standard document - xerox security content · web viewtherefore a xerox device acquired on or...

Xerox Product Security The Heartbleed OpenSSL Vulnerability Version 1.1 April 15, 2014


Disclaimer

The information provided in this document is provided "as is" without warranty of any kind. Xerox Corporation disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Xerox Corporation be liable for any damages whatsoever resulting from user's use or disregard of the information provided in this document including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Xerox Corporation has been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential damages so the foregoing limitation may not apply.

The information in this bulletin is subject to change without notice.

©2014 Xerox Corporation. All rights reserved. Contents of this publication may not be reproduced in any form without permission of Xerox Corporation. XEROX®, XEROX and Design®, FreeFlow®, CentreWare®, Phaser®, ColorQube®, Document Centre®, WorkCentre®, and WorkCentre Pro® are trademarks of Xerox Corporation in the United States and/or other countries. Adobe® and PostScript® are registered trademarks or trademarks of Adobe Systems, Incorporated. All other trademarks are the property of their respective manufacturers. BR9733

Other company trademarks are also acknowledged.

Document Version: 1.1 (April 2014).


Table of Contents

Introduction
  An Important Point
  Recommended Actions
  Legend for Product Tables
Hardware Products
  Monochrome Product Table
  Color Product Table
Software Products MPS/XOS Tools
  Managed Services Product Tables
  General Markets Product Tables
  Web Content Product Tables
Software Products Operations Tools
  FreeFlow Print Server Tables
  FreeFlow Application Tables
Xerox.com Systems
  Account Management Applications
  Other web-based and Managed Print applications
Xerox Services Portals
  Services Applications


Introduction

A vulnerability has been discovered in OpenSSL cryptographic software versions 1.0.1 to 1.0.1f, which is widely used across the Internet for banking, investment, medical and other encrypted network traffic. The Heartbleed OpenSSL vulnerability works by allowing the certificate checking to be corrupted and traffic across a network to be monitored, which some have called eavesdropping. Obviously, this presents quite a large problem for anything done with encryption, especially over the Internet.

This document lists the Xerox products and whether or not they are affected by this issue.

An Important Point

This document contains products that Xerox currently sells and some that they have recently stopped selling. If your product is not listed, it is probably older and therefore would have a version of OpenSSL that is not susceptible to this vulnerability. The vulnerable version of OpenSSL was published April 19th 2012. The first vulnerable version of OpenSSL was made available in April of 2012. Therefore a Xerox device acquired on or before April of 2012 is not vulnerable.

Recommended Actions

To ensure data integrity, it is strongly recommended that the user contact organizations to ask whether they use OpenSSL and, if so, whether they have updated the version of OpenSSL for web transactions. If they have performed this action, you should then change your user name and/or your password for the account. There are extensions for web browsers that allow the checking of web sites to see if they use the vulnerable versions of OpenSSL.

If your product is not listed or is not listed as green NO below, you can check that SSL is not enabled on your product. Follow your product documentation or contact customer support if you need assistance. This document is being updated regularly; please check back frequently.

Legend for Product Tables

A third column with the explanations is provided below. In the remainder of the document, each table has only two columns.

Type of Product | Affected | Meaning
Product Name | NO | Product Not Affected by Vulnerability
Product Name | YES | Product Affected by Vulnerability
Product Name | UI | Product Under Investigation
Product Name | Details | Product requires more Details


Hardware Products

Monochrome Product Table

Monochrome Models | Affected
Phaser® 3010 | NO
Phaser® 3040 | NO
Phaser® 3250 | NO
Phaser® 3320 | NO
Phaser® 3610 | NO
Phaser® 3635 | NO
Phaser® 4600/4620/4622 | NO
Phaser® 5550 | NO
Phaser® 6125 | NO
WorkCentre® 3210/3220 | NO
WorkCentre® 3315/3325 | YES
Phaser® 3635MFP | NO
WorkCentre® 3045 | NO
WorkCentre® 3615 | NO
WorkCentre® 4250/4260 | NO
WorkCentre® 5135/5150 | NO
WorkCentre® 5325/5330/5335 | NO
WorkCentre® 5632/5638/5645/5655/5665/5675/5687 | NO
WorkCentre® 5740/5745/5755/5765/5775/5790 | NO
WorkCentre® 5845/5855/5865/5875/5890 | NO
WorkCentre® 6505 | NO
D95/D110/D125® Copier/Printer | NO
Xerox® D136® Copier/Printer and Printer | NO
DocuPrint® 425/850 | NO
DocuPrint® 500/1000CF | NO
DocuPrint® 525/1050CF | NO
Xerox 495CF | NO
Xerox 650/1300CF | NO


