Hinweisarchiv
Name & date | Vulnerability ID | Details |
Unauthenticated XMLRPC Functionality Sept 2023 |
CVE-2023-4568 | PaperCut Software is aware of Tenable's view on CVE-2023-4568, impacting PaperCut MF and NG. PaperCut has different perspectives and assessments. We do however echo the advice for customers to review their Options -> Advanced -> Security -> Allowed remote provider IP addresses, and/or firewall settings, to ensure security is appropriate for a given install (as detailed in the IP Address Allow-listing section of the Secure setup page). Tenable report: https://pt-br.tenable.com/security/research/tra-2023-31. |
GhostScript vulnerabilities August 2023 |
CVE-2023-36664 | Please see the GhostScript Vulnerabilities KB for more information. |
PaperCut Mobility Print Security Vulnerabilities August 2023 |
CVE-2023-2508 | CVE-2023-2508 - Address potential CSRF attack in Mobility Print There is an update available for PaperCut Mobility Print customers. Version 1.0.3582 and later contains fixes for these vulnerabilities. Please see the PaperCut MF/NG Security bulletin (August 2023) for more information. |
PaperCut MF/NG Security Vulnerabilities July 2023 |
CVE-2023-3486 ZDI-CAN-21013 CVE-2022-21724 |
CVE-2023-3486 - Potential Denial of Service Issue Unnamed - Chained Path Traversal in Authenticated API ZDI-CAN-21013 / CVE-2022-21724 - Third Party Library Update There is an update available for PaperCut MF/NG customers. Version 22.1.3 and later contains fixes for these vulnerabilities. Please see the PaperCut MF/NG Security bulletin (July 2023) for more information. Please note: these issues do not affect PaperCut Hive, PaperCut Pocket, Print Deploy, Mobility Print, or PaperCut User Clients. |
PaperCut MF/NG Security Vulnerabilities June 2023 |
CVE-2023-31046 (PO-1277) CVE-2023-2533 (PO-1366) CVE-2023-39469 (ZDI-CAN-20965) |
CVE-2023-31046 - Path traversal vulnerability CVE-2023-2533 - Cross-site request forgery vulnerability There is an update available for PaperCut MF/NG customers. Version 22.1.1 and later contains fixes for all of these vulnerabilities. Please see the PaperCut MF/NG Security bulletin (June 2023) for more information. Please note: these issues do not affect PaperCut Hive, PaperCut Pocket, Print Deploy, Mobility Print, or PaperCut User Clients. |
SpEL expression DoS in Spring Framework April 2023 |
CVE-2023-20863 CVE-2023-20861 |
The Spring framework is only used in PaperCut MF/NG. No other PaperCut products (including Multiverse, Mobility Print, Print Deploy, PaperCut Hive and Pocket) use Spring. There is limited product impact since SpEL expressions are used in a limited fashion within PaperCut MF/NG, and do not have direct user-input points. We aim to upgrade the Spring framework in use as part of our regular maintenance upgrades, in a future release of PaperCut MF and NG. See CVE-2023-20863 and CVE-2023-20861 for more information about the vulnerabilities. Please note that if you're running version 22.1.3 or later these will no longer get flagged, due to the Spring Framework upgrades included with PaperCut MF/NG version 22.1.3. |
Service Location Protocol (SLP) April 2023 |
CVE-2023-29552 | PaperCut products (including PaperCut MF/NG, Multiverse, Mobility Print, Print Deploy, PaperCut Hive and Pocket), do not use SLP functionality. Please check with your printer manufacturer or refer to your printer manufacturer online documentation regarding disabling the protocol. See CVE-2023-29552 for more information about the vulnerability. |
Spring double wildcard March 2023 |
CVE-2023-20860 | Is PaperCut impacted by the Spring double wildcard vulnerability CVE-2023-20860? No. The issue identified as Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860) does not impact PaperCut MF or NG. The “**” pattern is not used at all, and in addition the class in question is not used. We will be updating the Spring framework in use a part of our regular upgrades, in a future release of PaperCut MF and NG.Please note that if you're running version 22.1.3 or later these will no longer get flagged, due to the Spring Framework upgrades included with PaperCut MF/NG version 22.1.3. |
PaperCut MF/NG Security Vulnerabilities March 2023 |
CVE-2023-27350 ZDI-CAN-18987 (PO-1216) CVE-2023-27351 ZDI-CAN-19226 (PO-1219) |
