Product Security Guidance

2014

Xerox Security Bulletin XRX14-007 V1.0 (PDF 316.3K)
November 06, 2014
FreeFlow Print Server v6, v7, v8 and v9
DocuSP Print Server v5
Bash/Shellshock Security Patch
v1.0

Background

This bulletin announces the availability of the following:
1.Bash Security Patch
The Bash/Shellshock patch for FFPS is now available on the Xerox Download Server (aka DMS). The patch is available on the DMS server for all FFPS Releases v7, v8, and v9. (For FFPS v6 and DocuSP 5, refer to the section below). The patch is not mandatory but will be included in future Security Patch Cluster releases. This patch has no dependency on prior-released Security Patch Clusters.

Security vulnerabilities that are remediated with this FFPS Security patch are:
CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278

2.Guide to Using the FFPS Software Update Manager
Customers can download this patch from the Xerox Download Server and install on FFPS using the FFPS Software Update Manager. This feature is included in the FFPS v7, v8, and v9 software releases. Use of the Update Manager requires that the System Administrator has some Unix/Linux/Solaris skills, and experience starting the Command Line (terminal window) tool on the FFPS UI.
The announcement is here:
http://www.xerox.com/information-security/information-security-articles-whitepapers/miss-enus.html

The User Guide document is available for download at this URL:
http://www.xerox.com/download/security/white-paper/eb628-5070df5f278f6/UserGuideForFFPS_SoftwareUpdateManager_Oct2014_v1.0.pdf
If a customer has difficulty performing these procedures, they should contact their local Xerox Service representative for further guidance.

Patch Installation for FFPS v6 and DocuSP v5
Because the FFPS Software Update tool is not available for the FFPS v6 and DocuSP v5 products, the patch must be provided by a Xerox CSE or Analyst. Please contact your local Xerox Service representative to request the patch file and if appropriate, schedule an action to have the patch installed. Because this patch is not mandatory and there is very little risk of vulnerability with FFPS, the action should be scheduled at a mutually-convenient time


Xerox Security Bulletin XRX14-006 V1.0 (PDF 997.1K)
October 30, 2014
Xerox Security Bulletin XRX14-006
Bash Shellshock Command Line Interpreter Vulnerability
v1.0
10/31/14


Background
A vulnerability has been discovered in the Bash command shell that can allow attackers to remotely execute commands on a target system. Even systems that don’t allow remote command shell connections may still use Bash to execute commands in the Apache web server and other network-facing applications. Unix and Unix-derived systems like Linux and Mac OS X are vulnerable to these attacks since they use Bash as the default command shell.

A Bash Shellshock document addressing this vulnerability has been posted to the URL www.xerox.com/security.



Xerox Security Bulletin XRX14-005 V1.2 (PDF 1M)
October 28, 2014
Xerox Security Bulletin XRX14-005
Bash Shellshock Command Line Interpreter Vulnerability
v1.2
10/28/14


Background
A vulnerability has been discovered in the Bash command shell that can allow attackers to remotely execute commands on a target system. Even systems that don’t allow remote command shell connections may still use Bash to execute commands in the Apache web server and other network-facing applications. Unix and Unix-derived systems like Linux and Mac OS X are vulnerable to these attacks since they use Bash as the default command shell.

A Bash Shellshock document addressing this vulnerability has been posted to the URL www.xerox.com/security.


Xerox Mini Security Bulletin XRX14F v1.0 (PDF 251.9K)
September 17, 2014
NOTE: This Bulletin is ONLY intended for the specific security problem(s) rated as IMPORTANT for the following products.

WorkCentre 5736
WorkCentre 5740
WorkCentre 5745
WorkCentre 5755
WorkCentre 5765
WorkCentre 5775
WorkCentre 5790


Xerox Mini Security Bulletin XRX14E v1.0 (PDF 100.3K)
September 17, 2014

Xerox Mini Security Bulletin XRX14C v1.0 (PDF 101.3K)
September 16, 2014

Xerox Security Bulletin XRX14-004 v1.0 (PDF 715.7K)
June 16, 2014
FreeFlow Print Server v7, v8 and v9
April 2014 Security Patch Cluster


Background
Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support Contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

This bulletin announces the availability of the following:

1. April 2014 Security Patch Cluster
This supersedes the January 2014 Security Patch Cluster
2. Java 6 Update 75 Software
This supersedes Java 6 Update 71 Software


Xerox Mini Security Bulletin XRX14B v1.1 (PDF 249K)
June 12, 2014
NOTE: This Bulletin was re-released to correct an error. No Service Call is needed for installation of this software.

ColorQube 8700/8900
ColorQube 9301/9302/9303
WorkCentre 5845/5855/5865/5875/5890
WorkCentre 7220/7225
WorkCentre 7830/7835/7845/7855


Xerox Mini Security Bulletin XRX14D v1.0 (PDF 196.2K)
June 10, 2014
Purpose
Inform our Xerox Customers of an issue that has minor security implications.


Xerox Mini Security Bulletin XRX14A v1.0 (PDF 453.1K)
May 20, 2014
NOTE: This Bulletin is ONLY intended for the specific security problem(s) rated as critical for the following products.

WorkCentre 5736
WorkCentre 5740
WorkCentre 5745
WorkCentre 5755
WorkCentre 5765
WorkCentre 5775
WorkCentre 5790


Xerox Security Bulletin XRX14-003 v1.0 (PDF 668.7K)
April 22, 2014
Software Release to Eliminate SQL Injection Vulnerability

An SQL injection vulnerability exists that, if exploited, could allow remote attackers to insert arbitrary code into the applicable software application. If successful, an attacker could make unauthorized changes to, damage or delete database tables and values.

A set of software “hotfixes” for the software application listed below have been provided that removes this vulnerability. These “hotfixes” are designed to be installed by the customer. The software “hotfixes” are contained in .tar files for Linux and Solaris or .exe/. jar files for Windows and can be accessed via the link to the DocuShare Support & Software Page (http://www.support.xerox.com/support/xerox-docushare/software/enus.htm) or via the links in this bulletin.

