Security @ Xerox
Product Security Guidance

2012

Xerox Security Bulletin XRX12-011 v1.1 (PDF 86.6K)
November 29, 2012
Digital Signature of Software Upgrade Files
v1.1
NOTE: This bulletin was reissued at version 1.1 to remove the Phaser 3635MFP. An issue with the Phaser 3635MFP will be resolved in a future version of this bulletin.

The Xerox products Phaser 3600, Phasers 4600/4620 and the WorkCentre 3550 were shipped without the ability to accept software upgrade files with digital signatures. The ability to accept only software upgrade files with digital signatures has been added for the indicated products. In addition, the indicated products now include the software upgrade setting in the Configuration Report and have added the capability to enable/disable software upgrade via SNMP.

Firmware solutions that will now only accept software upgrades files with digital signatures have been provided. These solutions are designed to be installed by the customer. The firmware solutions can be accessed via the links below or via the links in this bulletin announcement on: www.xerox.com /security

Phaser 3600: http://www.support.xerox.com/support/_all-products/file-download/enus.html?contentId=122549
Phaser 4600/4620: http://www.support.xerox.com/support/phaser-4600-4620/downloads/enza.html?operatingSystem=win7
WorkCentre 3550: http://www.support.xerox.com/support/workcentre-3550/downloads/enza.html?operatingSystem=win7

Xerox Security Bulletin XRX12-009 v1.1 (PDF 90.7K)
October 29, 2012
FreeFlow Print Server v7.3
July 2012 Security Patch Cluster (includes Java 6 Update 33 Software)

NOTE: This document has been updated to provide corrected file size and checksum information.

Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

This bulletin announces the availability of the following:
1. July 2012 Security Patch Cluster
This supersedes the April 2012 Security Patch Cluster
2. Java 6 Update 33 Software
This supersedes Java 6 Update 31 Software

Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.

Xerox Security Bulletin XRX12-010 v1.1 (PDF 91.2K)
October 23, 2012
FreeFlow Print Server v8
July 2012 Security Patch Cluster (includes Java 6 Update 33 Software)
v1.1

NOTE: This bulletin has been re-issued to update file size and checksum information.

Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

This bulletin announces the availability of the following:
1. July 2012 Security Patch Cluster
This supersedes the April 2012 Security Patch Cluster
2. Java 6 Update 33 Software
This supersedes Java 6 Update 31 Software

Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.

Xerox Security Bulletin XRX12-008 v1.0 (PDF 63.2K)
October 15, 2012
Cumulative update for Common Criteria Certification
System Software Version 061.132.222.03800 for the WorkCentre 5735/5740/5745/5755/5765/5775/5790 models is a cumulative update that incorporates security vulnerability fixes up through 09 Feb 2012 as well as other non-security related defect fixes. This release is Common Criteria certified (see http://www.xerox.com/information-security/common-criteria-certified/enus.html).

This system software release for the products listed is designed to be installed by the customer. This system software version is a full system release so the patch criticality rating is not applicable. The software release is compressed into a 295.9 MB zip file and can be accessed via the link below or via the link contained in the bulletin.
http://a400.g.akamai.net/7/400/5566/v0001/xerox.download.akamai.com/5566/cert_061_132_222_03800.zip.

Xerox Security Bulletin XRX12-012 v1.0 (PDF 71.6K)
October 08, 2012
The Xerox Phaser 7800 product was shipped with software upgrades enabled by default and with network protocols enabled that could be exploited to gain unauthorized access to the system.

NOTE: If Software Upgrade is currently disabled on the desired device. it must be enabled prior to installation of this software patch.

The software release indicated below will perform the following action:
• Change the default state of software upgrade to disabled. After installing this firmware/software, software upgrade will be
disabled. It can be re-enabled at the Web UI when necessary.
• Remove protocols that were not intended to be present in the production configuration.