We have received two vulnerability reports for a high severity and critical security issue in PaperCut MF/NG. We strongly recommend that customers upgrade Application Servers and Site Servers to version 22.0.9, or version 21.2.11 (if currently using version 21.x), or version 20.1.7 (if currently using version 20.x). Please note: these issues do not affect PaperCut Hive, PaperCut Pocket, Print Deploy, Mobility Print, or PaperCut User Clients. Please see the PaperCut MF/NG vulnerability bulletin (March 2023) for more information. |
XML external entity (XXE) injection vulnerability in XML-RPC.NET Dec 2022 |
CVE-2022-47514 | Is PaperCut impacted by CVE-2022-47514? No. While a PaperCut github repository is mentioned as a vendor on the National Vulnerability Database, this was an old repository (not linked to MF/NG code) used in some client API example code, and has since been deleted. There are no .NET binaries included with PaperCut NG or MF. If customers are administering PaperCut with .NET we recommend using the latest libraries as documented e.g. on Administering PaperCut with PowerShell. |
OpenSSL Vulnerabilities Nov 2022 |
CVE-2022-3602 CVE-2022-3786 CVE-2023-0286 |
Is PaperCut impacted by OpenSSL vulnerabilities? No. PaperCut has confirmed that neither PaperCut NG nor PaperCut MF are vulnerable to attack. OpenSSL is not in use in these products, so these products are not vulnerable to attack when using PaperCut NG/MF. Note that there have been several vulnerabilities related to OpenSSL, including CVE-2022-3602, CVE-2022-3786 and CVE-2023-0286, discovered in the OpenSSL library. Will this get flagged as a vulnerability when scanning PaperCut MF/NG? Potentially - depending on whether you are using OpenSSL libraries for other tasks and have therefore installed OpenSSL yourself. For example we mention the ability to use OpenSSL to manage certificates on our Mobility Print certificates and Print Deploy certificates instructions. OpenSSL is not packaged as part of the PaperCut NG/MF installation, so if you are using these / have installed these libraries, we recommend patching your OpenSSL tools as noted by the Open SSL advisory. Further updates: While there is no PaperCut product impact, and there are no product changes planned as a result, we are tracking vulnerability under our internal ID of [PC-18929]. We will update this page with other news as necessary. |
Text4Shell / TextShell Oct 2022 |
CVE-2022-42889 | Is PaperCut impacted by the Apache Commons Text vulnerability CVE-2022-42889? No. This critical vulnerability (CVE-2022-42889) has been discovered in Apache Commons Text class. PaperCut has confirmed that neither PaperCut NG nor PaperCut MF are vulnerable to attack: As detailed in the vendor advisory, the attack relies on the vulnerable class org.apache.commons.text.StringSubstitutor being included in the installation. PaperCut MF/NG do not ship with this class, so the attack cannot be performed successfully. As further reassurance, the required functionality for the attack is disabled by default in the product.Will this get flagged as a vulnerability when scanning PaperCut MF/NG? Potentially - depending on your vulnerability scanner. The scanner may pick up handlebars-4.1.2.jar and flag it as vulnerable. Even if this file gets flagged, due to the reasons above, the documented attack cannot be successful.What further changes are planned? Even though (as detailed above) the attack cannot be performed on a PaperCut NG/MF installation, we have upgraded handlebars.java to version 4.3.1 in PaperCut MF and NG version 22.0.9 (release reference PO-1096). This later version of handlebars contains a fix as documented by the vendor. |
Psychic Signatures April 2022 |
CVE-2022-21449 | Is PaperCut impacted by the Java vulnerability CVE-2022-21449? No. PaperCut MF/NG uses Java version 11 which is not impacted by this specific vulnerability according to the OpenJDK Advisory. versions 21.x, 20.x - Java 11.0.9.1 version 19.x - Java 11.0.2 While this specific vulnerability doesn’t impact PaperCut MF/NG, as a precaution (and to benefit from all the other fixes), we will update our JRE with the future 22.0 release. Note: the JRE has been updated to version 11.0.15 in version 22.0.3. See the 22.0.3 Release Notes for more information. |
PaperCut MF/NG Security Vulnerability May 2022 |
