Xerox Security Bulletin XRX21-004
Xerox® FreeFlow® Print Server v2 / Windows® 10
Install Method: USB Media
Supports:
• Xerox® iGen®5 Press
• Xerox® Baltoro™ HF Production Inkjet Press
• Xerox® Brenva™ HD Production Inkjet Press
Deliverable: January 2021 Security Patch Update
Includes: OpenJDK 1.8.0-102021
Bulletin Date: February 8, 2021
1.0 Background
Microsoft® responds to US CERT advisory council notifications of Security vulnerabilities referred to as Common Vulnerabilities and Exposures (CVE’s) and develops patches that remediate the Security vulnerabilities that are applicable to Windows® 10 and components (e.g., Windows® Explorer®, .Net Framework®, etc.). The FreeFlow® Print Server organization has a dedicated development team, which actively reviews the US CERT advisory council CVE notifications and delivers Security patch updates from Microsoft® to remediate the threat of these Security risks for the FreeFlow® Print Server v2 / Windows® v10 (supporting the Integrated and Standalone platforms).
The FreeFlow® Print Server organization delivers Security Patch Updates for the FreeFlow® Print Server v2 / Windows® v10 platform on a quarterly (i.e., 4 times a year) basis. The FreeFlow® Print Server engineering team receives new patch updates in January, April, July and October, and will test them for supported Printer products (such as iGen®5 printers) prior to delivery for customer install.
Xerox tests FreeFlow® Print Server operations with the patch updates to ensure there are no software issues prior to installing them at a customer location. Alternatively, a customer can use Windows® Update to install patch updates directly from Microsoft®. If the customer manages their own patch install, the Xerox support team can suggest options to minimize the risk of FreeFlow® Print Server operation problems that could result from patch updates.
This bulletin announces the availability of the following:
1. January 2021 Security Patch Update
   • This supersedes the October 2020 Security Patch Update
2. OpenJDK 1.8.0-012021 Software
   • This supersedes JDK 1.8.0-102020 Software
3. Firefox v85.0 Software
   • This supersedes Firefox v81.0.2
See the US-CERT Common Vulnerability Exposures (CVE) list for OpenJDK 1.8.0-102021 software below:
OpenJDK 1.8.0-012021 Software Remediated US-CERT CVE’s
CVE-2020-14803
See US-CERT Common Vulnerability Exposures (CVE) for the January 2021 Security Patch Update in table below:
January 2021 Security Patch Update Remediated US-CERT CVE’s
| CVE-2020-0689 | CVE-2021-1653 | CVE-2021-1665 | CVE-2021-1679 | CVE-2021-1690 | CVE-2021-1702 |
| CVE-2020-0733 | CVE-2021-1654 | CVE-2021-1666 | CVE-2021-1680 | CVE-2021-1692 | CVE-2021-1704 |
| CVE-2021-1637 | CVE-2021-1655 | CVE-2021-1667 | CVE-2021-1681 | CVE-2021-1693 | CVE-2021-1706 |
| CVE-2021-1642 | CVE-2021-1656 | CVE-2021-1668 | CVE-2021-1683 | CVE-2021-1694 | CVE-2021-1708 |
| CVE-2021-1645 | CVE-2021-1657 | CVE-2021-1669 | CVE-2021-1684 | CVE-2021-1695 | CVE-2021-1709 |
| CVE-2021-1648 | CVE-2021-1658 | CVE-2021-1671 | CVE-2021-1685 | CVE-2021-1696 | CVE-2021-1710 |
| CVE-2021-1649 | CVE-2021-1659 | CVE-2021-1673 | CVE-2021-1686 | CVE-2021-1697 | |
| CVE-2021-1650 | CVE-2021-1660 | CVE-2021-1674 | CVE-2021-1687 | CVE-2021-1699 | |
| CVE-2021-1651 | CVE-2021-1661 | CVE-2021-1676 | CVE-2021-1688 | CVE-2021-1700 | |
| CVE-2021-1652 | CVE-2021-1664 | CVE-2021-1678 | CVE-2021-1689 | CVE-2021-1701 | |
See the US-CERT Common Vulnerability Exposures (CVE) list for the Firefox v85.0 software below:
Firefox v85.0 Software Remediated US-CERT CVE’s
| CVE-2020-15999 | CVE-2020-26955 | CVE-2020-26964 | CVE-2020-26974 | CVE-2020-35114 | CVE-2021-23962 |
| CVE-2020-16012 | CVE-2020-26956 | CVE-2020-26965 | CVE-2020-26975 | CVE-2021-23953 | CVE-2021-23963 |
| CVE-2020-16042 | CVE-2020-26957 | CVE-2020-26966 | CVE-2020-26976 | CVE-2021-23954 | CVE-2021-23964 |
| CVE-2020-16044 | CVE-2020-26958 | CVE-2020-26967 | CVE-2020-26977 | CVE-2021-23955 | CVE-2021-23965 |
| CVE-2020-26950 | CVE-2020-26959 | CVE-2020-26968 | CVE-2020-26978 | CVE-2021-23956 | |
| CVE-2020-26951 | CVE-2020-26960 | CVE-2020-26969 | CVE-2020-26979 | CVE-2021-23957 | |
| CVE-2020-26952 | CVE-2020-26961 | CVE-2020-26971 | CVE-2020-35111 | CVE-2021-23958 | |
| CVE-2020-26953 | CVE-2020-26962 | CVE-2020-26972 | CVE-2020-35112 | CVE-2021-23959 | |
| CVE-2020-26954 | CVE-2020-26963 | CVE-2020-26973 | CVE-2020-35113 | CVE-2021-23960 | |
Note: Xerox recommends that customers evaluate their security needs periodically and if they need Security patches to address the above CVE issues, schedule an activity with their Xerox Service team to install this announced Security Patch Update. The customer can manage their own Security Patch Updates using Windows® Update services, but we recommend checking with Xerox Service to reduce risk of installing patches that have not been tested by Xerox.
2.0 Applicability
This January 2021 Security Patch Update (including OpenJDK 1.8.0-102021 software and Firefox v85.0 patches) is available for the FreeFlow® Print Server v2 Software Release running on Windows® v10 OS. The FreeFlow® Print Server software releases tested with the January 2021 Security Patch Update installed are listed per printer product below:
| Printer Products | Patch Update Tested Releases |
| iGen®5 Press | CP.24.0.18201.0 |
| Baltoro™ HF Inkjet | CP.24.0.19114.0 |
| Brenva™ HD Inkjet | CP.24.0.19119.0 |
All of the listed printer products were tested with each of the releases listed.
Security of the network, devices and information on a customer network may be a consideration when deciding whether to use the USB or Windows® Update method of Security Patch Update delivery and install. Delivery and install of the Security Patch Update using Update Manager may still be a concern for some highly “secure” customer locations such as US Federal and State Government sites. Alternatively, delivery and install of Security Patch Updates from USB media may be more