Details about this bulletin and other Xerox Product Security features can be found at the Xerox Security
website: http://www.xerox.com/security

The the link to this software needed to upgrade your Phaser 7800 can be found inside the bulletin document or can be downloaded from this link:
http://www.support.xerox.com/go/getfile.asp?objid=122181&EULA=28&Xtype=download&uType=

Xerox Security Bulletin XRX12-007 V1.1 (PDF 1M)
October 02, 2012
Disable software upgrades by default

NOTE: This bulletin has been re-posted as an additional product, the WorkCentre 6015N/I has been included.

The Xerox Phaser 6010, Phaser 6125, Phaser 6128MFP, Phaser 6130, Phaser 6140, Phaser 6180, Phaser 6180MFP, Phaser 6280, Phaser 6500, WorkCentre 3045NI, WorkCentre 6015N/I and the WorkCentre 6505 were shipped with software upgrades enabled by default. The firmware release which changes this default can be downloaded via the links inside the bulletin document. These firmware solutions are classified as Moderate updates.

NOTE: If software upgrade had previously been disabled, software upgrade must be ENABLED on the device at the Local User Interface before this firmware version can be loaded.

Please follow the instructions starting on page 2 for each affected product to install these firmware solutions.

Xerox Security Bulletin XRX12-006 v1.0 (PDF 89.3K)
July 03, 2012
FreeFlow Print Server
April 2012 OS and Security Patch Cluster (includes Java 6 Update 31 Software)

Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

This bulletin announces the availability of the following:
1. April 2012 Security Patch Cluster
This supersedes the January 2012 Security Patch Cluster
2. Java 6 Update 31 Software
This supersedes Java 6 Update 29 Software

Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.

Xerox Security Bulletin XRX12-005 V1.0 (PDF 109.1K)
June 11, 2012
The Xerox devices ColorQube® 9201/9202/9203, ColorQube® 9301/9302/9303, WorkCentre® 232/238/245/255/265/275, WorkCentre® 5030/5050, WorkCentre® 5135/5150, WorkCentre® 5632/5638/5645/5655/5665/5675/5687, WorkCentre® 5735/5740/5745/5755/5765/5775/5790, WorkCentre® 6400, WorkCentre® 7525/7530/7535/7545/7556, WorkCentre® 7655/7665/7675, WorkCentre® 7755/7765/7775, WorkCentre® Bookmark 40/55, WorkCentre Pro® 232/238/245/255/265/275 were shipped with enabled protocols that could be exploited to gain unauthorized access to the system. These protocols were not intended to be present in the production configuration.

A software solution (patch P49) is provided for the products listed. This solution will perform the following action:
  • Remove protocols that were not intended to be present in the production configuration.

    This solution is designed to be installed by the customer. The software solution is compressed into a 3 KB zip file and can be accessed via the link below or via the link following this bulletin announcement on http://www.xerox.com/security.

    Software available through this link:
    > cert_P49v1_Patch2.zip
    (zip archive 2.5K)

    • Xerox Security Bulletin XRX12-004 V1.0 (PDF 64.5K)
    May 07, 2012
    The vulnerability documented in CVE-2011-3192 exists in the Web Server of the WorkCentre 5135/5150, and the WorkCentre 5632/5638/5645/5655/5665/5675/5687 models. If exploited the vulnerability could allow remote attackers to create a Denial of Service on the device.

    A software solution (patch P50) is provided below. This solution is designed to be installed by the customer. Please follow the procedures in the bulletin to install the solution to protect your product from possible attack through the network.

    The software solution is compressed into an 5.2 MB zip file and can be accessed via the link below or via the link following this bulletin announcement on www.xerox.com/security.
    > cert_P50v2_WC56xx08_Patch
    (zip archive 5.2M)

    Xerox Security Bulletin XRX12-002 v1.1 (PDF 82.7K)
    March 07, 2012
    FreeFlow Print Server (version 7.3)
    Oracle January 2012 CPU OS and Security Patch Cluster (includes Java 6 Update 29 Software)

    NOTE: We have released a new version of this bulletin to correct file size specifications and checksum information. No other technical information has been changed.

    Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support contracts (FSMA). Xerox customizes the patch deliveries as appropriate to each FFPS Product family, and tests the CPU patches on each supported SPAR Release prior to delivery. Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

    Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.

