-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3028
                      Xerox Security Bulletin XRX18-032
                               8 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xerox FreeFlow Print Server
Publisher:         Xerox
Operating System:  Solaris
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Delete Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12368 CVE-2018-12366 CVE-2018-12365 CVE-2018-12364
                   CVE-2018-12363 CVE-2018-12362 CVE-2018-12360 CVE-2018-12359
                   CVE-2018-10115 CVE-2018-6126 CVE-2018-5996 CVE-2018-5188
                   CVE-2018-5185 CVE-2018-5184 CVE-2018-5183 CVE-2018-5178
                   CVE-2018-5174 CVE-2018-5170 CVE-2018-5168 CVE-2018-5162
                   CVE-2018-5161 CVE-2018-5159 CVE-2018-5158 CVE-2018-5157
                   CVE-2018-5156 CVE-2018-5155 CVE-2018-5154 CVE-2018-5150
                   CVE-2018-2908 CVE-2018-2815 CVE-2018-2814 CVE-2018-2800
                   CVE-2018-2799 CVE-2018-2798 CVE-2018-2797 CVE-2018-2796
                   CVE-2018-2795 CVE-2018-2794 CVE-2018-2790 CVE-2018-2783
                   CVE-2018-1171 CVE-2018-1057 CVE-2018-1050 CVE-2018-0739
                   CVE-2018-0733 CVE-2017-17969 CVE-2017-17689 CVE-2017-15275
                   CVE-2017-14746 CVE-2017-10003 CVE-2017-3738 CVE-2016-0431
                   CVE-2016-0426 CVE-2016-0419 CVE-2016-0418 CVE-2016-0416
                   CVE-2016-0414 CVE-2016-0403 CVE-2015-5600 CVE-2015-4920
                   CVE-2015-4020 CVE-2015-3900 CVE-2015-2923 CVE-2015-2922
                   CVE-2015-2743 CVE-2015-2742 CVE-2015-2741 CVE-2015-2740
                   CVE-2015-2739 CVE-2015-2738 CVE-2015-2737 CVE-2015-2736
                   CVE-2015-2735 CVE-2015-2734 CVE-2015-2733 CVE-2015-2731
                   CVE-2015-2730 CVE-2015-2729 CVE-2015-2728 CVE-2015-2726
                   CVE-2015-2725 CVE-2015-2724 CVE-2015-2722 CVE-2015-2721
                   CVE-2015-1819 CVE-2014-3683 CVE-2014-3634 CVE-2014-3566
                   CVE-2014-3564 CVE-2014-2653 CVE-2013-6371 CVE-2013-6370
Reference:         ASB-2018.0208.3
                   ASB-2018.0176
                   ASB-2018.0162
                   ASB-2018.0146
                   ESB-2018.2787
                   ESB-2018.2774
                   ESB-2018.2747
                   ESB-2018.2724
                   ESB-2018.2699

Original Bulletin:
   https://security.business.xerox.com/wp-content/uploads/2018/08/cert_XRX18-032_FFPSv7-S11_Media-Delivery_Aug2018.pdf

- --------------------------BEGIN INCLUDED TEXT--------------------

Xerox Security Bulletin XRX18-032
Xerox FreeFlow Print Server v7 / Solaris 11
Supports: Xerox Nuvera PSIP 14.0 Printer Products

Delivery of: July 2018 Security Patch Cluster
Includes: Java 7 Update 181 and Firefox v52.9.0

Bulletin Date: August 15, 2018

1.0 Background

Oracle delivers quarterly Critical Patch Updates (CPU) to address
US-CERT-announced Security vulnerabilities and deliver reliability improvements
for the Solaris Operating System platform. Oracle does not provide these patches
to the public, but authorizes vendors like Xerox to deliver them to customers
with an active FreeFlow Print Server Support Contract (FSMA). Customers who may
have an Oracle Support Contract for their non-FreeFlow Print Server / Solaris
servers should not install patches not prepared/delivered by Xerox. Installing
non-authorized patches for the FreeFlow Print Server software violates Oracle
agreements, can render the platform inoperable, and can result in downtime
and/or a lengthy re-installation service call.

This bulletin announces the availability of the following:

1. July 2018 Security Patch Cluster
   o Supersedes April 2018 Security Patch Cluster.
   o October 2017 Security Patch Cluster install is a prerequisite.
2. Java 7 Update 181 Software
   o Same version that was included in the previous April 2018 Security Patch
     Cluster.
   o Supersedes Java 7 Update 171 software.
3. Firefox 52.9.0 Software
   o Supersedes Firefox v59.0.2 software.
4. Solaris 11.3 Base Repository
   o Only needed if the customer uses SMB for workflow (e.g., Hot Folder).
   o Allows update to Samba v4.4.16.

Caveat: If the January 2018 Security Patch Cluster or later is not installed,
inserting a USB drive into the USB port on the FreeFlow Print Server will cause
the keyboard and mouse to freeze and become inoperable. If this is the case, the
July 2018 Security Patch Cluster includes patches to fix this issue. We recommend
transferring the Security Patch Cluster files to the FreeFlow Print Server hard
disk over an SFTP connection and installing from the hard disk. This method can
be used to overcome the USB issue.

The US-CERT Common Vulnerability Exposures (CVE) patches installed with the
Solaris 11.3 OS upgrade are remediated as listed in the table below:

   Solaris 11.3 Included Security Patch Remediated US-CERT CVEs

   CVE-2013-6370  CVE-2015-1819  CVE-2015-2729  CVE-2015-2737  CVE-2015-2922  CVE-2016-0414
   CVE-2013-6371  CVE-2015-2721  CVE-2015-2730  CVE-2015-2738  CVE-2015-2923  CVE-2016-0416
   CVE-2014-2653  CVE-2015-2722  CVE-2015-2731  CVE-2015-2739  CVE-2015-3900  CVE-2016-0418
   CVE-2014-3564  CVE-2015-2724  CVE-2015-2733  CVE-2015-2740  CVE-2015-4020  CVE-2016-0419
   CVE-2014-3566  CVE-2015-2725  CVE-2015-2734  CVE-2015-2741  CVE-2015-4920  CVE-2016-0426
   CVE-2014-3634  CVE-2015-2726  CVE-2015-2735  CVE-2015-2742  CVE-2015-5600  CVE-2016-0431
   CVE-2014-3683  CVE-2015-2728  CVE-2015-2736  CVE-2015-2743  CVE-2016-0403  CVE-2017-10003

The US-CERT Common Vulnerability Exposures (CVE) list for the July 2018 Security
Patch Cluster is below:

   July 2018 Security Patch Cluster Remediated US-CERT CVEs

   CVE-2018-0733   CVE-2017-17969  CVE-2018-1171   CVE-2018-5159   CVE-2018-5174   CVE-2018-5996
   CVE-2018-0739   CVE-2017-3738   CVE-2018-2908   CVE-2018-5161   CVE-2018-5178   CVE-2018-1050
   CVE-2017-14746  CVE-2018-5150   CVE-2018-5162   CVE-2018-5183   CVE-2018-1057   CVE-2017-15275
   CVE-2018-5154   CVE-2018-5168   CVE-2018-5184   CVE-2017-17689  CVE-2018-10115  CVE-2018-5155
   CVE-2018-5170   CVE-2018-5185

The US-CERT Common Vulnerability Exposures (CVE) list for the Java 7 Update 181
Software is below:

   Java 7 Update 181 Software Remediated US-CERT CVEs

   CVE-2018-2783  CVE-2018-2794  CVE-2018-2796  CVE-2018-2798  CVE-2018-2800  CVE-2018-2815
   CVE-2018-2790  CVE-2018-2795  CVE-2018-2797  CVE-2018-2799  CVE-2018-2814

The US-CERT Common Vulnerability Exposures (CVE) list for the Firefox v52.9.0
Software is below:

   Firefox v52.9.0 Software Remediated US-CERT CVEs

   CVE-2018-12359  CVE-2018-12364  CVE-2018-5150   CVE-2018-5157   CVE-2018-5174   CVE-2018-6126
   CVE-2018-12360  CVE-2018-12365  CVE-2018-5154   CVE-2018-5158   CVE-2018-5178   CVE-2018-12362
   CVE-2018-12366  CVE-2018-5155   CVE-2018-5159   CVE-2018-5183   CVE-2018-12363  CVE-2018-12368
   CVE-2018-5156   CVE-2018-5168   CVE-2018-5188

Note: Xerox recommends that customers evaluate their security needs
periodically and, if they need Security patches to address the above CVE
issues, schedule an activity with their Xerox Service team to install this
announced Security Patch Cluster. Alternatively, the customer can install the
Security Patch Cluster using the Update Manager UI from the Xerox FreeFlow Print
Server Platform.

2.0 Applicability

The customer can schedule a Xerox Service or Analyst representative to deliver
and install the Security Patch Cluster from USB media or the hard disk on the
FreeFlow Print Server platform. A customer can work with the Xerox CSE/Analyst
to install the quarterly Security Patch Clusters if they have the expertise. The
Xerox CSE/Analyst would be required to provide the Security Patch Cluster
deliverables if they agree to allow customer install.

The July 2018 Security Patch Cluster is available for the FreeFlow Print Server
v7 release on the Solaris 11.3 OS for the Xerox printer products below:

1. Nuvera 100/120/144/157 EA Digital Production System
2. Nuvera 200/288/314 EA Perfecting Production System
3. Nuvera 100/120/144 MX Digital Production System
4. Nuvera 200/288 MX Perfecting Production System

This Security patch deliverable has been tested on the FreeFlow Print Server
73.I1.10.11 software release. We have not tested the July 2018 Security Patch
Cluster on all earlier FreeFlow Print Server 7.3 releases, but there should not
be any problems on these releases.

It is a prerequisite to install the October 2017 Security Patch Cluster on the
FreeFlow Print Server platform before installing the July 2018 Security Patch
Cluster. A patch version script is provided to assist with identification of
the currently installed Security Patch Cluster version as well as other version
information (e.g., Solaris OS version). If the script output shows that the
January 2018 Security Patch Cluster or later is installed, the October 2017
Security Patch Cluster has already been installed and the prerequisite is
satisfied.

As a result of the very large file size of these deliverables, the download and
install of the Solaris 11.3 OS upgrade and July 2018 Security Patch Cluster are
not supported from the Update Manager UI on the FreeFlow Print Server platform.
The July 2018 Security Patch Cluster is delivered as three-part ZIP files so
that they can be transported on DVD/USB media, and installed from USB media or
from a directory location on the FreeFlow Print Server platform. We delivered
the Solaris 11.3 OS upgrade and October 2017 Security Patch Cluster as two-part
ZIP files as a result of their large size. They can be transferred to the
FreeFlow Print Server over the network using SFTP, or copied from USB media.

The Xerox Customer Service Engineer (CSE)/Analyst uses a tool that identifies
the currently installed Solaris OS version, FreeFlow Print Server software
version, Security Patch Cluster version and Java Software version, and whether
the Solaris 11.3 Base Repository has been installed.
This tool can initially be run to determine if the prerequisite Solaris 11.3 OS
and October 2017 Security Patch Cluster are currently installed. Example output
from this script for the FreeFlow Print Server v9 software is as follows:

   Solaris OS Version:    11.3
   FFPS Release Version   7.0_SP-3_(73.I1.10.11.86)
   FFPS Patch Cluster     July 2018
   Java Version           Java 7 Update 181
   Base Repository        Installed

The above versions are the correct information after installing the July 2018
Security Patch Cluster. The Base Repository is optional. We deliver Base
Repository software for the Solaris 11.3 OS with the delivery of the July 2018
Security Patch Cluster. You only need to install the Base Repository if you are
interested in updating Samba from v3.6.25 to v4.4.16. If a customer is using SMB
shares for any purpose (e.g., Hot Folder workflow), it is recommended to install
the Base Repository to ensure Samba is updated to v4.4.16. The Base Repository
software is a large package, so it is delivered as three-part ZIP files.

3.0 Patch Install

Xerox strives to deliver these critical Security patch updates in a timely
manner. The customer process to obtain Security Patch Cluster updates (delivered
on a quarterly basis) is to contact the Xerox hotline support number. Xerox
Service or an analyst can install the Patch Cluster using a script utility that
supports installing from USB media or from the hard disk on the FreeFlow Print
Server platform.

The Security Patch Cluster deliverables are available on a secure FTP site once
they are ready for customer delivery. The Xerox CSE/Analyst can download and
prepare for the install by writing the Security patch update into a known
directory on the FreeFlow Print Server platform, or on DVD/USB media. Delivery
of the Security Patch Cluster includes an ISO and ZIP archive file for
convenience. Once the patch cluster has been prepared on media, run the provided
install script to perform the install.
The install script accepts an argument that identifies the media that contains a
copy of the FreeFlow Print Server Security Patch Cluster (e.g.,
# installSecPatches.sh [disk | usb]). Delivery of the July 2018 Security Patch
Cluster includes ZIP files separated into three parts to address file size
issues. Once the patch cluster has been prepared on the hard disk, a script is
run to perform the install. Make sure that the Nuvera printer is upgraded to the
Solaris 11.3 OS prior to installing the July 2018 Security Patch Cluster. This
delivery is not available using the Update Manager UI from the FreeFlow Print
Server given the large size of the deliverable.

Note: The install of this Security Patch Cluster can fail if the archive file
containing the software was corrupted while downloading the deliverables from
the SFTP site, copying them to USB media or uploading them to the hard drive on
the FreeFlow Print Server platform over a network connection. The table below
lists the file size on Windows, the file size on Solaris and the checksum on
Solaris for the July 2018 Security Patch Cluster files.

   July 2018 Security Patch Cluster Files

   Security Patch File                               Windows Size   Solaris Size    Solaris Checksum
                                                     (KB)           (bytes)         (sum output)
   Jul2018AndJava7Update181Patches_v7S11-Part1.zip   3,402,443      3,484,100,631   34458 6804885
   Jul2018AndJava7Update181Patches_v7S11-Part2.zip   3,258,468      3,336,671,023   38610 6516936
   Jul2018AndJava7Update181Patches_v7S11-Part3.zip   2,163,289      2,215,207,183   38015 4326577

Verify the integrity of the Security Patch ZIP files on the FreeFlow Print
Server hard drive by comparing the archive file size and checksum in the table
with the actual size and checksum of the files on the platform. Change directory
to the location of the Security Patch Cluster ZIP files and use the UNIX sum
command to output the checksum of each ZIP file (e.g.,
sum Jul2018AndJava7Update181Patches_v7S11-Part1.zip).
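The following POSIX shell script is an added example; it is not part of the Xerox bulletin or the AusCERT redistribution. It automates the comparison described in this step for the Patch Cluster parts in the table above, and also for the Solaris 11.3 Base Repository parts listed further below, using the sizes and checksums printed in the bulletin's tables. It assumes that the "Solaris Checksum" column is the output of Solaris /usr/bin/sum, i.e. the System V 16-bit checksum followed by the number of 512-byte blocks (the block counts in the tables are consistent with 512-byte blocks); on a GNU/Linux or BusyBox staging host, `sum -s` selects that same algorithm, and an od/awk reimplementation is used where neither is available. The script file name verify_parts.sh and the function names sysv_sum, verify_part, verify_patch_cluster and verify_base_repo are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Xerox bulletin or the AusCERT redistribution:
# check each Security Patch Cluster ZIP part against the size and `sum`
# values printed in the bulletin's tables before running installSecPatches.sh.
#
# Assumption: the "Solaris Checksum" column is the output of Solaris
# /usr/bin/sum, i.e. the System V 16-bit checksum followed by the number of
# 512-byte blocks (the block counts in the tables are consistent with
# 512-byte blocks). GNU coreutils and BusyBox select that algorithm with -s.

# Portable reimplementation of the System V algorithm, used only where no
# suitable sum(1) exists: add up all bytes, fold the 32-bit total into 16 bits
# twice, and report the number of 512-byte blocks rounded up.
sysv_sum_awk() {
    od -A n -v -t u1 "$1" | awk '
        { for (i = 1; i <= NF; i++) { s += $i; n++ } }
        END {
            s = s % 4294967296
            r = (s % 65536) + int(s / 65536)
            c = (r % 65536) + int(r / 65536)
            printf "%d %d\n", c, int((n + 511) / 512)
        }'
}

# Print "checksum blocks" for a file in System V form, whatever the host.
sysv_sum() {
    if [ "$(uname -s)" = SunOS ]; then
        sum "$1"                 # Solaris sum: System V algorithm by default
    elif sum -s /dev/null >/dev/null 2>&1; then
        sum -s "$1"              # GNU/BusyBox sum: -s selects System V
    else
        sysv_sum_awk "$1"
    fi | awk '{ print $1, $2 }'  # drop the file name if one is printed
}

# verify_part EXPECTED_BYTES EXPECTED_CHECKSUM EXPECTED_BLOCKS FILE
# Returns 0 only when size and checksum both match; reports the reason otherwise.
verify_part() {
    exp_bytes=$1; exp_sum=$2; exp_blocks=$3; file=$4
    if [ ! -f "$file" ]; then
        echo "MISSING   $file" >&2
        return 1
    fi
    got_bytes=$(wc -c < "$file" | tr -d ' ')
    if [ "$got_bytes" != "$exp_bytes" ]; then
        echo "BAD SIZE  $file: expected $exp_bytes bytes, got $got_bytes" >&2
        return 1
    fi
    got_sum=$(sysv_sum "$file")
    if [ "$got_sum" != "$exp_sum $exp_blocks" ]; then
        echo "BAD SUM   $file: expected '$exp_sum $exp_blocks', got '$got_sum'" >&2
        return 1
    fi
    echo "OK        $file"
}

# Expected values copied from the bulletin's tables. Each function checks every
# part (not just the first failure) and returns 1 if any part is damaged.
verify_patch_cluster() {
    rc=0
    verify_part 3484100631 34458 6804885 Jul2018AndJava7Update181Patches_v7S11-Part1.zip || rc=1
    verify_part 3336671023 38610 6516936 Jul2018AndJava7Update181Patches_v7S11-Part2.zip || rc=1
    verify_part 2215207183 38015 4326577 Jul2018AndJava7Update181Patches_v7S11-Part3.zip || rc=1
    return $rc
}

verify_base_repo() {
    rc=0
    verify_part 3270767004 13588 6388217 Solaris11.3_Base_Repo_part1.zip || rc=1
    verify_part 3589100941 7577 7009963 Solaris11.3_Base_Repo_part2.zip || rc=1
    verify_part 1570375293 15522 3067140 Solaris11.3_Base_Repo_part3.zip || rc=1
    return $rc
}

# Usage, from the directory holding the ZIP files:
#   . ./verify_parts.sh && verify_patch_cluster && verify_base_repo
# and only then run the bulletin's install script: installSecPatches.sh disk
```

The size check runs first because it is cheap and catches a truncated transfer without reading the whole multi-gigabyte archive; the checksum is only computed when the size already matches. Any part that reports BAD SIZE or BAD SUM should be transferred again rather than installed, since the bulletin's note says a corrupted archive makes the install fail.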
The output of the sum command should match the table above.

The table below lists the file size on Windows, the file size on Solaris and the
checksum on Solaris for the Solaris 11.3 OS Base Repository files.

   Solaris 11.3 OS Base Repository Files

   Security Patch File              Windows Size   Solaris Size    Solaris Checksum
                                    (KB)           (bytes)         (sum output)
   Solaris11.3_Base_Repo_part1.zip  3,194,109      3,270,767,004   13588 6388217
   Solaris11.3_Base_Repo_part2.zip  3,374,944      3,589,100,941   7577 7009963
   Solaris11.3_Base_Repo_part3.zip  1,533,570      1,570,375,293   15522 3067140

Verify the integrity of the Solaris 11.3 Base Repository ZIP files on the
FreeFlow Print Server hard drive by comparing the archive file checksum in the
table with the actual checksum of the files on the platform. Change directory
to the location of the Solaris 11.3 Base Repository ZIP files and use the UNIX
sum command to output the checksum of each ZIP file (e.g.,
sum Solaris11.3_Base_Repo_part1.zip). The output of the sum command should
match the table above.

4.0 Disclaimer

The information provided in this Xerox Product Response is provided "as is"
without warranty of any kind. Xerox Corporation disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness for
a particular purpose. In no event shall Xerox Corporation be liable for any
damages whatsoever resulting from user's use or disregard of the information
provided in this Xerox Product Response including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if Xerox
Corporation has been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential damages so
the foregoing limitation may not apply.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your organisation,
so if you do not wish to continue receiving these bulletins you should contact
your local IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW7rDbmaOgq3Tt24GAQi0sA/8D3Lwm+qa3uiblgp4miqafADA29AvyqMg
NjjF8ZcplxpFpQVkXJcj0p+IjljgOlIkm3DwKbymslnQ88+8OkA7aUT/f52gx3sy
V5lm1Lc2gLzQmNn5gttBD68XaUq1zyiZcksErdbphpq6auHlXISu/kZ7KpBs0ezr
HuatuAEl2eZNMzNbzXU/KG/uSlSJ5GbFlh38axO1sf0cvkuQB8gg0fQqFw7Up4Cn
g5skrFCuRPIN5BgEtmHduGbxrmrSa0QMPgnXMp/LZqhPkSWHRWGanz8MnemqT3kV
C5rA5e92RuFgLZWGhyG4pS/ycTKjPpA/vD8MYT52KoVYtM5xh5gfficIB6I/ZPPw
XUgLY99A4EW+TQ7N+z95kIzBHVSLSrlEBSsDM0uWj3rl8odSdeXTzRrUdink8BHl
Jq7Em1HJZXCRZMoy7iiIhtUdvoxy+IBHAPI1BoetrDjl8UA0C/lztozuHp1eFc0H
nfnY49NDgr7ChZ2rIYLIsEpfwFhcKrTmGaD7C9VX+wcNjOlmKiSn04I+JEMzxiB8
49Y/4Hop7ebm9ASKBi++JKMZ1cbQn/jCpKbN66gc4wHn6o1V0k2p2XlWcMiRpGfH
MkOHkoDR6WYC6Ss09m9NTj/l6roK5GCQhA8sqNZ+qoibW4n3ZwGEdyMqkwKu7V+f
oAmyp0yf2lc=
=cssJ
-----END PGP SIGNATURE-----