Affected Products:
Windows Server 2003 & Windows Server 2008:
DocuShare 6.5.3 Patch 6 -- DocuShare 6.5.3 Patch 6 Hotfix 2 for Windows Server

Windows Server 2008 x64 & Windows Server 2008 x64:
DocuShare 6.5.3 Patch 6 -- DocuShare 6.5.3 Patch 6 Hotfix 2 for Windows Server
DocuShare 6.6.1 Update 1-- DocuShare 6.6.1 Update 1 Hotfix 24 for Windows Server
DocuShare 6.6.1 Update 2 -- DocuShare 6.6.1 Update 2 Hotfix 3 for Windows Server

Windows Server 2012 R2 & Windows Server 2012 x64:
DocuShare 6.6.1 Update 1-- DocuShare 6.6.1 Update 1 Hotfix 24 for Windows Server
DocuShare 6.6.1 Update 2 -- DocuShare 6.6.1 Update 2 Hotfix 3 for Windows Server

Linux:
DocuShare 6.5.3 Patch 6 -- DocuShare 6.5.3 Patch 6 Hotfix 2 for Linux
DocuShare 6.6.1 Update 2 -- DocuShare 6.6.1 Update 2 Hotfix 3 for Linux

Unix & Solaris:

DocuShare 6.5.3 Patch 6 -- DocuShare 6.5.3 Patch 6 Hotfix 2 for Solaris UNIX
DocuShare 6.6.1 Update 2 -- DocuShare 6.6.1 Update 2 Hotfix 3 for Solaris UNIX



Xerox Security Bulletin XRX14-002 v1.0 (PDF 66.9K)
April 16, 2014
FreeFlow Print Server v7, v8 and v9
January 2014 Security Patch Cluster (includes Java 6 Update 71 Software)


Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support Contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

This bulletin announces the availability of the following:

1. Jan 2014 Security Patch Cluster
This supersedes the October 2013 Security Patch Cluster
2. Java 6 Update 71 Software
This supersedes Java 6 Update 65 Software


Xerox Security Bulletin XRX13-002 v1.1 (PDF 61.4K)
April 07, 2014
Cumulative update for Common Criteria Certification
System Software Version 061.080.221.36200 for the ColorQube 9201/9202/9203 Single Board Controller models is a cumulative update that incorporates security vulnerability fixes up through 06 Jan 2012 as well as other non-security related defect fixes. This release is Common Criteria certified (see http://www.xerox.com/information-security/common-criteria-certified/enus.html).

This system software release for the products listed below is designed to be installed by the customer. Please follow the procedures in the bulletin to install the solution. This system software version is a full system release so the patch criticality rating is not applicable.

The software release is compressed into a 441.3 MB zip file and can be accessed via the link in this bulletin document.

Xerox Security Bulletin XRX14-001 v1.1 (PDF 61.4K)
March 24, 2014
Cumulative update for Common Criteria Certification

System Software Version 071.161.203.15600 for the ColorQube 8700/8900 Xerox ConnectKey Controller models is a cumulative update that incorporates security vulnerability fixes up through 10 Jun 2013 as well as other non-security related defect fixes. This release is Common Criteria certified (see http://www.xerox.com/information-security/common-criteria-certified/enus.html).

This system software release for the products listed below is designed to be installed by the customer. Please follow the procedures below to install the solution. This system software version is a full system release so the patch criticality rating is not applicable.

The software release is compressed into a 378.1 MB zip file and can be accessed via the link in this bulletin.

2013

Xerox Security Bulletin XRX13-006 v1.3 (PDF 101.3K)
November 07, 2013
NOTE: This bulletin has been updated to correct software procedure error in the ColorQube 93XX devices. Contact Xerox Technical Support to obtain system software release 071.180.203.06400 and the instructions for installing this release; if your current system software release is 061.180.223.11601 or less there are interim steps that have to be followed before you can upgrade your device to system software release 071.180.203.06400. A new version of the bulletin will be published once the new information becomes available.


Cumulative update for Common Criteria Certification
System Software Versions listed below for the WorkCentre 5845/5855/5865/5875/5890, WorkCentre 7220/7225, WorkCentre 7830/7835/7845/7855 and ColorQube 9301/9302/9303 models are cumulative updates that incorporate security vulnerability fixes up through 06 March 2013 as well as other non-security related defect fixes. These four releases are Common Criteria certified (see http://www.xerox.com/information-security/common-criteria-certified/enus.html).

These system software releases for the products listed are designed to be installed by the customer. Please follow the procedures in the bulletin document to install the solution. The system software versions are full system releases so the patch criticality rating is not applicable.

These software releases are compressed into zip files and can be accessed via the links in the bulletin document.

.

Xerox Security Bulletin XRX13-008 v1.0 (PDF 82.3K)
October 24, 2013
Software Release to Eliminate Unauthorized Access

Note: This bulletin has been re-issued to correct a typographical error in the URL string for one of the product ZIP files.

The Xerox products ColorQube 9201/9202/9203, WorkCentre 6400, WorkCentre 7525/7530/7535/7545/7556, and WorkCentre 7755/7765/7775 contain code for implementing a remote protocol that could be exploited to gain unauthorized access to the device.

The software release indicated in the bulletin will perform the following action:
Remove the affected code that unintentionally created the unauthorized access potential.

A software release for the products listed has been provided. This release is designed to be installed by the customer. The software release is contained in a zip file and can be accessed via the links in this bulletin announcement or on http://www.xerox.com/information-security/security-bulletins-by-year/enus.html.


Xerox Security Bulletin XRX13-007 v1.0 (PDF 72K)
August 27, 2013
FreeFlow Print Server v7, v8 and v9
July 2013 Security Patch Cluster (includes Java 6 Update 51 Software)


Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support Contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

This bulletin announces the availability of the following:

1. July 2013 Security Patch Cluster
This supersedes the April 2013 Security Patch Cluster
2. Java 6 Update 51 Software
This supersedes Java 6 Update 45 Software

Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.


Xerox Security Bulletin XRX13-006 v1.2 (PDF 96.8K)
June 27, 2013
NOTE: The new version 1.2 of this bulletin has been updated to detail a software procedure error in the ColorQube 93XX devices. The process to update a ColorQube 93XX device to the Common Criteria Certified version of software may require an extra step depending on the current software version. The details are contained in the bulletin along with an updated link to the CCC version of software.