    Xerox Security Bulletin XRX12-003 v1.1 (PDF 188.5K)
    March 07, 2012
    NOTE: We are re-issuing this bulletin due to a spelling error of the name of one of the researchers. No technical content in the bulletin has changed.

    Vulnerabilities exist that, if exploited, could allow remote attackers to insert arbitrary code into the device. This could occur with a specifically crafted Postscript or firmware job submitted to the device. If successful, an attacker could make unauthorized changes to the system configuration; however, customer and user passwords are not exposed.

    As part of Xerox’s on-going efforts to protect customers, the ability to accept these specially crafted jobs can be disabled for the affected products listed in the bulletin. Links for the software needed are contained inside the bulletin.

    Xerox Security Bulletin XRX12-001 (PDF 104.2K)
    February 29, 2012
    System Software Version 061.121.221.28308 for the WorkCentre 7525/7530/7535/7545/7556 models is a cumulative update that incorporates several security vulnerability fixes as well as other non-security related defect fixes. This release is Common Criteria certified see http://www.xerox.com/information-security/common-criteria-certified/enus.html.

    This system software release for the products listed is designed to be installed by the customer. Please follow the procedures in the bulletin to install the solution. This system software version is a full system release so the patch criticality rating is not applicable. You may download the software using the link in the Bulletin or from here.

    2011

    Xerox Security Bulletin XRX11-004 (PDF 73.4K)
    October 07, 2011
    A vulnerability exists that, if exploited, could allow remote attackers to bypass local authentication. This could occur with a specially crafted sequence of commands entered through the Web User Interface. If successful, an attacker could make unauthorized changes to the system configuration; however, customer and user passwords are not exposed. A patch file P48 is provided for the ColorQube 9301/9302/9303.
    > cert_CQ93xx_P48v1_Patch.zip
    (zip archive 9.3M)

    Are MFD devices a Security Threat Bulletin (PDF 413.6K)
    September 07, 2011
    At DEFCON, a new presentation for an existing problem has resurfaced. Read the document above for the details.

    Xerox Security Bulletin XRX11-003 (PDF 71.8K)
    August 28, 2011
    FreeFlow Print Server
    Oracle July 2011 CPU OS and Security Patch Cluster (includes Java 6 Update 26 Software)
    Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support contracts (FSMA). Xerox customizes the patch deliveries as appropriate to each FFPS Product family, and tests the CPU patches on each supported SPAR Release prior to delivery. Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

    Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.

    Xerox Security Bulletin XRX11-002 (PDF 92K)
    March 25, 2011
    A vulnerability documented in CVE-2010-2063 exists that, if exploited, could allow remote attackers to execute arbitrary code via specially crafted fields in a Service Message Block (SMB) packet. This could occur with buffer overflows in the Samba third-party code that handles file and printer sharing services for SMB clients (including Xerox MFD devices). If successful, an attacker could make unauthorized changes to the system configuration; however, customer and user passwords are not exposed. This vulnerability affects only the printer sharing services.
    > Download the Software Update for the WorkCentre 5735/5740/5745/5755/5765/5775/5790
    (zip archive 1.4M)

    Xerox Security Bulletin XRX11-001 (PDF 89.7K)
    February 04, 2011
    A command injection vulnerability exists in the Web Server of the WorkCentre 7655/7665/7675. If exploited, the vulnerability could allow remote attackers to execute arbitrary code via carefully crafted inputs on the affected web page. Customer and user passwords are not exposed. A software solution (patch P45) is provided for the WorkCentre 7655/7665/7675.
    > Download the Software Update for the WorkCentre 7655/7665/7675
    (zip archive 1M)

    2010

    Xerox Security Bulletin XRX10-005 (PDF 79.9K)
    December 10, 2010
    A software defect exists in the WorkCentre 5735/5740/5745/5755/5765/5775/5790 with the scan to email function that can result in two different scan to email documents being merged into one document. This issue is most likely to occur on devices with a color scanner when scanning complex documents at higher resolutions.
    > Download the System Software for the WorkCentre 5735/5740/5745/5755/5765/5775/5790
    (zip archive 624.4K)

