Xerox Product Security
The Heartbleed OpenSSL Vulnerability
Version 1.1
April 15, 2014
Disclaimer
The information provided in this document is provided "as is" without warranty of any kind. Xerox Corporation disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Xerox Corporation be liable for any damages whatsoever resulting from user's use or disregard of the information provided in this document including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Xerox Corporation has been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential damages so the foregoing limitation may not apply.
The information in this bulletin is subject to change without notice.
©2014 Xerox Corporation. All rights reserved. Contents of this publication may not be reproduced in any form without permission of Xerox Corporation. XEROX®, XEROX and Design®, FreeFlow®, CentreWare®, Phaser®, ColorQube®, Document Centre®, WorkCentre®, and WorkCentre Pro® are trademarks of Xerox Corporation in the United States and/or other countries. Adobe® and PostScript® are registered trademarks or trademarks of Adobe Systems, Incorporated. All other trademarks are the property of their respective manufacturers. BR9733
Other company trademarks are also acknowledged.
Document Version: 1.1 (April 2014).
Table of Contents
Introduction
  An Important Point
  Recommended Actions
  Legend for Product Tables
Hardware Products
  Monochrome Product Table
  Color Product Table
Software Products MPS/XOS Tools
  Managed Services Product Tables
  General Markets Product Tables
  Web Content Product Tables
Software Products Operations Tools
  FreeFlow Print Server Tables
  FreeFlow Application Tables
Xerox.com Systems
  Account Management Applications
  Other web-based and Managed Print applications
Xerox Services Portals
  Services Applications
Introduction
A vulnerability has been discovered in versions 1.0.1 to 1.0.1f of the OpenSSL cryptographic software, which is widely used across the Internet for banking, investment, medical and other encrypted network traffic. The Heartbleed OpenSSL vulnerability works by allowing the certificate checking to be corrupted and traffic across a network to be monitored, which some have called eavesdropping. Obviously, this presents quite a large problem for anything done with encryption, especially over the Internet.
This document lists the Xerox products and whether or not they are affected by this issue.
An Important Point
This document contains products that Xerox currently sells and some that it has recently stopped selling. If your product is not listed, it is probably older and therefore would have a version of OpenSSL that is not susceptible to this vulnerability. The first vulnerable version of OpenSSL was published April 19th 2012. Therefore a Xerox device acquired on or before April of 2012 is not vulnerable.
Recommended Actions
To ensure data integrity, it is strongly recommended that users contact organizations to ask whether they use OpenSSL and, if so, whether they have updated the version of OpenSSL used for web transactions. If they have performed this action, you should then change your user name and/or your password for the account. There are extensions for web browsers that check whether web sites use the vulnerable versions of OpenSSL.
If your product is not listed or is not listed as green NO below, you can check that SSL is not enabled on your product. Follow your product documentation or contact customer support if you need assistance. This document is being updated regularly; please check back frequently.
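
The following is an added example, not part of the Xerox bulletin: a first-pass check of collected OpenSSL version banners against the 1.0.1 to 1.0.1f range given in the Introduction. The host names and banner strings are constructed sample data, and the function names are hypothetical.

```python
import re

# Matches both "OpenSSL 1.0.1e-fips 11 Feb 2013" and "OpenSSL/1.0.1c" forms.
_VER = re.compile(r"OpenSSL[/ ](\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([a-z]+))?")

# Range stated in the bulletin: 1.0.1 (no letter) through 1.0.1f.
_RANGE_LETTERS = ("", "a", "b", "c", "d", "e", "f")

def classify(banner):
    """Classify a version banner against the bulletin's 1.0.1 to 1.0.1f range.

    Returns 'in-range', 'outside-range', 'review' (pre-release build, which
    the bulletin's range does not address) or 'unknown' (no version found).
    """
    m = _VER.search(banner)
    if m is None:
        return "unknown"
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, tag = m.group(4), m.group(5) or ""
    if tag in ("beta", "dev", "pre"):
        return "review"
    if release != (1, 0, 1):
        return "outside-range"
    return "in-range" if letter in _RANGE_LETTERS else "outside-range"

def audit(inventory):
    """Return (host, status) pairs, hosts needing follow-up first."""
    order = {"in-range": 0, "review": 1, "unknown": 2, "outside-range": 3}
    results = {host: classify(banner) for host, banner in inventory.items()}
    return sorted(results.items(), key=lambda kv: (order[kv[1]], kv[0]))

# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY = {
    "web01.example": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "web02.example": "Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.1c",
    "mail.example": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy.example": "OpenSSL 0.9.8y 5 Feb 2013",
    "lab.example": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "appliance.example": "HTTP server (version withheld)",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY):
        print(f"{host:20} {status}")
```

A version string is only a first filter: some distributions ship patched builds without changing the version letter, so an "in-range" result means the status should be confirmed with the vendor.
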
Legend for Product Tables
A third column with the explanations is provided below. In the remainder of the document, each table has only two columns.
| Type of Product | Affected | Meaning |
|---|---|---|
| Product Name | NO | Product Not Affected by Vulnerability |
| Product Name | YES | Product Affected by Vulnerability |
| Product Name | UI | Product Under Investigation |
| Product Name | Details | Product requires more Details |
Hardware Products
Monochrome Product Table
| Monochrome Models | Affected |
|---|---|
| Phaser® 3010 | NO |
| Phaser® 3040 | NO |
| Phaser® 3250 | NO |
| Phaser® 3320 | NO |
| Phaser® 3610 | NO |
| Phaser® 3635 | NO |
| Phaser® 4600/4620/4622 | NO |
| Phaser® 5550 | NO |
| Phaser® 6125 | NO |
| WorkCentre® 3210/3220 | NO |
| WorkCentre® 3315/3325 | YES |
| Phaser® 3635MFP | NO |
| WorkCentre® 3045 | NO |
| WorkCentre® 3615 | NO |
| WorkCentre® 4250/4260 | NO |
| WorkCentre® 5135/5150 | NO |
| WorkCentre® 5325/5330/5335 | NO |
| WorkCentre® 5632/5638/5645/5655/5665/5675/5687 | NO |
| WorkCentre® 5740/5745/5755/5765/5775/5790 | NO |
| WorkCentre® 5845/5855/5865/5875/5890 | NO |
| WorkCentre® 6505 | NO |
| D95/D110/D125® Copier/Printer | NO |
| Xerox® D136® Copier/Printer and Printer | NO |
| DocuPrint® 425/850 | NO |
| DocuPrint® 500/1000CF | NO |
| DocuPrint® 525/1050CF | NO |
| Xerox 495CF | NO |
| Xerox 650/1300CF | NO |
Color Product Table
| Color Models | Affected |
|---|---|
| Phaser® 6010 | NO |
| Phaser® 6015 | NO |
| Phaser® 6128/6128MFP | NO |
| Phaser® 6130 | NO |
| Phaser® 6140 | NO |
| Phaser® 6180/6180MFP | NO |
| Phaser® 6280 | NO |
| Phaser® 6400 | NO |
| Phaser® 6500 | NO |
| Phaser® 6600 | NO |
| Phaser® 6700 | NO |
| Phaser® 7100 | NO |
| Phaser® 7500 | NO |
| Phaser® 7800 | NO |
| ColorQube® 8570/8870 | NO |
| ColorQube® 8700/8900 Xerox ConnectKey Controller | NO |
| ColorQube® 8700/8900 | NO |
| ColorQube® 9201/9202/9203 | NO |
| ColorQube® 9201/9202/9203 | NO |
| ColorQube® 9301/9302/9303 Xerox ConnectKey Controller | NO |
| WorkCentre® 6015 | NO |
| WorkCentre® 6505 | NO |
| WorkCentre® 6605 | NO |
| ColorQube® 8700 | NO |
| ColorQube® 8900 | NO |
| WorkCentre® 3550 | NO |
| WorkCentre® 6400 | NO |
| WorkCentre® 7120/7225 | NO |
| WorkCentre® 7220/7225 | NO |
| WorkCentre® 7425/7428/7435 | NO |
| WorkCentre® 7525/7530/7535/7545/7556 | NO |
| WorkCentre® 7655/7665/7675 | NO |
| WorkCentre® 7755/7765/7775 | NO |
| WorkCentre® 7830/7835/7845/7855 | NO |
| Xerox Color 550/560/570® | NO |
| Xerox Color C75/J75 Press® | NO |
Software Products MPS/XOS Tools
Managed Services Product Tables
| Managed Services Software | Affected |
|---|---|
| Xerox Device Agent | NO |
| Xerox Integration Servers | NO |
| Xerox Report Manager | NO |
| PagePack Assistant | NO |
| Xerox Profit & Loss Tool | NO |
| Xerox Services Manager Data Warehouse | NO |
| Auto Update Server | NO |
| Non Xerox Pricing Tool | NO |
| Tandoori | NO |
| Xerox Incident Killer | NO |
| Xerox Custom Authentication Server | NO |
| Xerox Office Productivity Advisor Import Tool | NO |
| Xerox Web Packager | NO |
| Xerox License Manager | NO |
| Xerox Asset Manager | NO |
| Xerox Help Desk | NO |
| SmartSend | NO |
| Xerox Export Agent | NO |
| Xerox Mobile Print Portal | NO |
| Xerox Services Manager Contract Adapter | NO |
| Page Pack Local Assistant | NO |
| Xerox Production Imaging Manager | NO |
| MPS Contractibility Catalog | NO |
| Xerox Print Awareness Tool | NO |
| AssetDB | NO |
| Smarter Configuration Optimizer | NO |
| Xerox Device Manager | NO |
| Xerox Job Ticket | NO |
| Xerox Models Database | NO |
| Xerox Mobile Print | NO |
| Xerox Optimization Tool | NO |
| Xerox Services Portal | NO |
| Fleet Management Portal / PagePack Center | NO |
| Managed Print Service API | NO |
| Print Services Sales Tool | NO |
| Xerox Device Data Collector | NO |
| Xerox Models & Pricing Server | NO |
| Xerox Print Agent | NO |
| Xerox Services Manager | NO |
| Xerox Transformation Manager | NO |
General Markets Product Tables
| General Markets Software | Affected |
|---|---|
| Xerox Device Agent Lite | NO |
| Xerox Device Agent Partner Edition | NO |
| CentreWare® Web | NO |
Web Content Product Tables
| Web Content Software | Affected |
|---|---|
| Xerox DocuShare® | NO |
| Xerox Content Management Services | NO |
Software Products Operations Tools
FreeFlow Print Server Tables
| FFPS Software | Affected |
|---|---|
| FreeFlow® Versions 7.X, 8.X and 9.X | NO |
| FreeFlow® Versions that use Solaris/Oracle 10.X (Repaired by Oracle patch) | NO |
FreeFlow Application Tables
| FreeFlow Applications Software | Affected |
|---|---|
| Confident Color | Details needed (Multi-Vendor Product) |
| FreeFlow® Core | NO |
| FreeFlow® Digital Publisher | NO |
| FreeFlow® Express to Print | NO |
| FreeFlow® Fleet Navigator | Details needed (Multi-Vendor Product) |
| FreeFlow® Makeready™ | NO |
| FreeFlow® Output Manager™ | NO |
| FreeFlow® Process Manager™ | NO |
| FreeFlow® Variable Information Suite | NO |
| GMC IntegratedPLUS Solution | NO |
| Xerox® IntegratedPLUS Automated Color Management | NO |
| Xerox® IntegratedPLUS Finishing Solution | NO |
| ProfitQuick™ | Details needed (Multi-Vendor Product) |
| Specialty Imaging | Details needed (Multi-Vendor Product) |
Xerox.com Systems
Account Management Applications
As of Sunday, April 13th, Xerox servers have been patched and protected against the Heartbleed Bug. Our recommendation is to change your password, now that our environment has been remediated.
Note: Xerox.com identity management has a single sign-on; therefore you only need to change your password once for all listed account management applications.
| Application Name | Previously Vulnerable | Patch loaded | Action Recommended |
|---|---|---|---|
| Meter Reads | YES | YES | Change password |
| Metered Supplies | YES | YES | Change password |
| Automatic Supplies Replenishment | YES | YES | Change password |
| My Supplies | YES | YES | Change password |
| MySupport | YES | YES | Change password |
| Online Invoicing – payment system | YES | YES | Change password |
| Recycling (GWA- Green World Alliance) | YES | YES | Change password |
| eBuyout | YES | YES | Change password |
| Order Status | YES | YES | Change password |
| Support & Drivers | YES | YES | Change password |
| Loyalty Program / Xerox Genuine Rewards | YES | YES | Change password |
| Purchase Order Management | YES | YES | Change password |
| Find Your Sales Rep | YES | YES | Change password |
| eCommerce (Open Market, private web ordering portals) | YES | YES | Change password |
To change your password please visit:
United States: https://www.accounts.xerox.com/auth/remind.jsf?locale=en_US
Canada (English): https://www.accounts.xerox.com/auth/remind.jsf?locale=en_CA
Canada (French): https://www.accounts.xerox.com/auth/remind.jsf?locale=fr_CA
Other web-based and Managed Print applications
| Application Name | Previously Vulnerable | Patch loaded | Action Recommended |
|---|---|---|---|
| Xerox Direct / Xerox Shop | NO | NO | NO |
| Xerox Europe Partner Configurator, Price lists, and SAVE | NO | NO | NO |
| Xerox Europe Online Supplies Store | NO | NO | NO |
| Xerox Europe Genuine Rewards | NO | NO | NO |
| Simple Secure Sign-on (S3) | NO | NO | NO |
| Xerox Partner Print Services (XPPS) | NO | NO | NO |
| European Reseller Accreditation | NO | NO | NO |
| European Trade-in | NO | NO | NO |
| European Reseller Easy Cashback | NO | NO | NO |
| European End User Offer claim system | NO | NO | NO |
| Reseller sites | YES | YES | Xerox is formulating a recommendation |
| Service Partner Tools and Resources | YES | YES | Change password |
| Service Contract Ordering Tool (SCOT) | YES | YES | Change password |
| Authorized Service Delivery | YES | YES | Change password |
| Authorized Service Providers | YES | YES | Change password |
| Xerox Remote Print Services (XRPS) | YES | YES | Change password |
| eConcierge | YES | YES | Change password |
| Free Color Printers | YES | YES | Change password |
Xerox Services Portals
Services Applications
| Application Name | Affected | Action Recommended |
|---|---|---|
| CPAS v5 | NO | NO |
| Cornerstone | NO | NO |
| Cornerstone for Salesforce (CFS) | NO | NO |
| Growth Edition (CSB) | NO | NO |
| CMS Customization Storefront | NO | NO |
| CMS Inner Circle | NO | NO |
| CA SDU – debit, credit card and client portal | NO | NO |
| Midas+ applications | NO | NO |