Cumulative update for Common Criteria Certification
System Software Versions listed below for the WorkCentre 5845/5855/5865/5875/5890, WorkCentre 7220/7225, WorkCentre 7830/7835/7845/7855 and ColorQube 9301/9302/9303 models are cumulative updates that incorporate security vulnerability fixes up through 06 March 2013 as well as other non-security related defect fixes. These four releases are Common Criteria certified (see http://www.xerox.com/information-security/common-criteria-certified/enus.html).

These system software releases for the products listed are designed to be installed by the customer. Please follow the procedures in the bulletin document to install the solution. The system software versions are full system releases so the patch criticality rating is not applicable.

These software releases are compressed into zip files and can be accessed via the links in the bulletin document(Xerox Security Bulletin XRX13-006 v1.2) above.

.

Xerox Security Bulletin XRX13-005 v1.0 (PDF 63.4K)
April 11, 2013
Cumulative update for Common Criteria Certification
System Software Version 061.090.221.36202 for the WorkCentre 7755/7765/7775 models is a cumulative update that incorporates security vulnerability fixes up through 19 Oct 2012 as well as other non-security related defect fixes. This release is Common Criteria certified (see http://www.xerox.com/information-security/common-criteria-certified/enus.html).

This system software release for the products listed is designed to be installed by the customer. Please follow the procedures in the bulletin document to install the solution. This system software version is a full system release so the patch criticality rating is not applicable.

The software release is compressed into a 237.9 MB zip file and can be accessed via the link below or via the link contained in the bulletin announcement on www.xerox.com/security.

http://www.xerox.com/downloads/usa/en/c/cert_061_090_221_36202.zip


Xerox Security Bulletin XRX13-004 v1.0 (PDF 90K)
April 02, 2013
FreeFlow Print Server v7
January 2013 Security Patch Cluster (includes Java 6 Update 39 Software)

Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

This bulletin announces the availability of the following:

1. January 2013 Security Patch Cluster
This supersedes the October 2012 Security Patch Cluster
2. Java 6 Update 39 Software
This supersedes Java 6 Update 37 Software

Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.


Xerox Security Bulletin XRX12-005 V1.1 (PDF 103.3K)
March 25, 2013
The Xerox devices ColorQube® 9201/9202/9203, ColorQube® 9301/9302/9303, WorkCentre® 232/238/245/255/265/275, WorkCentre® 5030/5050, WorkCentre® 5135/5150, WorkCentre® 5632/5638/5645/5655/5665/5675/5687, WorkCentre® 5735/5740/5745/5755/5765/5775/5790, WorkCentre® 6400, WorkCentre® 7525/7530/7535/7545/7556, WorkCentre® 7655/7665/7675, WorkCentre® 7755/7765/7775, WorkCentre® Bookmark 40/55, WorkCentre Pro® 232/238/245/255/265/275 were shipped with certain protocols enabled that, if properly exploited, could be used to gain
unauthorized access to the system. These particular protocols should not have been present in the production configuration and need to be removed from that configuration to minimize the possibility of unauthorized system access.

A software solution (patch P49) is provided for the products listed. This solution will remove from the production configuration the unwanted protocols in question so they can’t be exploited to gain unauthorized access to the system.

This solution is designed to be installed by the customer. The software solution is compressed into a 3 KB zip file and can be accessed via the link below or via the link following this bulletin announcement on http://www.xerox.com/security.

Software available through this link:
> cert_P49v1_Patch2.zip
(zip archive 2.5K)

Xerox Security Bulletin XRX13-003 v1.0 (PDF 88.6K)
February 27, 2013
FreeFlow Print Server v8
January 2013 Security Patch Cluster (includes Java 6 Update 37 Software)

Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

This bulletin announces the availability of the following:

1. January 2013 Security Patch Cluster
This supersedes the October 2012 Security Patch Cluster
2. Java 6 Update 37 Software
This supersedes Java 6 Update 33 Software

Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.


Xerox Security Bulletin XRX13-002 v1.0 (PDF 57.9K)
February 04, 2013
Cumulative update for Common Criteria Certification
System Software Version 061.050.221.36200 for the ColorQube 9201/9202/9203 models is a cumulative update that incorporates security vulnerability fixes up through 06 Jan 2012 as well as other non-security related defect fixes. This release is Common Criteria certified (see http://www.xerox.com/information-security/common-criteria-certified/enus.html).

This system software release for the products listed below is designed to be installed by the customer. Please follow the procedures in the bulletin to install the solution. This system software version is a full system release so the patch criticality rating is not applicable.

The software release is compressed into a 441.3 MB zip file and can be accessed via the link below or via the link following this bulletin announcement on www.xerox.com/security.

http://www.xerox.com/downloads/usa/en/c/cert_061_050_221_36200.zip.


Xerox Security Bulletin XRX13-001 v1.0 (PDF 57.3K)
January 30, 2013
Cumulative update for Common Criteria Certification
System Software Version 071.160.222.23700 for the ColorQube 8700/8900 models is a cumulative update that incorporates security vulnerability fixes up through 29 Aug 2012 as well as other non-security related defect fixes. This release is Common Criteria certified (see http://www.xerox.com/information-security/common-criteria-certified/enus.html).

This system software release for the products listed is designed to be installed by the customer. Please follow the procedures in the bulletin to install the solution. This system software version is a full system release so the patch criticality rating is not applicable.

The software release is compressed into a 479.3 MB zip file and can be accessed via the link below or via the link inside the bulletin.

http://www.xerox.com/downloads/usa/en/c/cert_071.160.222.23700.zip


2012

Xerox Security Bulletin XRX12-011 v1.1 (PDF 86.6K)
November 29, 2012
Digital Signature of Software Upgrade Files
v1.1
NOTE: This bulletin was reissued at version 1.1 to remove the Phaser 3635MFP. An issue with the Phaser 3635MFP will be resolved in a future version of this bulletin.