    Xerox Security Bulletin XRX10-003 (PDF 57.9K)
    November 29, 2010
    Original Release June 18, 2010
    System Software Version 021.120.060.00015 for the WorkCentre 5632-5687 Multi-Board controller and WorkCentre 5135/5150 models and System Software Version 025.054.060.00015 for the 5632-5655 Single Board controller models is a cumulative update that incorporates several security vulnerability fixes as well as other non-security related defect fixes. Both devices have been recertified to Common Criteria EAL Level 3. Both releases have been submitted for Common Criteria certification, which is expected to be completed by September 2010.
    > Download System Software Release for the Multi-Board Controller (MBC) products
    (zip archive 106.1M)

    Xerox Security Bulletin XRX10-004 (PDF 46.6K)
    October 29, 2010
    A vulnerability exists in the firmware for the Xerox 4595 Copier/Printer. If exploited, this vulnerability could cause a denial of service condition that causes the device to restart. Customer and user passwords are not exposed. This firmware release can only be installed by a Xerox Customer Support Engineer; please contact the Xerox Support Center to schedule the installation.
    > Download the System Software for the Xerox 4595 Copier/Printer without PostScript Installed
    (zip archive 20.4M)

    Xerox Security Bulletin XRX08-010 (PDF 155.5K)
    August 06, 2010
    A Denial of Service vulnerability exists in the Phaser 6100, Phaser 6200, Phaser 7300, Phaser 7750, and Phaser 8400. If exploited, this vulnerability could allow malicious users to cause the device to restart, thus effectively denying service to legitimate users.

    Xerox Security Bulletin XRX10-002 (PDF 113K)
    March 29, 2010
    Original Release January 22, 2010
    Vulnerabilities exist in the Network Controller and Web Server of the WorkCentre 5632/5638/5645/5655/5665/5675/5687, WorkCentre 5030/5050, WorkCentre 5135/5150, WorkCentre 6400, WorkCentre 7655/7665/7675, WorkCentre 7755/7765/7775, WorkCentre/WorkCentre Pro 232/238/245/255/265/275 and ColorQube 9201/9202/9203 products. If exploited these vulnerabilities could permit an attacker to either bypass Scan to Mailbox authorization to access mailboxes stored on the device or bypass web server authorization to view device configuration settings. Customer and user passwords are not exposed.
    > Download Software Update for the WorkCentre, WorkCentre Pro and ColorQube products listed above
    (zip archive 2.5M)

    Xerox Security Bulletin XRX10-001 (PDF 75.8K)
    January 22, 2010
    A vulnerability exists in the Network Controller of the WorkCentre 6400. If exploited the vulnerability could potentially permit unauthorized access to the Network Controller directory structure via a carefully constructed PostScript file.
    > Download Software Update for the WorkCentre 6400
    (zip archive 5.1M)

    2009

    Xerox Security Bulletin XRX09-004 (PDF 83.5K)
    September 18, 2009
    Original Release September 1, 2009
    An LPD protocol handling vulnerability exists in the firmware for the WorkCentre 7232/7242, the WorkCentre 7328/7335/7345/7346, and the WorkCentre 7425/7428/7435. If exploited, this vulnerability could cause a denial of service by crashing the device, although power cycling the device will recover from this attack. Customer and user passwords are not exposed.

    Xerox Security Bulletin XRX09-002 (PDF 73.9K)
    May 15, 2009
    A command injection vulnerability exists in the web server of the WorkCentre/WorkCentrePro 232/238/245/255/265/275, the WorkCentre 7655/7665/7675, and the WorkCentre 5632/5638/5645/5655/5675/5687. if exploited, the vulnerability could allow remote attackers to execute arbitrary code via carefully crafted inputs on the affected web page. Customer and user passwords are not exposed.
    > Download Software Update for WorkCentre/WorkCentrePro 232/238/245/255/265/275, WorkCentre 7655/7665/7675, and WorkCentre 5632/5638/5645/5655/5675/5687
    (zip archive 7.9M)

