Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.2134 Xerox Security Bulletin XRX20-011 for Xerox FreeFlow Print Server v9 19 June 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Xerox FreeFlow Print Server v9 Publisher: Xerox Operating System: Solaris Impact/Access: Access Privileged Data -- Existing Account Denial of Service -- Remote/Unauthenticated Unauthorised Access -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2020-2851 CVE-2020-2771 CVE-2020-2757 CVE-2020-2756 CVE-2020-2696 CVE-2020-2647 CVE-2019-8936 CVE-2019-6477 CVE-2018-5743 Reference: ASB-2020.0076 ASB-2020.0026 ESB-2020.2113 ESB-2020.1984 ESB-2020.1797 ESB-2020.1796 Original Bulletin: https://security.business.xerox.com/wp-content/uploads/2020/06/cert_XRX20-011_FFPSv9-S10_DvdUsb-Bulletin_Jun2020.pdf - --------------------------BEGIN INCLUDED TEXT-------------------- Xerox Security Bulletin XRX20-011 Xerox FreeFlow Print Server v9 For: Solaris 10 Operating System Install Method: DVD/USB Media Deliverable: April 2020 Security Patch Cluster Includes: Java 7 Update 261 Bulletin Date: June 17, 2020 1.0 Background Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT Security vulnerabilities and reliability improvements for the Solaris Operating System. Oracle does provide patches to the public but authorize vendors like Xerox to deliver if there is an active FreeFlow Print Server Support Contract (FSMA). Customers that have an Oracle Support Contract for their non-FreeFlow Print Server Solaris Servers should only install patches prepared/delivered by Xerox. Installing non-authorized patches for the FreeFlow Print Server software violates Oracle agreements, and can render the platform inoperable, and result in downtime and/or a lengthy re-installation service call. This bulletin announces the availability of the following: 1. April 2020 Security Patch Cluster • Supersedes the January 2020 Security Patch Cluster 2. Java 7 Update 261 Software • Supersedes Java 7 Update 251 Software Notice: The April 2020 Security Patch Cluster includes patches to mitigate the Meltdown and Spectre vulnerabilities. These vulnerabilities are not mitigated by the Solaris 10 OS patches alone. It is required to install a BIOS firmware update specific to the Xerox printer product and Digital Front End (DFE) platform (E.g., Dell model). Failure to install the Dell BIOS firmware will leave the FreeFlow Print Server and Xerox printer product susceptible to breach of sensitive information using Meltdown and Spectre vulnerabilities. Dell does not deliver BIOS firmware to mitigate Meltdown and Spectre for PC platforms considered EOL (End of Life). See US-CERT Common Vulnerability Exposures (CVE) the April 2020 Security Patch Cluster remediate in table below: April 2020 Security Patch Cluster Remediated US-CERT CVE’s CVE-2018-5743 CVE-2019-8936 CVE-2020-2696 CVE-2019-6477 CVE-2020-2647 CVE-2020-2771 CVE-2020-2851 See the US-CERT Common Vulnerability Exposures (CVE) list for Java 7 Update 261 software below: Java 7 Update 261 Software Remediated US-CERT CVE’s CVE-2020-2756 CVE-2020-2756 CVE-2020-2756 CVE-2020-2756 CVE-2020-2757 CVE-2020-2757 CVE-2020-2757 CVE-2020-2757 Note: Xerox recommends that customers evaluate their security needs periodically and if they need Security patches to address the above CVE issues, schedule an activity with their Xerox Service team to install this announced Security Patch Cluster. Alternatively, the customer can install the Security Patch Cluster using the Update Manager UI from the Xerox FreeFlow Print Server Platform. 2.0 Applicability The customer can schedule a Xerox Service or Analyst representative to deliver and install the Security Patch Cluster using media (DVD/USB). A customer can only perform the install procedures with approval of the Xerox CSE/Analyst. Xerox offers an electronic delivery for “easy to use†install of a Security Patch Cluster, which is more suited for a customer to manage the quarterly patches on their own. The FreeFlow Print Server 93.J0.90 software release has been tested for the Xerox printer products listed on the title page of this document. We have not tested the April 2020 Security Patch Cluster on all earlier FreeFlow Print Server 9.3 releases, but there should not be any problems on these releases. It is always good practice to create a System Backup before installing the Security patches. The Xerox Customer Service Engineer (CSE)/Analyst uses a tool (accessible from a secure FTP site) that enables identification of the currently installed FreeFlow Print Server software release, Security Patch Cluster, and Java Software version. Run this tool after the Security Patch Cluster install to validate a successful install. Example output from this script for the FreeFlow Print Server v9 software release is as following: | Solaris OS Version | 10 Update 11 | | FFPS Release Version | 9.0 SP-3 (93.J0.90.86) | | FFPS Patch Cluster | April 2020 | | Java Version | Java 7 Update 261 | | Spectre Variant #1 | Installed | | Meltdown Variant #3 | Installed | | Spectre Variant #2 | Not Installed | The April 2020 Security Patch Cluster is available for the FreeFlow Print Server v9 release running on the Xerox printer products below: 1. Xerox