The Xerox products Phaser 3600, Phasers 4600/4620 and the WorkCentre 3550 were shipped without the ability to accept software upgrade files with digital signatures. The ability to accept only software upgrade files with digital signatures has been added for the indicated products. In addition, the indicated products now include the software upgrade setting in the Configuration Report and have added the capability to enable/disable software upgrade via SNMP.

Firmware solutions that will now only accept software upgrades files with digital signatures have been provided. These solutions are designed to be installed by the customer. The firmware solutions can be accessed via the links below or via the links in this bulletin announcement on: http://www.xerox.com/security

Phaser 3600: http://www.support.xerox.com/support/_all-products/file-download/enus.html?contentId=122549
Phaser 4600/4620: http://www.support.xerox.com/support/phaser-4600-4620/downloads/enza.html?operatingSystem=win7
WorkCentre 3550: http://www.support.xerox.com/support/workcentre-3550/downloads/enza.html?operatingSystem=win7


Xerox Security Bulletin XRX12-009 v1.1 (PDF 90.7K)
October 29, 2012
FreeFlow Print Server v7.3
July 2012 Security Patch Cluster (includes Java 6 Update 33 Software)


NOTE: This document has been updated to provide corrected file size and checksum information.


Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

This bulletin announces the availability of the following:
1. July 2012 Security Patch Cluster
This supersedes the April 2012 Security Patch Cluster
2. Java 6 Update 33 Software
This supersedes Java 6 Update 31 Software

Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.


Xerox Security Bulletin XRX12-010 v1.1 (PDF 91.2K)
October 23, 2012
FreeFlow Print Server v8
July 2012 Security Patch Cluster (includes Java 6 Update 33 Software)
v1.1

NOTE: This bulletin has been re-issued to update file size and checksum information.

Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

This bulletin announces the availability of the following:
1. July 2012 Security Patch Cluster
This supersedes the April 2012 Security Patch Cluster
2. Java 6 Update 33 Software
This supersedes Java 6 Update 31 Software

Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.


Xerox Security Bulletin XRX12-008 v1.0 (PDF 63.2K)
October 15, 2012
Cumulative update for Common Criteria Certification
System Software Version 061.132.222.03800 for the WorkCentre 5735/5740/5745/5755/5765/5775/5790 models is a cumulative update that incorporates security vulnerability fixes up through 09 Feb 2012 as well as other non-security related defect fixes. This release is Common Criteria certified (see http://www.xerox.com/information-security/common-criteria-certified/enus.html).

This system software release for the products listed is designed to be installed by the customer. This system software version is a full system release so the patch criticality rating is not applicable. The software release is compressed into a 295.9 MB zip file and can be accessed via the link below or via the link contained in the bulletin.
http://a400.g.akamai.net/7/400/5566/v0001/xerox.download.akamai.com/5566/cert_061_132_222_03800.zip.


Xerox Security Bulletin XRX12-012 v1.0 (PDF 71.6K)
October 08, 2012
The Xerox Phaser 7800 product was shipped with software upgrades enabled by default and with network protocols enabled that could be exploited to gain unauthorized access to the system.

NOTE: If Software Upgrade is currently disabled on the desired device. it must be enabled prior to installation of this software patch.

The software release indicated below will perform the following action:
• Change the default state of software upgrade to disabled. After installing this firmware/software, software upgrade will be
disabled. It can be re-enabled at the Web UI when necessary.
• Remove protocols that were not intended to be present in the production configuration.

Details about this bulletin and other Xerox Product Security features can be found at the Xerox Security
website: http://www.xerox.com/security

The the link to this software needed to upgrade your Phaser 7800 can be found inside the bulletin document or can be downloaded from this link:
http://www.support.xerox.com/go/getfile.asp?objid=122181&EULA=28&Xtype=download&uType=


Xerox Security Bulletin XRX12-007 V1.1 (PDF 1M)
October 02, 2012
Disable software upgrades by default

NOTE: This bulletin has been re-posted as an additional product, the WorkCentre 6015N/I has been included.

The Xerox Phaser 6010, Phaser 6125, Phaser 6128MFP, Phaser 6130, Phaser 6140, Phaser 6180, Phaser 6180MFP, Phaser 6280, Phaser 6500, WorkCentre 3045NI, WorkCentre 6015N/I and the WorkCentre 6505 were shipped with software upgrades enabled by default. The firmware release which changes this default can be downloaded via the links inside the bulletin document. These firmware solutions are classified as Moderate updates.

NOTE: If software upgrade had previously been disabled, software upgrade must be ENABLED on the device at the Local User Interface before this firmware version can be loaded.

Please follow the instructions starting on page 2 for each affected product to install these firmware solutions.


Xerox Security Bulletin XRX12-006 v1.0 (PDF 89.3K)
July 03, 2012
FreeFlow Print Server
April 2012 OS and Security Patch Cluster (includes Java 6 Update 31 Software)


Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support contracts (FSMA). Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

This bulletin announces the availability of the following:
1. April 2012 Security Patch Cluster
This supersedes the January 2012 Security Patch Cluster
2. Java 6 Update 31 Software
This supersedes Java 6 Update 29 Software

Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.


Xerox Security Bulletin XRX12-004 V1.0 (PDF 64.5K)
May 07, 2012
The vulnerability documented in CVE-2011-3192 exists in the Web Server of the WorkCentre 5135/5150, and the WorkCentre 5632/5638/5645/5655/5665/5675/5687 models. If exploited the vulnerability could allow remote attackers to create a Denial of Service on the device.

A software solution (patch P50) is provided below. This solution is designed to be installed by the customer. Please follow the procedures in the bulletin to install the solution to protect your product from possible attack through the network.

The software solution is compressed into an 5.2 MB zip file and can be accessed via the link below or via the link following this bulletin announcement on www.xerox.com/security.
> cert_P50v2_WC56xx08_Patch
(zip archive 5.2M)

Xerox Security Bulletin XRX12-002 v1.1 (PDF 82.7K)
March 07, 2012
FreeFlow Print Server (version 7.3)
Oracle January 2012 CPU OS and Security Patch Cluster (includes Java 6 Update 29 Software)


NOTE: We have released a new version of this bulletin to correct file size specifications and checksum information. No other technical information has been changed.

Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support contracts (FSMA). Xerox customizes the patch deliveries as appropriate to each FFPS Product family, and tests the CPU patches on each supported SPAR Release prior to delivery. Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.


Xerox Security Bulletin XRX12-003 v1.1 (PDF 185.5K)
March 07, 2012
NOTE: We are re-issuing this bulletin due to a spelling error of the name of one of the researchers. No technical content in the bulletin has changed.

Vulnerabilities exist that, if exploited, could allow remote attackers to insert arbitrary code into the device. This could occur with a specifically crafted Postscript or firmware job submitted to the device. If successful, an attacker could make unauthorized changes to the system configuration; however, customer and user passwords are not exposed.

As part of Xerox’s on-going efforts to protect customers, the ability to accept these specially crafted jobs can be disabled for the affected products listed in the bulletin. Links for the software needed are contained inside the bulletin.


Xerox Security Bulletin XRX12-001 (PDF 104.2K)
February 29, 2012
System Software Version 061.121.221.28308 for the WorkCentre 7525/7530/7535/7545/7556 models is a cumulative update that incorporates several security vulnerability fixes as well as other non-security related defect fixes. This release is Common Criteria certified see http://www.xerox.com/information-security/common-criteria-certified/enus.html.

This system software release for the products listed is designed to be installed by the customer. Please follow the procedures in the bulletin to install the solution. This system software version is a full system release so the patch criticality rating is not applicable. You may download the software using the link in the Bulletin or from here.


2011

Xerox Security Bulletin XRX11-004 (PDF 73.4K)
October 07, 2011
A vulnerability exists that, if exploited, could allow remote attackers to bypass local authentication. This could occur with a specially crafted sequence of commands entered through the Web User Interface. If successful, an attacker could make unauthorized changes to the system configuration; however, customer and user passwords are not exposed. A patch file P48 is provided for the ColorQube 9301/9302/9301.
> cert_CQ93xx_P48v1_Patch.zip
(zip archive 9.3M)

Are MFD devices a Security Threat Bulletin (PDF 413.6K)
September 07, 2011
At DEFCON, a new presentation for an existing problem has resurfaced. Read the document above for the details.

Xerox Security Bulletin XRX11-003 (PDF 71.8K)
August 28, 2011
FreeFlow Print Server
Oracle July 2011 CPU OS and Security Patch Cluster (includes Java 6 Update 26 Software)

Oracle delivers quarterly Critical Patch Updates (CPU) to address US-CERT-announced Security vulnerabilities and deliver reliability improvements to the Solaris Operating System. Oracle no longer provides these patches to the general public, but Xerox is authorized to deliver them to Customers with active FreeFlow Print Server (FFPS) Support contracts (FSMA). Xerox customizes the patch deliveries as appropriate to each FFPS Product family, and tests the CPU patches on each supported SPAR Release prior to delivery. Customers who may have an Oracle Support Contract for their non-FFPS Solaris Servers should not install patches that have not been customized by Xerox. Otherwise the FFPS software could be damaged and result in downtime and a lengthy re-installation service call.

Consult the bulletin to see all the CVE vulnerabilities this bulletin fixes.


Xerox Security Bulletin XRX11-002 (PDF 92K)
March 25, 2011
A vulnerability documented in CVE-2010-2063 exists that, if exploited, could allow remote attackers to execute arbitrary code via specially crafted fields in a Service Message Block (SMB) packet. This could occur with buffer overflows in the Samba third-party code that handles file and printer sharing services for SMB clients (including Xerox MFD devices). If successful, an attacker could make unauthorized changes to the system configuration; however, customer and user passwords are not exposed. This vulnerability affects only the printer sharing services.
> Download the Software Update for the WorkCentre 5735/5740/5745/5755/5765/5775/5790
(zip archive 1.4M)

Xerox Security Bulletin XRX11-001 (PDF 89.7K)
February 04, 2011
A command injection vulnerability exists in the Web Server of the WorkCentre 7655/7665/7675. If exploited, the vulnerability could allow remote attackers to execute arbitrary code via carefully crafted inputs on the affected web page. Customer and user passwords are not exposed. A software solution (patch P45) is provided for the WorkCentre 7655/7665/7675.
> Download the Software Update for the WorkCentre 7655/7665/7675
(zip archive 1M)

2010

Xerox Security Bulletin XRX10-005 (PDF 79.9K)
December 10, 2010
A software defect exists in the WorkCentre 5735/5740/5745/5755/5765/5775/5790 with the scan to email function that can result in two different scan to email documents being merged into one document. This issue is most likely to occur on devices with a color scanner when scanning complex documents at higher resolutions.
> Download the System Software for the WorkCentre 5735/5740/5745/5755/5765/5775/5790
(zip archive 624.4K)

Xerox Security Bulletin XRX10-003 (PDF 57.9K)
November 29, 2010
Original Release June 18, 2010
System Software Version 021.120.060.00015 for the WorkCentre 5632-5687 Multi-Board controller and WorkCentre 5135/5150 models and System Software Version 025.054.060.00015 for the 5632-5655 Single Board controller models is a cumulative update that incorporates several security vulnerability fixes as well as other non-security related defect fixes. Both devices have been recertified to Common Criteria EAL Level 3. Both releases have been submitted for Common Criteria certification, which is expected to be completed by September 2010.
> Download System Software Release for the Multi-Board Controller (MBC) products
(zip archive 106.1M)

Xerox Security Bulletin XRX10-004 (PDF 46.6K)
October 29, 2010
A vulnerability exists in the firmware for the Xerox 4595 Copier/Printer. If exploited, this vulnerability could cause a denial of service condition that causes the device to restart. Customer and user passwords are not exposed. This firmware release can only be installed by a Xerox Customer Support Engineer; please contact the Xerox Support Center to schedule the installation.


> Download the System Software for the Xerox 4595 Copier/Printer without PostScript Installed
(zip archive 20.4M)

Xerox Security Bulletin XRX08-010 (PDF 155.5K)
August 06, 2010
A Denial of Service vulnerability exists in the Phaser 6100, Phaser 6200, Phaser 7300, Phaser 7750, and Phaser 8400. If exploited, this vulnerability could allow malicious users to cause the device to restart, thus effectively denying service to legitimate users.