    Xerox Security Bulletin XRX09-001 (PDF 74.2K)
    January 30, 2009
    A command injection vulnerability exists in the web server of the WorkCentre/WorkCentre Pro 232/238/245/255/265/275 and the WorkCentre 5632/5638/5645/5655/5665/5675/5687. If exploited, the vulnerability could allow remote attackers to execute arbitrary code via carefully crafted inputs on the affected web page. Customer and user passwords are not exposed.
    > Download Software Update for WorkCentre/WorkCentre Pro 232/238/245/255/265/275 and WorkCentre 5632/5638/5645/5655/5665/5675/5687
    (zip archive 162.6K)

    Xerox Security Bulletin XRX09-003 (PDF 82.9K)
    January 22, 2009
    Second Release September 29, 2009
    Original Release August 28, 2009
    A vulnerability exists in the web servers of the WorkCentre 5030/5050, the WorkCentre 5135/5150, the WorkCentre 5632/5638/5645/5655/5665/5675/5687, the WorkCentre 7655/7665/7675, the WorkCentre 6400, and the ColorQube 9201/9202/9203. If exploited when SSL is not enabled on the device, the vulnerability could allow remote attackers to obtain unauthorized access to device configuration settings, possibly exposing customer passwords

    NOTE: The original version of the P39 patch required a manual reboot after installation. This version of the patch automatically performs a re-boot upon installation.
    > Download Software Update for the WorkCentre and ColorQube products listed above
    (zip archive 11.4K)

    2008

    Xerox Security Bulletin XRX08-009 (PDF 104.4K)
    October 16, 2008
    A vulnerability exists in the WorkCentre Pro 232/238/245/255/265/275, WorkCentre 232/238/245/255/265/275, WorkCentre 7655/7665/7675, and WorkCentre 5632/5638/5645/5655/5665/5675/5687 ESS/Network Controller that, if exploited, could allow remote attackers to execute arbitrary code via specially crafted Remove Service Message Block (SMB) responses. This could occur with buffer overflows and un-validated user input in the Samba third-party code that handles file and printer sharing services for SMB clients (including Xerox MFD devices). If successful, an attacker could make unauthorized changes to the system configuration; however, customer and user passwords are not exposed. This vulnerability affects only the printer sharing services.
    > Download Software Update for WorkCentre Pro 232/238/245/255/265/275, WorkCentre 232/238/245/255/265/275, WorkCentre 7655/7665/7675, and WorkCentre 5632/5638/5645/5655/5665/5675/5687
    (zip archive 6.6M)

    Xerox Security Bulletin XRX08-008 (PDF 39.1K)
    July 09, 2008
    CentreWare Web has been found to be vulnerable to a set of potential SQL Injection and Cross Site Scripting vulnerabilities. If exploited, these vulnerabilities could allow an attacker to make unauthorized changes to CentreWare Web or asset data, or redirect user browsing sessions.

    Xerox Security Bulletin XRX08-005 (PDF 1M)
    June 12, 2008
    A persistent cross site scripting vulnerability exists in the web server of the WorkCentre M123/M128, WorkCentre 133, WorkCentre Pro 123/128 and WorkCentre Pro 133. If exploited, this vulnerability could allow code injection by malicious web users into the web pages viewed by other users.
    Download Software Update: Refer to the XRX08-005 Security Bulletin to determine which file to download.
    > Group 2 Languages with Postscript Executable
    (zip archive 21.3M)
    > Group 1 Languages with Postscript Executable
    (zip archive 21.6M)
    > Group 3 Languages with Postscript Executable
    (zip archive 14.9M)
    > Group 2 Languages Standard Executable
    (zip archive 16.6M)
    > Group 3 Languages Standard Executable
    (zip archive 15.8M)

    Xerox Security Bulletin XRX08-006 (PDF 42.5K)
    June 12, 2008
    A vulnerability exists in the Web Services of the WorkCentre 7655/7665/7675 when attempting to access the Extensible Interface Platform feature under certain conditions. If exploited, this vulnerability could allow an attacker unauthorized access to make changes to the system configuration.
    > Download Software Update for WorkCentre 7655/7665/7675
    (zip archive 46.8M)

