018
Security Patch Cluster. The Base Repository is optional. We deliver Base 
Repository software for the Solaris 11.3 OS along with the July 2018 
Security Patch Cluster. You only need to install the Base Repository if you 
want to update Samba from v3.6.25 to v4.4.16. If a customer is using 
SMB shares for any purpose (e.g., Hot Folder workflow) it is recommended to 
install the Base Repository to ensure Samba is updated to v4.4.16. The Base 
Repository software is a large package, so it is delivered as three-part ZIP 
files.

3.0 Patch Install

Xerox strives to deliver these critical Security patch updates in a timely 
manner. The customer process to obtain Security Patch Cluster updates 
(delivered on a quarterly basis) is to contact the Xerox hotline support 
number. Xerox Service or an analyst can install the Patch Cluster using a 
script utility that will support installing from USB media or from the hard 
disk on the FreeFlow Print Server platform. The Security Patch Cluster 
deliverables are available on a secure FTP site once they are ready for 
customer delivery. The Xerox CSE/Analyst can download and prepare for the 
install by writing the Security patch update into a known directory on the 
FreeFlow Print Server platform, or on DVD/USB media. Delivery of the Security
Patch Cluster includes an ISO and ZIP archive file for convenience. Once the 
patch cluster has been prepared on media, run the provided install script to 
perform the install. The install script accepts an argument that identifies 
the media that contains a copy of the FreeFlow Print Server Security Patch 
Cluster (e.g., # installSecPatches.sh [disk | usb]). Delivery of the July 
2018 Security Patch Cluster includes ZIP files split into three parts to 
address file size issues. Once the patch cluster has been prepared on the hard
disk, a script is run to perform the install. Make sure that the Nuvera 
printer is upgraded to the Solaris 11.3 OS prior to installing the July 2018 
Security Patch Cluster. This delivery is not available using the Update 
Manager UI from the FreeFlow Print Server given the large size of the 
deliverable.

Note: The install of this Security Patch Cluster can fail if the archive file
containing the software was corrupted while downloading the deliverables 
from the SFTP site, copying them to USB media, or uploading them to the hard 
drive on the FreeFlow Print Server platform over a network connection. The 
table below lists the file size on Windows, the file size on Solaris and the 
checksum on Solaris for the July 2018 Security Patch Cluster files.

July 2018 Security Patch Cluster Files

Security Patch File                                Windows Size (Kb)  Solaris Size (bytes)  Solaris Checksum
Jul2018AndJava7Update181Patches_v7S11-Part1.zip    3,402,443          3,484,100,631         34458 6804885
Jul2018AndJava7Update181Patches_v7S11-Part2.zip    3,258,468          3,336,671,023         38610 6516936
Jul2018AndJava7Update181Patches_v7S11-Part3.zip    2,163,289          2,215,207,183         38015 4326577

Verify the integrity of the Security Patch ZIP files on the FreeFlow 
Print Server hard drive by comparing the original archive file size and 
checksum with the actual size and checksum of these files on the platform. 
Change directory to the location of the Security Patch Cluster ZIP files and 
use the UNIX sum command to output the checksum numbers of each ZIP file 
(e.g., sum Jul2018AndJava7Update181Patches_v7S11-Part1.zip). The output of 
the sum command should match the above table.

The table below lists the file size on Windows, the file size on Solaris and 
the checksum on Solaris for the Solaris 11.3 OS Base Repository files.

Solaris 11.3 OS Base Repository Files

Security Patch File                 Windows Size (K-bytes)  Solaris Size (bytes)  Solaris Checksum
Solaris11.3_Base_Repo_part1.zip     3,194,109               3,270,767,004         13588 6388217
Solaris11.3_Base_Repo_part2.zip     3,374,944               3,589,100,941         7577 7009963
Solaris11.3_Base_Repo_part3.zip     1,533,570               1,570,375,293         15522 3067140

Verify the integrity of the Solaris 11.3 Base Repository ZIP files on 
the FreeFlow Print Server hard drive by comparing the original archive 
file size and checksum with the actual size and checksum of these files on 
the platform. Change directory to the location of the Solaris 11.3 Base 
Repository ZIP files and use the UNIX sum command to output the checksum 
numbers of each ZIP file (e.g., sum Solaris11.3_Base_Repo_part1.zip). The 
output of the sum command should match the above table.
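As an added example (not Xerox's own install or version script), the check below automates the comparison for both tables above: it computes what Solaris `sum` prints plus the byte size for each downloaded part and reports any mismatch. It assumes the bulletin's checksums come from the System V algorithm that Solaris /usr/bin/sum implements, which reports the length in 512-byte blocks (every block count in both tables equals the Solaris byte size rounded up to 512-byte blocks, consistent with that); GNU sum's default BSD algorithm yields different numbers, so on a Linux host compare against `sum -s`.

```python
"""Check downloaded patch ZIP parts against the bulletin's size/sum tables."""
import io
import os
import sys

# From the bulletin's two tables: (Solaris bytes, sum checksum, sum 512-byte blocks)
EXPECTED = {
    "Jul2018AndJava7Update181Patches_v7S11-Part1.zip": (3484100631, 34458, 6804885),
    "Jul2018AndJava7Update181Patches_v7S11-Part2.zip": (3336671023, 38610, 6516936),
    "Jul2018AndJava7Update181Patches_v7S11-Part3.zip": (2215207183, 38015, 4326577),
    "Solaris11.3_Base_Repo_part1.zip": (3270767004, 13588, 6388217),
    "Solaris11.3_Base_Repo_part2.zip": (3589100941, 7577, 7009963),
    "Solaris11.3_Base_Repo_part3.zip": (1570375293, 15522, 3067140),
}
BLOCK = 512  # Solaris sum reports the length in 512-byte blocks, rounded up

def sysv_sum_stream(stream, chunk_size=1 << 20):
    """System V `sum` (Solaris /usr/bin/sum, GNU `sum -s`): add every byte into
    a 32-bit accumulator, then fold the high 16 bits into the low 16 bits twice.
    Streams the file, so multi-gigabyte parts are not loaded into memory."""
    total = length = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        total += sum(chunk)  # sum() over a bytes object adds the byte values
        length += len(chunk)
    total &= 0xFFFFFFFF  # the C implementation accumulates in a 32-bit int
    r = (total & 0xFFFF) + (total >> 16)
    return (r & 0xFFFF) + (r >> 16), (length + BLOCK - 1) // BLOCK, length

def sysv_sum(data):  # same algorithm over an in-memory byte string
    return sysv_sum_stream(io.BytesIO(data))

def compare(expected, actual):
    """Mismatches between two (size, checksum, blocks) tuples; [] means OK."""
    names = ("Solaris size (bytes)", "sum checksum", "sum blocks")
    return ["%s: expected %d, got %d" % (n, e, a)
            for n, e, a in zip(names, expected, actual) if e != a]

def verify_file(path):
    """Compute size and sum for one ZIP part and compare with the table."""
    name = os.path.basename(path)
    if name not in EXPECTED:
        return ["%s: not listed in the bulletin tables" % name]
    with open(path, "rb") as fh:
        checksum, blocks, size = sysv_sum_stream(fh)
    return compare(EXPECTED[name], (size, checksum, blocks))

def table_is_consistent():
    """Each table block count must be the Solaris byte size in 512-byte blocks."""
    return all(b == (s + BLOCK - 1) // BLOCK for s, _, b in EXPECTED.values())

if __name__ == "__main__":
    results = {p: verify_file(p) for p in sys.argv[1:]}
    for path, problems in results.items():
        print(path, "OK" if not problems else "; ".join(problems))
    sys.exit(1 if any(results.values()) else 0)
```

Run it with the ZIP part paths as arguments after transferring them to the platform; a non-zero exit status means at least one part should be re-downloaded before running the install script.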

4.0 Disclaimer

The information provided in this Xerox Product Response is provided "as is" 
without warranty of any kind. Xerox Corporation disclaims all warranties, 
either express or implied, including the warranties of merchantability and 
fitness for a particular purpose. In no event shall Xerox Corporation be 
liable for any damages whatsoever resulting from user's use or disregard of 
the information provided in this Xerox Product Response including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages, even if Xerox Corporation has been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability for
consequential damages so the foregoing limitation may not apply.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