Xerox Security Bulletin XRX10-002 (PDF 113K)
March 29, 2010
Original Release January 22, 2010
Vulnerabilities exist in the Network Controller and Web Server of the WorkCentre 5632/5638/5645/5655/5665/5675/5687, WorkCentre 5030/5050, WorkCentre 5135/5150, WorkCentre 6400, WorkCentre 7655/7665/7675, WorkCentre 7755/7765/7775, WorkCentre/WorkCentre Pro 232/238/245/255/265/275 and ColorQube 9201/9202/9203 products. If exploited these vulnerabilities could permit an attacker to either bypass Scan to Mailbox authorization to access mailboxes stored on the device or bypass web server authorization to view device configuration settings. Customer and user passwords are not exposed.


> Download Software Update for the WorkCentre, WorkCentre Pro and ColorQube products listed above
(zip archive 2.5M)

Xerox Security Bulletin XRX10-001 (PDF 75.8K)
January 22, 2010
A vulnerability exists in the Network Controller of the WorkCentre 6400. If exploited the vulnerability could potentially permit unauthorized access to the Network Controller directory structure via a carefully constructed PostScript file.
> Download Software Update for the WorkCentre 6400
(zip archive 5.1M)

2009

Xerox Security Bulletin XRX09-004 (PDF 83.5K)
September 18, 2009
Original Release September 1, 2009
An LPD protocol handling vulnerability exists in the firmware for the WorkCentre 7232/7242, the WorkCentre 7328/7335/7345/7346, and the WorkCentre 7425/7428/7435. If exploited, this vulnerability could cause a denial of service by crashing the device, although power cycling the device will recover from this attack. Customer and user passwords are not exposed.


Xerox Security Bulletin XRX09-002 (PDF 73.9K)
May 15, 2009
A command injection vulnerability exists in the web server of the WorkCentre/WorkCentrePro 232/238/245/255/265/275, the WorkCentre 7655/7665/7675, and the WorkCentre 5632/5638/5645/5655/5675/5687. if exploited, the vulnerability could allow remote attackers to execute arbitrary code via carefully crafted inputs on the affected web page. Customer and user passwords are not exposed.
> Download Software Update for WorkCentre/WorkCentrePro 232/238/245/255/265/275, WorkCentre 7655/7665/7675, and WorkCentre 5632/5638/5645/5655/5675/5687
(zip archive 7.9M)

Xerox Security Bulletin XRX09-001 (PDF 74.2K)
January 30, 2009
A command injection vulnerability exists in the web server of the WorkCentre/WorkCentre Pro 232/238/245/255/265/275 and the WorkCentre 5632/5638/5645/5655/5665/5675/5687. If exploited, the vulnerability could allow remote attackers to execute arbitrary code via carefully crafted inputs on the affected web page. Customer and user passwords are not exposed.


> Download Software Update for WorkCentre/WorkCentre Pro 232/238/245/255/265/275 and WorkCentre 5632/5638/5645/5655/5665/5675/5687
(zip archive 162.6K)

Xerox Security Bulletin XRX09-003 (PDF 82.9K)
January 22, 2009
Second Release September 29, 2009
Original Release August 28, 2009
A vulnerability exists in the web servers of the WorkCentre 5030/5050, the WorkCentre 5135/5150, the WorkCentre 5632/5638/5645/5655/5665/5675/5687, the WorkCentre 7655/7665/7675, the WorkCentre 6400, and the ColorQube 9201/9202/9203. If exploited when SSL is not enabled on the device, the vulnerability could allow remote attackers to obtain unauthorized access to device configuration settings, possibly exposing customer passwords

NOTE: The original version of the P39 patch required a manual reboot after installation. This version of the patch automatically performs a re-boot upon installation.


> Download Software Update for the WorkCentre and ColorQube products listed above
(zip archive 11.4K)

2008

Xerox Security Bulletin XRX08-009 (PDF 104.4K)
October 16, 2008
A vulnerability exists in the WorkCentre Pro 232/238/245/255/265/275, WorkCentre 232/238/245/255/265/275, WorkCentre 7655/7665/7675, and WorkCentre 5632/5638/5645/5655/5665/5675/5687 ESS/Network Controller that, if exploited, could allow remote attackers to execute arbitrary code via specially crafted Remove Service Message Block (SMB) responses. This could occur with buffer overflows and un-validated user input in the Samba third-party code that handles file and printer sharing services for SMB clients (including Xerox MFD devices).

If successful, an attacker could make unauthorized changes to the system configuration; however, customer and user passwords are not exposed. This vulnerability affects only the printer sharing services.


> Download Software Update for WorkCentre Pro 232/238/245/255/265/275, WorkCentre 232/238/245/255/265/275, WorkCentre 7655/7665/7675, and WorkCentre 5632/5638/5645/5655/5665/5675/5687
(zip archive 6.6M)

Xerox Security Bulletin XRX08-008 (PDF 39.1K)
July 09, 2008
CentreWare Web has been found to be vulnerable to a set of potential SQL Injection and Cross Site Scripting vulnerabilities. If exploited, these vulnerabilities could allow an attacker to make unauthorized changes to CentreWare Web or asset data, or redirect user browsing sessions.


Xerox Security Bulletin XRX08-005 (PDF 1M)
June 12, 2008
A persistent cross site scripting vulnerability exists in the web server of the WorkCentre M123/M128, WorkCentre 133, WorkCentre Pro 123/128 and WorkCentre Pro 133. If exploited, this vulnerability could allow code injection by malicious web users into the web pages viewed by other users.
Download Software Update: Refer to the XRX08-005 Security Bulletin to determine which file to download.


> Group 2 Languages with Postscript Executable
(zip archive 21.3M)
> Group 1 Languages with Postscript Executable
(zip archive 21.6M)
> Group 3 Languages with Postscript Executable
(zip archive 14.9M)
> Group 2 Languages Standard Executable
(zip archive 16.6M)
> Group 3 Languages Standard Executable
(zip archive 15.8M)

Xerox Security Bulletin XRX08-006 (PDF 42.5K)
June 12, 2008
A vulnerability exists in the Web Services of the WorkCentre 7655/7665/7675 when attempting to access the Extensible Interface Platform feature under certain conditions. If exploited, this vulnerability could allow an attacker unauthorized access to make changes to the system configuration.