    Xerox Security Bulletin XRX08-007 (PDF 48.7K)
    June 12, 2008
    A persistent cross site scripting vulnerability exists in the web server of the Xerox 4110 Copier/Printer, the Xerox 4590 Copier/Printer, and the Xerox 4595 Copier/Printer. If exploited, this vulnerability could allow code injection by malicious web users into the web pages viewed by other users.
    > Download Software Update for Xerox 4110/4590/4595
    (zip archive 28.6M)
    > Download Install Instructions
    (PDF 845.5K)

    Xerox Security Bulletin XRX08-004 (PDF 1M)
    May 22, 2008
    A persistent cross site scripting vulnerability exists in the web server of the WorkCentre 7132 and WorkCentre 7228/7235/7245. If exploited, this vulnerability could allow code injection by malicious web users into the web pages viewed by other users.

    Download Software Update: Refer to the XRX08-004 Security Bulletin to determine which file to download.
    > WorkCentre 7132 with Postscript Binary
    (zip archive 25.8M)
    > WorkCentre 7132 with Postscript Executable
    (zip archive 27.7M)
    > WorkCentre 7132 Standard Binary
    (zip archive 20.4M)
    > WorkCentre 7132 Standard Executable
    (zip archive 22.3M)
    > WorkCentre 7228/7235/7245 Binary
    (zip archive 39.4M)
    > WorkCentre 7228/7235/7245 Executable
    (zip archive 41.3M)

    Xerox Security Bulletin XRX08-003 (PDF 27.9K)
    March 28, 2008
    As part of Xerox’s on-going efforts to protect customers, a patch is being provided for customers interested in the Common Criteria Certified version, 21.113.02.000, for the WorkCentre 56xx products that adds improved audit logging to meet the requirements of NIAP Policy #15.
    > Download Software Update for WorkCentre 56xx products
    (zip archive 19.6M)

    Xerox Security Bulletin XRX08-001 (PDF 40.6K)
    January 04, 2008
    Vulnerabilities exist in the WorkCentre 232/238/245/255/265/275, WorkCentre Pro 232/238/245/255/265/275, and WorkCentre 7655/7665 ESS/Network Controller that, if exploited, could allow remote attackers to execute arbitrary code via specially crafted Remote Procedure Call (RPC) requests.
    > Download Software Update for WorkCentre 232/238/245/255/265/275, WorkCentre Pro 232/238/245/255/265/275, and WorkCentre 7655/7665
    (zip archive 8M)

    2007

    Xerox Security Bulletin XRX06-005 (PDF 144K)
    October 15, 2007
    Vulnerability in the ESS/ Network Controller and MicroServer Web Server could allow remote execution of arbitrary software.

    This bulletin been superseded by XRX07-002. Download Permanently Unavailable

    Xerox Security Bulletin XRX07-002 (PDF 42.5K)
    October 15, 2007
    A command injection vulnerability exists in the WorkCentre 232/238/245/255/265/275, WorkCentre Pro 232/238/245/255/265/275, and WorkCentre 7655/7665 ESS/ Network Controller and MicroServer Web Server. If exploited, this vulnerability could allow remote execution of arbitrary software.
    > Download Software Update for WorkCentre 232/238/245/255/265/275, WorkCentre Pro 232/238/245/255/265/275, and WorkCentre 7655/7665
    (zip archive 1.1M)

    Xerox Security Bulletin XRX07-001 (PDF 43.7K)
    August 30, 2007
    A command injection vulnerability exists in the WorkCentre 232/238/245/255/265/275, WorkCentre Pro 232/238/245/255/265/275, and WorkCentre 7655/7665 ESS/ Network Controller that, if exploited, could allow remote execution of arbitrary software, forgery of digital certificates, or initiation of Denial of Service attacks.
    > Download Software Update
    (zip archive 989.4K)

    Xerox Security Bulletin XRX06-003 (PDF 19.7K)
    July 27, 2007
    Cumulative update for Common Criteria Assurance Maintenance.

    Note: This bulletin has been superseded by XRX06-006.

    Xerox Security Bulletin XRX06-006 (PDF 31.8K)
    July 26, 2007
    Cumulative update to address multiple security vulnerabilities

    2006

    Xerox Security Bulletin XRX06-002 (PDF 43.6K)
    October 25, 2006
    System software versions available to address denial of service and other vulnerabilities in the ESS.