Color Product Table

Color Models | Affected
Phaser® 6010 | NO
Phaser® 6015 | NO
Phaser® 6128/6128MFP | NO
Phaser® 6130 | NO
Phaser® 6140 | NO
Phaser® 6180/6180MFP | NO
Phaser® 6280 | NO
Phaser® 6400 | NO
Phaser® 6500 | NO
Phaser® 6600 | NO
Phaser® 6700 | NO
Phaser® 7100 | NO
Phaser® 7500 | NO
Phaser® 7800 | NO
ColorQube® 8570/8870 | NO
ColorQube® 8700/8900 Xerox ConnectKey Controller | NO
ColorQube® 8700/8900 | NO
ColorQube® 9201/9202/9203 | NO
ColorQube® 9201/9202/9203 | NO
ColorQube® 9301/9302/9303 Xerox ConnectKey Controller | NO
WorkCentre® 6015 | NO
WorkCentre® 6505 | NO
WorkCentre® 6605 | NO
ColorQube® 8700 | NO
ColorQube® 8900 | NO
WorkCentre® 3550 | NO
WorkCentre® 6400 | NO
WorkCentre® 7120/7225 | NO
WorkCentre® 7220/7225 | NO
WorkCentre® 7425/7428/7435 | NO
WorkCentre® 7525/7530/7535.7545/7556 | NO
WorkCentre® 7655/7665/7675 | NO
WorkCentre® 7755/7765/7775 | NO
WorkCentre® 7830/7835/7845/7855 | NO
Xerox Color 550/560/570® | NO
Xerox Color C75/J75 Press® | NO


Software Products MPS/XOS Tools

Managed Services Product Tables

Managed Services Software | Affected
Xerox Device Agent | NO
Xerox Integration Servers | NO
Xerox Report Manager | NO
PagePack Assistant | NO
Xerox Profit & Loss Tool | NO
Xerox Services Manager Data Warehouse | NO
Auto Update Server | NO
Non Xerox Pricing Tool | NO
Tandoori | NO
Xerox Incident Killer | NO
Xerox Custom Authentication Server | NO
Xerox Office Productivity Advisor Import Tool | NO
Xerox Web Packager | NO
Xerox License Manager | NO
Xerox Asset Manager | NO
Xerox Help Desk | NO
SmartSend | NO
Xerox Export Agent | NO
Xerox Mobile Print Portal | NO
Xerox Services Manager Contract Adapter | NO
Page Pack Local Assistant | NO
Xerox Production Imaging Manager | NO
MPS Contractibility Catalog | NO
Xerox Print Awareness Tool | NO
AssetDB | NO
Smarter Configuration Optimizer | NO
Xerox Device Manager | NO
Xerox Job Ticket | NO
Xerox Models Database | NO
Xerox Mobile Print | NO
Xerox Optimization Tool | NO
Xerox Services Portal | NO
Fleet Management Portal / PagePack Center | NO
Managed Print Service API | NO
Print Services Sales Tool | NO
Xerox Device Data Collector | NO
Xerox Models & Pricing Server | NO
Xerox Print Agent | NO
Xerox Services Manager | NO
Xerox Transformation Manager | NO

General Markets Product Tables

General Markets Software | Affected
Xerox Device Agent Lite | NO
Xerox Device Agent Partner Edition | NO
CentreWare® Web | NO

Web Content Product Tables

Web Content Software | Affected
Xerox DocuShare® | NO
Xerox Content Management Services | NO