> Download Software Update for WorkCentre 7655/7665/7675
(zip archive 46.8M)

Xerox Security Bulletin XRX08-007 (PDF 48.7K)
June 12, 2008
A persistent cross site scripting vulnerability exists in the web server of the Xerox 4110 Copier/Printer, the Xerox 4590 Copier/Printer, and the Xerox 4595 Copier/Printer. If exploited, this vulnerability could allow code injection by malicious web users into the web pages viewed by other users.


> Download Software Update for Xerox 4110/4590/4595
(zip archive 27.4M)
> Download Install Instructions
(PDF 845.5K)

Xerox Security Bulletin XRX08-004 (PDF 1M)
May 22, 2008
A persistent cross site scripting vulnerability exists in the web server of the WorkCentre 7132 and WorkCentre 7228/7235/7245. If exploited, this vulnerability could allow code injection by malicious web users into the web pages viewed by other users.

Download Software Update: Refer to the XRX08-004 Security Bulletin to determine which file to download.


> WorkCentre 7132 with Postscript Binary
(zip archive 25.8M)
> WorkCentre 7132 with Postscript Executable
(zip archive 27.7M)
> WorkCentre 7132 Standard Binary
(zip archive 20.4M)
> WorkCentre 7132 Standard Executable
(zip archive 22.3M)
> WorkCentre 7228/7235/7245 Binary
(zip archive 39.4M)
> WorkCentre 7228/7235/7245 Executable
(zip archive 41.3M)

Xerox Security Bulletin XRX08-003 (PDF 27.9K)
March 28, 2008
As part of Xerox’s on-going efforts to protect customers, a patch is being provided for customers interested in the Common Criteria Certified version, 21.113.02.000, for the WorkCentre 56xx products that adds improved audit logging to meet the requirements of NIAP Policy #15.


> Download Software Update for WorkCentre 56xx products
(zip archive 19.6M)

Xerox Security Bulletin XRX08-001 (PDF 40.6K)
January 04, 2008
Vulnerabilities exist in the WorkCentre 232/238/245/255/265/275, WorkCentre Pro 232/238/245/255/265/275, and WorkCentre 7655/7665 ESS/Network Controller that, if exploited, could allow remote attackers to execute arbitrary code via specially crafted Remote Procedure Call (RPC) requests.


> Download Software Update for WorkCentre 232/238/245/255/265/275, WorkCentre Pro 232/238/245/255/265/275, and WorkCentre 7655/7665
(zip archive 8M)

2007

Xerox Security Bulletin XRX06-005 (PDF 144K)
October 15, 2007
Vulnerability in the ESS / Network Controller and MicroServer Web Server could allow remote execution of arbitrary software.

This bulletin been superseded by XRX07-002. Download Permanently Unavailable


Xerox Security Bulletin XRX07-002 (PDF 42.5K)
October 15, 2007
A command injection vulnerability exists in the WorkCentre 232/238/245/255/265/275, WorkCentre Pro 232/238/245/255/265/275, and WorkCentre 7655/7665 ESS/ Network Controller and MicroServer Web Server. If exploited, this vulnerability could allow remote execution of arbitrary software.


> Download Software Update for WorkCentre 232/238/245/255/265/275, WorkCentre Pro 232/238/245/255/265/275, and WorkCentre 7655/7665
(zip archive 1.1M)

Xerox Security Bulletin XRX07-001 (PDF 43.7K)
August 30, 2007
A command injection vulnerability exists in the WorkCentre 232/238/245/255/265/275, WorkCentre Pro 232/238/245/255/265/275, and WorkCentre 7655/7665 ESS/ Network Controller that, if exploited, could allow remote execution of arbitrary software, forgery of digital certificates, or initiation of Denial of Service attacks.


> Download Software Update
(zip archive 989.4K)

Xerox Security Bulletin XRX06-003 (PDF 19.7K)
July 27, 2007
Cumulative update for Common Criteria Assurance Maintenance.

Note: This bulletin has been superseded by XRX06-006.


Xerox Security Bulletin XRX06-006 (PDF 31.8K)
July 26, 2007
Cumulative update to address multiple security vulnerabilities.


2006

Xerox Security Bulletin XRX06-002 (PDF 43.6K)
October 25, 2006
System software versions available to address denial of service and other vulnerabilities in the ESS.


Xerox Security Bulletin XRX06-007 (PDF 228.1K)
October 15, 2006
A command injection vulnerability exists in the ESS/ Network Controller and MicroServer Web Server. If exploited this vulnerability could allow remote execution of arbitrary software.

This bulletin has been rescinded and is no longer valid. Software Download permanently unavailable


Xerox Security Bulletin XRX06-004 (PDF 47.4K)
October 04, 2006
Cumulative update to address multiple security vulnerabilities.


Xerox Security Bulletin XRX06-001 (PDF 37.4K)
April 24, 2006
Vulnerabilities in the ESS/ Network Controller and MicroServer Web Server could potentially permit unauthorized access.

Note: This bulletin has been superseded by XRX06-003.


2005

Xerox Security Bulletin XRX05-007 (PDF 102.7K)
August 25, 2005
Vulnerabilities in the WorkCentre M35/M45/M55, WorkCentre M165/175 and the WorkCentre Pro 32/40 Color, WorkCentre 35/45/55/65/75/90 and WorkCentre Pro 165/175 Xerox MicroServer Web Server could potentially permit unauthorized access.


> Download Software Update
(zip archive 1.6M)

Xerox Security Bulletin XRX05-008 (PDF 69.5K)
August 10, 2005
Vulnerabilities in the Document Centre 240/255/265, Document Centre 420/425/428/430/432/440, Document Centre 460/470/480/490, and Document Centre 535/545/555 Xerox MicroServer Web Server could potentially permit unauthorized access.