    Xerox Security Bulletin XRX06-007 (PDF 228.1K)
    October 15, 2006
    A command injection vulnerability exists in the ESS/ Network Controller and MicroServer Web Server. If exploited this vulnerability could allow remote execution of arbitrary software.

    This bulletin has been rescinded and is no longer valid. Software Download permanently unavailable

    Xerox Security Bulletin XRX06-004 (PDF 47.4K)
    October 04, 2006
    Cumulative update to address multiple security vulnerabilities.

    Xerox Security Bulletin XRX06-001 (PDF 37.4K)
    April 24, 2006
    Vulnerabilities in the ESS/ Network Controller and MicroServer Web Server could potentially permit unauthorized access.

    Note: This bulletin has been superseded by XRX06-003.

    2005

    Xerox Security Bulletin XRX05-007 (PDF 102.7K)
    August 25, 2005
    Vulnerabilities in the WorkCentre M35/M45/M55, WorkCentre M165/175 and the WorkCentre Pro 32/40 Color, WorkCentre 35/45/55/65/75/90 and WorkCentre Pro 165/175 Xerox MicroServer Web Server could potentially permit unauthorized access.
    > Download Software Update
    (zip archive 1.6M)

    Xerox Security Bulletin XRX05-008 (PDF 69.5K)
    August 10, 2005
    Vulnerabilities in the Document Centre 240/255/265, Document Centre 420/425/428/430/432/440, Document Centre 460/470/480/490, and Document Centre 535/545/555 Xerox MicroServer Web Server could potentially permit unauthorized access.
    > Download Software Update
    (zip archive 2.6M)

    Xerox Security Bulletin XRX05-009 (PDF 42.3K)
    August 10, 2005
    Vulnerabilities in the Document Centre 220/230 and Document Centre 332/340 Xerox MicroServer Web Server could potentially permit unauthorized access.
    > Download Software Update
    (zip archive 517.4K)

    Xerox Security Bulletin XRX05-006 (PDF 41.9K)
    August 04, 2005
    Vulnerabilities in the WorkCentre Pro C2128/2636/3545 Xerox MicroServer Web Server could potentially permit unauthorized access.
    > Download Software Update
    (zip archive 581K)

    Xerox Security Bulletin XRX05-003 (PDF 54.1K)
    June 13, 2005
    Vulnerability in the Document Centre 240/255/265, Document Centre 460/470/480/490 and Document Centre 535/545/555 http server on the ESS/ Network Controller could potentially permit unauthorized access.
    > Download Software Update
    (zip archive 97.7K)

    Xerox Security Bulletin XRX05-004 (PDF 53.7K)
    June 13, 2005
    Vulnerability in the Document Centre 420/425/426/430/432/440, Document Centre 470/480/490, and Document Centre 535/545/555 Xerox MicroServer Web Server could cause a denial of service.
    > Download Software Update
    (zip archive 2.1M)

    Xerox Security Bulletin XRX04-005 (PDF 67.2K)
    June 07, 2005
    Vulnerability in the Document Centre 220/230, Document Centre 240/255/265, Document Centre 332/340, Document Centre 420/425/426/430/432/440, Document Centre 460/470/480/490 and Document Centre 535/545/555 ESS/ Network Controller could potentially permit unauthorized access.
    > Download Software Update
    (zip archive 8.4M)

    Xerox Security Bulletin XRX04-008 (PDF 32.9K)
    May 02, 2005
    The information provided here is consistent with the security functional claims made regarding CopyCentre 65/75/90 and WorkCentre Pro 65/75/90 in the Security Target for Common Criteria Certification.

    Xerox Security Bulletin XRX05-005 (PDF 37.3K)
    April 13, 2005
    Vulnerability in the WorkCentre M35/M45/M55, WorkCentre M165/M175, WorkCentre Pro 32/40 Color, WorkCentre Pro 35/45/55/65/75/90 and WorkCentre Pro C2128/C2636/C3545 Xerox MicroServer Web Server could potentially permit unauthorized access.

