Xerox Addresses the “Heartbleed Bug”

Xerox is investigating the impact of the “Heartbleed bug” which is a vulnerability in the popular OpenSSL cryptographic software library Version 1.0.1 to 1.0.1f.

We are committed to protecting the data assets of our customers and partners and will provide additional information as it becomes available. Xerox is not aware or have any information indicating that client information has been compromised by the Heartbleed vulnerability/bug.

What you need to know
Xerox is following the course of actions recommended by www.OpenSSL.org and other trusted security industry authorities working on this issue. At this time we believe a small number of our offerings - both products and services – are affected.
Resources
Several of our products, software and solutions have been evaluated and determined as cleared of any potential risk. You can find a list of those products, software and solutions here.

For general security information for your product, visit www.xerox.com/security.

Frequently Asked Questions

What is OpenSSL?
OpenSSL is a software library that provides secure, encrypted communications functions for major information technologies utilized across the Internet. OpenSSL is transparent to most people, but it is present within many types services, including web portals, email systems, and instant messaging services to name a few.

What is the OpenSSL Heartbleed Bug?
On April 7, 2014, the vendor of these encryption software libraries (OpenSSL.org) publicly disclosed the presence of a serious vulnerability in their encryption software. They provided an upgraded version of OpenSSL software (1.0.1g) which fixes the vulnerability.

Due to the severity of the vulnerability, OpenSSL.org named the vulnerability “Heartbleed Bug”. They published an FAQ on the Internet explaining that the issue is very serious, and urged all product vendors who utilize their software to upgrade immediately to mitigate the risk for security incidents to occur. Since OpenSSL is embedded in many commercial technology products and services, in most cases the OpenSSL components can not be upgraded directly by users or IT support staffs. Each vendor must upgrade their own software to the new version, and then in turn provide an appropriate software upgrade for each of their products.

Why is this a cause for concern?
Information has been posted on the Internet from which arbitrary attackers can conduct attacks against vulnerable services. Attacks could be conducted with relative ease, and according to OpenSSL.org such attacks could occur without any means for technology system owners to detect that it has happened. Some expert industry sources state that as much as 66% of all Internet-based functions currently depend on vulnerable versions of OpenSSL.