> Download Software Update
(zip archive 2.6M)

Xerox Security Bulletin XRX05-009 (PDF 42.3K)
August 10, 2005
Vulnerabilities in the Document Centre 220/230 and Document Centre 332/340 Xerox MicroServer Web Server could potentially permit unauthorized access.


> Download Software Update
(zip archive 517.4K)

Xerox Security Bulletin XRX05-006 (PDF 41.9K)
August 04, 2005
Vulnerabilities in the WorkCentre Pro C2128/2636/3545 Xerox MicroServer Web Server could potentially permit unauthorized access.


> Download Software Update
(zip archive 581K)

Xerox Security Bulletin XRX05-003 (PDF 54.1K)
June 13, 2005
Vulnerability in the Document Centre 240/255/265, Document Centre 460/470/480/490 and Document Centre 535/545/555 http server on the ESS/ Network Controller could potentially permit unauthorized access.


> Download Software Update
(zip archive 97.7K)

Xerox Security Bulletin XRX05-004 (PDF 53.7K)
June 13, 2005
Vulnerability in the Document Centre 420/425/426/430/432/440, Document Centre 470/480/490, and Document Centre 535/545/555 Xerox MicroServer Web Server could cause a denial of service.


> Download Software Update
(zip archive 2.1M)

Xerox Security Bulletin XRX04-005 (PDF 67.2K)
June 07, 2005
Vulnerability in the Document Centre 220/230, Document Centre 240/255/265, Document Centre 332/340, Document Centre 420/425/426/430/432/440, Document Centre 460/470/480/490 and Document Centre 535/545/555 ESS/ Network Controller could potentially permit unauthorized access.


> Download Software Update
(zip archive 8.4M)

Xerox Security Bulletin XRX04-008 (PDF 32.9K)
May 02, 2005
The information provided here is consistent with the security functional claims made regarding CopyCentre 65/75/90 and WorkCentre Pro 65/75/90 in the Security Target for Common Criteria Certification.


Xerox Security Bulletin XRX05-005 (PDF 37.3K)
April 13, 2005
Vulnerability in the WorkCentre M35/M45/M55, WorkCentre M165/M175, WorkCentre Pro 32/40 Color, WorkCentre Pro 35/45/55/65/75/90 and WorkCentre Pro C2128/C2636/C3545 Xerox MicroServer Web Server could potentially permit unauthorized access.

Note: The patch applies to launch level software only.


> Download Software Update
(zip archive 7.7M)

No bulletin attachment found
February 18, 2005
Critical Security Update for Xerox DocuColor 7000/8000 XPe System Update Software (1H23O1)Version: 1.0
System Updates is a print server service that keeps the system software on your print server up-to-date with the latest Microsoft security updates.
Note: The prerequisite for System Updates functionality is to have patches 1-G88R5, and 1-G6ZLT installed on the Fiery.

No bulletin attachment found
February 18, 2005
Critical Security Update for Xerox DocuColor 6060 XPe System Update Software (1H23O1)Version: 2.2
System Updates is a print server service that keeps the system software on your print server up-to-date with the latest Microsoft security updates.
Note: The prerequisite for System Updates functionality is to have patches 1-G88R5, and 1-G6ZLT installed on the Fiery.

Xerox Security Bulletin XRX05-002 (PDF 23.9K)
January 19, 2005
Vulnerability in the WorkCentre M24 scanning/faxing software could expose personal information.


Xerox Security Bulletin XRX05-001 (PDF 126.9K)
January 14, 2005
Vulnerability in the WorkCentre Pro Color 35/40 ESS/ Network Controller could potentially permit unauthorized access.


> Download Software Update
(zip archive 8.2M)

2004

Xerox Security Bulletin XRX04-010 (PDF 41K)
December 20, 2004
Vulnerability in the WorkCentre M35/M45/M45 and WorkCentre Pro 35/45/55/65/75/90 ESS/ Network Controller could potentially permit unauthorized access.


> Download Software Update
(zip archive 24.5M)

Xerox Security Bulletin XRX04-006 (PDF 105.8K)
August 31, 2004
Vulnerability in the WorkCentre M35/M45/M55, WorkCentre Pro Color 32/40, and WorkCentre Pro 35/45/55 ESS/ Network Controller could cause Immediate Image Overwrite to fail in a specific instance with no indication after an unexpected power loss.


> Download Software Update
(zip archive 613.4K)

Xerox Security Bulletin XRX04-007 (PDF 103.3K)
August 31, 2004
Vulnerability in the WorkCentre M35/M45/M55, WorkCentre Pro Color 322/40 and WorkCentre Pro 35/45/55 Xerox MicroServer Web Server could cause a denial of service.


> Download Software Update
(zip archive 2.1M)

Xerox Security Bulletin XRX04-004 (PDF 99K)
June 24, 2004
Vulnerability in the WorkCentre M35/M45/M55, WorkCentre Pro Color 32/40, and WorkCentre Pro 35/45/55/65/75/90 ESS/ Network Controller could cause a denial of service.


> Download Software Update
(zip archive 27.2M)

Xerox Security Bulletin XRX04-003 (PDF 148.9K)
April 14, 2004
WorkCentre Multifunction Devices (MFD) WorkCentre M35/M45/M55, WorkCentre Pro Color 32/40 and WorkCentre Pro 35/45/55/65/75/90 PostScript directory traversal patch.


> Download Software Update
(zip archive 5.4M)

Xerox Security Bulletin XRX04-009 (PDF 35.4K)
April 13, 2004
Vulnerability in the http server on the WorkCentre M35/M45/M55, WorkCentre Pro Color 32/40 and WorkCentrePro 35/45/55/65/75/90 ESS/ Network Controller could potentially permit unauthorized access.


> Download Software Update
(zip archive 13.6K)

Xerox Security Bulletin XRX04-002 (PDF 118.3K)
March 10, 2004
The Document Centre 220/230, Document Centre 240/255/265, Document Centre 332/340, Document Centre 420/425/432/440, Document Centre 460/470/480/490, Document Centre 535/545/555, WorkCentre M35/M45/M55, WorkCentre Pro Color 32/40, contain a Xerox MicroServer Web Server Vulnerability.


> Download Software Update
(zip archive 28.9M)