PC-18750 | We have received a vulnerability report for a high severity security issue in PaperCut MF/NG from version 19.2.1 through to the 21.2.8 release. High severity (CVSS V3.1 Score 8.1, AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) security vulnerability in PaperCut MF and some PaperCut NG installations. We strongly recommend that customers upgrade Application Servers and Site Servers to PaperCut versions 19.2.7 (if using 19.x), 20.1.6 (if using 20.x) or 21.2.10 (or the latest version). Please note: these issues do not affect PaperCut Hive, PaperCut Pocket, Print Deploy, Mobility Print, or PaperCut User Clients. Please see the PC-18750 Security Advisory for more information. |
SpringShell March 2022 |
CVE-2022-22965 also includes: CVE-2022-22950 CVE-2022-22970 CVE-2022-22971 |
Is PaperCut impacted by SpringShell/Spring4Shell? This critical vulnerability was disclosed on the 30th March 2022 and impacts the Spring framework. More information can be found on the Spring blog which also references the Spring Framework RCE. The proof of concept (POC) exploit explained in Spring’s blog post requires Apache Tomcat. While our products do use the Spring framework, we can confirm that none of the PaperCut products use Tomcat (for example our MF and NG products use Apache Jetty). However we believe it could only be a matter of time until exploits are developed for 3rd party products that we do use. To prevent this having an impact on our customers, we have proactively provided a fix in the latest maintenance releases. Additional code-fixes have been made in PaperCut versions 21.2.10, 20.1.6 and 19.2.7. Please see the Spring4Shell Security Advisory for more information. |
Improper Restriction of XML External Entity March 2022 |
CVE-2022-0839 | Is PaperCut impacted by CVE-2022-0839? Yes, however PaperCut MF and NG use YAML files for managing the liquibase change logs - not XML. These change log files are and should be considered trusted input and would require an attacker to have already compromised the server to leverage this issue. We are looking to upgrade to a patched version of liquibase in a future release, to completely close this vulnerability. |
Ghost script vulnerabilities March 2022 |
CVE-2019-14869 CVE-2019-14817 CVE-2019-14813 CVE-2019-14812 CVE-2019-14811 CVE-2019-10216 CVE-2020-16302 CVE-2020-16303 CVE-2020-16304 |
Is PaperCut impacted by vulnerabilities for Ghost script? Yes - these include: CVE-2019-14869, CVE-2019-14817, CVE-2019-14813, CVE-2019-14812, CVE-2019-14811, CVE-2019-10216, CVE-2020-16302, CVE-2020-16303, CVE-2020-16304. Please see the Ghost Script Vulnerabilities page for more information. |
Log4j 1.2 (SocketServer) Dec 2021 |
CVE-2019-17571 | Is PaperCut impacted by the Log4j 1.2 SocketServer vulnerability? No. Please see our Known Issue (PO-693) for more detail - but in summary, none of the PaperCut products use the SocketServer functionality, so customers are not vulnerable to this exploit. |
Log4Shell (RCE in log4j) Dec 2021 |
CVE-2021-44228 | Is PaperCut impacted by the Apache log4j Remote Code Execution vulnerability? Yes. Please see our in-depth Knowledgeable article on Remote code execution in Apache log4j (CVE-2021-44228) for more information, and workarounds. |
MS update KB5005408 (Smart card authentication) Sept 2021 |
CVE-2021-33764 | Is PaperCut impacted by the Microsoft update KB5005408 (Smart card authentication)? Microsoft has advised in the article on KB5005408 - Smart card authentication might cause print and scan failures that “Printing and scanning might fail when these devices use smart card (PIV) authentication”. Since PaperCut manages the connection to the device ourselves through the Java Virtual machine, all TLS connections and negotiations are direct with the PaperCut Java VM and not through Windows. This ultimately means that the update should not affect PaperCut or the device embedded by it, unless there is some different piece of 3rd Party software installed on the device that uses the Microsoft method. As a precaution it’s always recommended to test with a test device and test Application Server (even if that’s a test Application Server running on a laptop, connected to a test device) before upgrading your production environment. |
PrintNightmare June 2021 |
CVE-2021-1675 CVE-2021-34527 |