Software Products Operations Tools

FreeFlow Print Server Tables

FFPS Software | Affected
FreeFlow® Versions 7.X, 8.X and 9.X | NO
FreeFlow® Versions that use Solaris/Oracle 10.X (Repaired by Oracle patch) | NO

FreeFlow Application Tables

FreeFlow Applications Software | Affected
Confident Color | Details needed (Multi-Vendor Product)
FreeFlow® Core | NO
FreeFlow® Digital Publisher | NO
FreeFlow® Express to Print | NO
FreeFlow® Fleet Navigator | Details needed (Multi-Vendor Product)
FreeFlow® Makeready™ | NO
FreeFlow® Output Manager™ | NO
FreeFlow® Process Manager™ | NO
FreeFlow® Variable Information Suite | NO
GMC IntegratedPLUS Solution | NO
Xerox® IntegratedPLUS Automated Color Management | NO
Xerox® IntegratedPLUS Finishing Solution | NO
ProfitQuick™ | Details needed (Multi-Vendor Product)
Specialty Imaging | Details needed (Multi-Vendor Product)


Xerox.com Systems

Account Management Applications

As of Sunday, April 13th, Xerox servers have been patched and protected against the Heartbleed Bug. Our recommendation is to change your password, now that our environment has been remediated.

Note: Xerox.com identity management has a single sign-on, therefore you only need to change your password once for all listed account management applications.

Application Name | Previously Vulnerable | Patch loaded | Action Recommended
Meter Reads | YES | YES | Change password
Metered Supplies | YES | YES | Change password
Automatic Supplies Replenishment | YES | YES | Change password
My Supplies | YES | YES | Change password
MySupport | YES | YES | Change password
Online Invoicing – payment system | YES | YES | Change password
Recycling (GWA- Green World Alliance) | YES | YES | Change password
eBuyout | YES | YES | Change password
Order Status | YES | YES | Change password
Support & Drivers | YES | YES | Change password
Loyalty Program / Xerox Genuine Rewards | YES | YES | Change password
Purchase Order Management | YES | YES | Change password
Find Your Sales Rep | YES | YES | Change password
eCommerce (Open Market, private web ordering portals) | YES | YES | Change password

To change your password please visit:
United States - https://www.accounts.xerox.com/auth/remind.jsf?locale=en_US
Canada (English) - https://www.accounts.xerox.com/auth/remind.jsf?locale=en_CA
Canada (French) - https://www.accounts.xerox.com/auth/remind.jsf?locale=fr_CA


Other web-based and Managed Print applications

Application Name | Previously Vulnerable | Patch loaded | Action Recommended
Xerox Direct / Xerox Shop | NO | NO | NO
Xerox Europe Partner Configurator, Price lists, and SAVE | NO | NO | NO
Xerox Europe Online Supplies Store | NO | NO | NO
Xerox Europe Genuine Rewards | NO | NO | NO
Simple Secure Sign-on (S3) | NO | NO | NO
Xerox Partner Print Services (XPPS) | NO | NO | NO
European Reseller Accreditation | NO | NO | NO
European Trade-in | NO | NO | NO
European Reseller Easy Cashback | NO | NO | NO
European End User Offer claim system | NO | NO | NO
Reseller sites | YES | YES | Xerox is formulating a recommendation
Service Partner Tools and Resources | YES | YES | Change password
Service Contract Ordering Tool (SCOT) | YES | YES | Change password
Authorized Service Delivery | YES | YES | Change password
Authorized Service Providers | YES | YES | Change password
Xerox Remote Print Services (XRPS) | YES | YES | Change password
eConcierge | YES | YES | Change password
Free Color Printers | YES | YES | Change password

Xerox Services Portals

Services Applications

Application Name | Affected | Action Recommended
CPAS v5 | NO | NO
Cornerstone | NO | NO
Cornerstone for Salesforce (CFS) | NO | NO
Growth Edition (CSB) | NO | NO
CMS Customization Storefront | NO | NO
CMS Inner Circle | NO | NO
CA SDU – debit, credit card and client portal | NO | NO
Midas+ applications | NO | NO