iGen4 2. Xerox iGen4 Diamond Edition 3. Xerox iGen150 Press 4. Xerox Versant 80/180/2100 Presses 5. Xerox Color 800/100 Press 6. Xerox Color 800i/1000i Press 7. Xerox Color Press J75/C75 Press 8. Xerox Color Press 560/570 Production Printer 9. Xerox Brenva HD Production Inkjet Press 10. Xerox Impika Compact Inkjet Press 11. Xerox CiPress 325/500 Production Inkjet System 12. Xerox D95/110/125/136 Copier/Printer 13. Xerox Color 8250 Production Press NOTICE: The April 2020 Security Patch Cluster includes patches to mitigate the Meltdown and Spectre vulnerabilities. These vulnerabilities are not mitigated by the Solaris 10 OS patches alone. It is required to install a BIOS firmware update specific to the Xerox printer product and Digital Front End (DFE) platform (E.g., Dell model). Failure to install the Dell BIOS firmware will leave the FreeFlow Print Server and Xerox printer product susceptible to Meltdown and Spectre beaches to obtain sensitive information. Dell does not deliver BIOS firmware to mitigate Meltdown and Spectre for PC platforms considered EOL (End of Life). 3.0 Patch Install Xerox strives to deliver these critical Security patch updates in a timely manner. The customer process to obtain Security Patch Cluster updates (delivered on a quarterly basis) is to contact the Xerox hotline support number. Xerox Service or an analyst can install the Patch Cluster using a script utility that will support installing the patch cluster from the FreeFlow Print Server hard disk, DVD, or USB media. The Security Patch Cluster deliverables are available on a secure FTP site once they are ready for customer delivery. The Xerox CSE/Analyst can download and prepare for the install by writing the Security patch update into a known directory on the FreeFlow Print Server platform, or on DVD/USB media. Delivery of the Security Patch Cluster includes an ISO and ZIP archive file for convenience. Once the patch cluster has been prepared on media, run the provided install script to perform the install. The install script accepts an argument that identifies the media that contains a copy of the FreeFlow Print Server Security Patch Cluster. (e.g., # installSecPatches.sh [disk| dvd| usb]). Important: The install of this Security patch update can fail if the archive file containing the patches is corrupted from file transfer or writing to DVD media. There have been reported install failures when the archive file written on DVD media was corrupt. Writing to media using some DVD write applications and media types could result in a corrupted Security Patch Cluster. The tables below illustrate Solaris checksums and file size on Windows for the Security Patch Cluster ZIP and ISO files. We provide these numbers in this bulletin as a reference to check against the actual checksum. The file size and check sum of these files on Windows and Solaris are as follows: | Security Patch File | Windows Size (K-bytes) | Solaris Size (bytes) | Solaris Checksum | | Apr2020AndJava7U261Patches_v9.zip | 2,245,336 | 2,299,223,299 | 2374 4490671 | | Apr2020AndJava7U261Patches_v9.iso | 2,245,686 | 2,299,582,464 | 27178 4491372 | Verify the Apr2020AndJava7U261Patches_v9.zip file contained on the DVD/USB media or hard drive by comparing it to the original archive file size and checksum in the above table. Change directory to the file location (DVD, USB, or hard disk) and type “sum Apr2020AndJava7U261Patches_v9.zip†from a terminal window. The checksum value should be “2374 4490671†and can be used to validate the correct April 2020 Security Patch Cluster on the DVD/USB or the hard drive. 4.0 Disclaimer The information provided in this Xerox Product Response is provided "as is" without warranty of any kind. Xerox Corporation disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Xerox Corporation be liable for any damages whatsoever resulting from user's use or disregard of the information provided in this Xerox Product Response including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Xerox Corporation has been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential damages so the foregoing limitation may not apply. 2020 Xerox Corporation. All rights reserved. Xerox and Xerox and Design, FreeFlow, iGen, Versant Brenva, Impika, and CiPress, are trademarks of Xerox Corporation in the United States and/or other Countries. BR #21127 Other company trademarks are also acknowledged - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXuwIK+NLKJtyKPYoAQjVkg/8ClPFHDDRK1FbGjLLg/vnIFxzdnr9+QDg Alj48q6H8sCZFUwiQSUhTMcqkQmixP7KH+DTRd5hk+F6Rl/d2DRJdCHivdmc2ppp bXYD+qJyAQ8uELac57ac6j2oFWgKDfU9nVBHGzENqurfchqx8o7gTPd/8TxI2yVx vZyyzy77q1+LXKrCXY60URikQV5ch1ptPpRBcXTmHI3G6ksOaMdpa5gVkp0g3nX/ ICn346bTp/FPmzV2zhlY1eD0C8R7WkXNhJvsXLKhbsYCqqpvfR/fExF0aQCpcU5o 1hQdaw/DyxBwuzMIMxYlGOerLRTcNVjT29kX/egcbBwP/yb3b+NkLuvg0GKFLJxW ZndYH2Vt4++HRnEEVPzbXD5ptCBhN63tt0YMqRsZpgpvn6P6m4pd1x5bshPKiEDW GXGbbY9GBrW7qdcGWD/XKIZ2fGOtHDcK4mCgJQxV5S+w4oNOQzjskfG57NG1Iiuj UMMDdWx6eEDmpKp/9UVNETOMZIp0+GDEu5OviRSO1r22Be4YnXhOs+9QCY0YPJoe rtsqM+VRJGAIGWbsTDaBGlrs768bPzNgueeq0BsaAQyMr+XFGzUt0NupB3sol432 kDASmg7cMCLAIN34mQKMx3PGGzRnAXg25tptLawpkTbO0qX0Y/P4qoFLmHhIQ7+2 PqcZCzygI2Q= =56Mg -----END PGP SIGNATURE-----