Is PaperCut affected by the “Windows Print Spooler Elevation of Privilege Vulnerability” (otherwise known as CVE-2021-1675 or CVE-2021-34527)? Please note that there is now (as of July 6, 2021) a security vulnerability patch available from Microsoft. We highly recommend installing this on all Windows servers running the print spooler service. For more information on this, and also on the subsequent impact of patches delivered by Microsoft in September and October 2021, we have detailed the impact to PaperCut applications in a new KB article: Impact on PaperCut Software due to the PrintNightmare vulnerability. |
Freak Jan 2015 |
CVE-2015-0204 | Is PaperCut affected by the SSL/TLS “FREAK” attack (CVE-2015-0204)? The “FREAK” attack allows a malicious man-in-the-middle to downgrade the strength of encryption used. This vulnerability applies to some SSL/TLS implementations. PaperCut uses recent versions of the Java platform which is not vulnerable to the FREAK attack. Customers running versions prior to version 14 should upgrade their servers as these later versions contain a more recent version of Java. |
Poodle Oct 2014 |
CVE-2014-3566 | Is PaperCut affected by the SSL 3.0 “Poodle” vulnerability (otherwise known as CVE-2014-3566)? This vulnerability, nicknamed “Poodle” can provide a way for attackers to eavesdrop on HTTPS connections running over SSL 3.0. The typical scenario cited involves an attacker running a fake Wi-Fi hot-spot that injects javascript into a non-secure web page. This javascript proceeds to compromise a secure site running SSL 3.0 for which the browser holds a cookie. Unlike the recent HeartBleed vulnerability, Poodle does not expose the server to a standalone attack. SSL 3.0 is an older protocol, now superseded by TLS. It will generally only be used when both the web server and the client cannot use a more recent TLS protocol. These days, this scenario is becoming less and less common. For example, users would need to be on a browser no more recent than Internet Explorer 6. It is possible, however, that a man-in-the-middle attacker could intercept the protocol negotiation and force a downgrade to SSL 3.0. In the case of HTTPS connections to the PaperCut server, TLS has always used if the client permits, however, SSL 3.0 will be negotiated if TLS is not supported by the client. Some customers may prefer to prevent the PaperCut server from accepting SSL 3.0 incoming connections altogether. This may be achieved using any build above PaperCut NG & MF 14.3 build (29819). Instructions on how to customize which ciphers and protocols are used by PaperCut can be found here: https://www.papercut.com/kb/Main/SSLCipherConfiguration. More information on Poodle can be found here: http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability |
Shellshock Sept 2014 |
CVE-2014-6271 CVE-2014-7169 |
Is PaperCut impacted by the Shellshock vulnerability (CVE-2014-6271) and (CVE-2014-7169)? The vulnerability known as Shellshock can allow attackers to remotely access and control systems using Bash (and programs that call Bash) as an attack vector. The bug affects many GNU/Linux users, as well as those using Bash on proprietary operating systems like OS X and Windows. Most software vendors affected by this vulnerability have already issued patches. PaperCut itself does not bundle GNU bash, however, we recommend all Bash users audit their services that may be affected. More information about these issues can be found at CVE-2014-6271 and CVE-2014-7169. We believe PaperCut is not impacted by the ShellShock vulnerability but it is possible for systems hosting PaperCut to be vulnerable. The majority of PaperCut runs in Java code in the JVM (Java Virtual Machine). There are points at which PaperCut does execute other processes, but the commands invoked are hard-coded and there is no way for an external source to set environment variables before execution. Because of this, PaperCut is not vulnerable to this attack. |
Heartbleed April 2014 |
CVE-2014-0160 | Is PaperCut affected by the OpenSSL “Heartbleed” vulnerability (otherwise known as CVE-2014-0160)? Neither PaperCut MF nor PaperCut NG is affected by the Heartbleed issue, as neither product uses OpenSSL libraries. The PaperCut.com website is also not impacted as it uses a version of OpenSSL that does not contain the vulnerability. We do suggest using a standalone OpenSSL utility in some cases for key and certificate generation. This utility is not impacted by the Heartbleed vulnerability. There is more general information about Heartbleed here: http://heartbleed.com/ |