    Note: The patch applies to launch level software only.
    > Download Software Update
    (zip archive 7.7M)

    No bulletin attachment found
    February 18, 2005
    Critical Security Update for Xerox DocuColor 7000/8000 XPe System Update Software (1H23O1)Version: 1.0
    System Updates is a print server service that keeps the system software on your print server up-to-date with the latest Microsoft security updates.
    Note: The prerequisite for System Updates functionality is to have patches 1-G88R5, and 1-G6ZLT installed on the Fiery.

    No bulletin attachment found
    February 18, 2005
    Critical Security Update for Xerox DocuColor 6060 XPe System Update Software (1H23O1)Version: 2.2
    System Updates is a print server service that keeps the system software on your print server up-to-date with the latest Microsoft security updates.
    Note: The prerequisite for System Updates functionality is to have patches 1-G88R5, and 1-G6ZLT installed on the Fiery.

    Xerox Security Bulletin XRX05-002 (PDF 23.9K)
    January 19, 2005
    Vulnerability in the WorkCentre M24 scanning/faxing software could expose personal information.

    Xerox Security Bulletin XRX05-001 (PDF 126.9K)
    January 14, 2005
    Vulnerability in the WorkCentre Pro Color 35/40 ESS/ Network Controller could potentially permit unauthorized access.
    > Download Software Update
    (zip archive 8.2M)

    2004

    Xerox Security Bulletin XRX04-010 (PDF 41K)
    December 20, 2004
    Vulnerability in the WorkCentre M35/M45/M45 and WorkCentre Pro 35/45/55/65/75/90 ESS/ Network Controller could potentially permit unauthorized access.
    > Download Software Update
    (zip archive 24.5M)

    Xerox Security Bulletin XRX04-006 (PDF 105.8K)
    August 31, 2004
    Vulnerability in the WorkCentre M35/M45/M55, WorkCentre Pro Color 32/40, and WorkCentre Pro 35/45/55 ESS/ Network Controller could cause Immediate Image Overwrite to fail in a specific instance with no indication after an unexpected power loss.
    > Download Software Update
    (zip archive 613.4K)

    Xerox Security Bulletin XRX04-007 (PDF 103.3K)
    August 31, 2004
    Vulnerability in the WorkCentre M35/M45/M55, WorkCentre Pro Color 322/40 and WorkCentre Pro 35/45/55 Xerox MicroServer Web Server could cause a denial of service.
    > Download Software Update
    (zip archive 2.1M)

    Xerox Security Bulletin XRX04-004 (PDF 99K)
    June 24, 2004
    Vulnerability in the WorkCentre M35/M45/M55, WorkCentre Pro Color 32/40, and WorkCentre Pro 35/45/55/65/75/90 ESS/ Network Controller could cause a denial of service.
    > Download Software Update
    (zip archive 27.2M)

    Xerox Security Bulletin XRX04-003 (PDF 148.9K)
    April 14, 2004
    WorkCentre Multifunction Devices (MFD) WorkCentre M35/M45/M55, WorkCentre Pro Color 32/40 and WorkCentre Pro 35/45/55/65/75/90 PostScript directory traversal patch.
    > Download Software Update
    (zip archive 5.4M)

    Xerox Security Bulletin XRX04-009 (PDF 35.4K)
    April 13, 2004
    Vulnerability in the http server on the WorkCentre M35/M45/M55, WorkCentre Pro Color 32/40 and WorkCentrePro 35/45/55/65/75/90 ESS/ Network Controller could potentially permit unauthorized access.
    > Download Software Update
    (zip archive 13.6K)

    Xerox Security Bulletin XRX04-002 (PDF 118.3K)
    March 10, 2004
    The Document Centre 220/230, Document Centre 240/255/265, Document Centre 332/340, Document Centre 420/425/432/440, Document Centre 460/470/480/490, Document Centre 535/545/555, WorkCentre M35/M45/M55, WorkCentre Pro Color 32/40, contain a Xerox MicroServer Web Server Vulnerability.
    > Download Software Update
    (zip archive 28.9M)