Xerox XRX21-004 User Manual

Xerox Security Bulletin XRX21-004

Xerox® FreeFlow® Print Server v2 / Windows® 10

Install Method: USB Media

Supports:

Xerox® iGen®5 Press

Xerox® Baltoro™ HF Production Inkjet Press

Xerox® Brenva™ HD Production Inkjet Press

Deliverable: January 2021 Security Patch Update

Includes: OpenJDK 1.8.0-102021

Bulletin Date: February 8, 2021

1.0 Background

Microsoft® responds to US CERT advisory council notifications of Security vulnerabilities referred to as Common Vulnerabilities and Exposures (CVE’s) and develops patches that remediate the Security vulnerabilities that are applicable to Windows® 10 and components (e.g., Windows® Explorer®, .Net Framework®, etc.). The FreeFlow® Print Server organization has a dedicated development team, which actively reviews the US CERT advisory council CVE notifications and delivers Security patch updates from Microsoft® to remediate the threat of these Security risks for the FreeFlow® Print Server v2 / Windows® v10 (supporting the Integrated and Standalone platforms).

The FreeFlow® Print Server organization delivers Security Patch Updates on the FreeFlow® Print Server v2 / Windows® v10 platform on a quarterly (i.e., 4 times a year) basis. The FreeFlow® Print Server engineering team receives new patch updates in January, April, July and October, and will test them for supported Printer products (such as iGen®5 printers) prior to delivery for customer install.

Xerox tests FreeFlow® Print Server operations with the patch updates to ensure there are no software issues prior to installing them at a customer location. Alternatively, a customer can use Windows® Update to install patch updates directly from Microsoft®. If the customer manages their own patch install, the Xerox support team can suggest options to minimize the risk of FreeFlow® Print Server operation problems that could result from patch updates.

This bulletin announces the availability of the following:

1. January 2021 Security Patch Update

This supersedes the October 2020 Security Patch Update

2. OpenJDK 1.8.0-012021 Software

This supersedes JDK 1.8.0-102020 Software

3. Firefox v85.0 Software

This supersedes Firefox v81.0.2

See the US-CERT Common Vulnerability Exposures (CVE) list for OpenJDK 1.8.0-102021 software below:

OpenJDK 1.8.0-012021 Software Remediated US-CERT CVE’s

CVE-2020-14803


See the US-CERT Common Vulnerability Exposures (CVE) list for the January 2021 Security Patch Update in the table below:

January 2021 Security Patch Update Remediated US-CERT CVE’s

CVE-2020-0689  CVE-2021-1653  CVE-2021-1665  CVE-2021-1679  CVE-2021-1690  CVE-2021-1702
CVE-2020-0733  CVE-2021-1654  CVE-2021-1666  CVE-2021-1680  CVE-2021-1692  CVE-2021-1704
CVE-2021-1637  CVE-2021-1655  CVE-2021-1667  CVE-2021-1681  CVE-2021-1693  CVE-2021-1706
CVE-2021-1642  CVE-2021-1656  CVE-2021-1668  CVE-2021-1683  CVE-2021-1694  CVE-2021-1708
CVE-2021-1645  CVE-2021-1657  CVE-2021-1669  CVE-2021-1684  CVE-2021-1695  CVE-2021-1709
CVE-2021-1648  CVE-2021-1658  CVE-2021-1671  CVE-2021-1685  CVE-2021-1696  CVE-2021-1710
CVE-2021-1649  CVE-2021-1659  CVE-2021-1673  CVE-2021-1686  CVE-2021-1697
CVE-2021-1650  CVE-2021-1660  CVE-2021-1674  CVE-2021-1687  CVE-2021-1699
CVE-2021-1651  CVE-2021-1661  CVE-2021-1676  CVE-2021-1688  CVE-2021-1700
CVE-2021-1652  CVE-2021-1664  CVE-2021-1678  CVE-2021-1689  CVE-2021-1701

See the US-CERT Common Vulnerability Exposures (CVE) list for the Firefox v85.0 software below:

Firefox v85.0 Software Remediated US-CERT CVE’s

CVE-2020-15999  CVE-2020-26955  CVE-2020-26964  CVE-2020-26974  CVE-2020-35114  CVE-2021-23962
CVE-2020-16012  CVE-2020-26956  CVE-2020-26965  CVE-2020-26975  CVE-2021-23953  CVE-2021-23963
CVE-2020-16042  CVE-2020-26957  CVE-2020-26966  CVE-2020-26976  CVE-2021-23954  CVE-2021-23964
CVE-2020-16044  CVE-2020-26958  CVE-2020-26967  CVE-2020-26977  CVE-2021-23955  CVE-2021-23965
CVE-2020-26950  CVE-2020-26959  CVE-2020-26968  CVE-2020-26978  CVE-2021-23956
CVE-2020-26951  CVE-2020-26960  CVE-2020-26969  CVE-2020-26979  CVE-2021-23957
CVE-2020-26952  CVE-2020-26961  CVE-2020-26971  CVE-2020-35111  CVE-2021-23958
CVE-2020-26953  CVE-2020-26962  CVE-2020-26972  CVE-2020-35112  CVE-2021-23959
CVE-2020-26954  CVE-2020-26963  CVE-2020-26973  CVE-2020-35113  CVE-2021-23960

Note: Xerox recommends that customers evaluate their security needs periodically and if they need Security patches to address the above CVE issues, schedule an activity with their Xerox Service team to install this announced Security Patch Update. The customer can manage their own Security Patch Updates using Windows® Update services, but we recommend checking with Xerox Service to reduce risk of installing patches that have not been tested by Xerox.

2.0 Applicability

This January 2021 Security Patch Update (including OpenJDK 1.8.0-102021 software, and Firefox v85.0 Patches) is available for the FreeFlow® Print Server v2 Software Release running on Windows® v10 OS. The FreeFlow® Print Server software releases tested with the January 2021 Security Patch Update installed, and the printer products they were tested on, are listed below:

Printer Products: iGen®5 Press, Baltoro™ HF Inkjet, Brenva™ HD Inkjet

Patch Update Tested Releases: CP.24.0.18201.0, CP.24.0.19114.0, CP.24.0.19119.0

All of the listed printer products were tested with each of the releases listed.

Security of the network, devices and information on a customer network may be a consideration when deciding whether to use the USB, or Windows® Update method of Security Patch Update delivery and install. Delivery and install of the Security Patch Update using Update Manager may still be a concern for some highly “secure” customer locations such as US Federal and State Government sites. Alternatively, delivery and install of Security Patch Updates from USB media may be more
