Xerox Security Bulletin XRX14-005

Bash Shellshock Command Line Interpreter Vulnerability

v1.1

10/17/14


Background

A vulnerability has been discovered in the Bash command shell that can allow attackers to remotely execute commands on a target system. Even systems that don't allow remote command shell connections may still use Bash to execute commands in the Apache web server and other network-facing applications. Unix and Unix-derived systems like Linux and Mac OS X are vulnerable to these attacks since they use Bash as the default command shell.


A software solution consisting of two zip files, each one containing a patch, is provided for the products listed below. This solution will replace the affected version of Bash with an unaffected version of Bash in the Linux Operating System for the affected products.


This solution is designed to be installed by the customer. Each software patch is compressed into a 311 KB zip file and can be accessed via the links below or via the links following this bulletin announcement on www.xerox.com/security.


Patch for applicable software system versions '.071.xxx.yyy.xzzzz': SSConnectKey.071v2.zip

http://www.xerox.com/downloads/usa/en/s/SSConnectKey.071v2.zip 


Patch for software system versions '.072.xxx.yyy.xzzzz': SSConnectKey.072v2.zip

http://www.xerox.com/downloads/usa/en/s/SSConnectKey.072v2.zip 


This solution is classified as a Critical patch. Please follow the instructions starting on page 2 for each affected product to install the relevant security patch.


Applicability

This patch applies only to network-connected versions of the following products:

ColorQube® 8700, 8900, 9301, 9302, 9303

WorkCentre® 3655, 5845, 5855, 5865, 5875, 5890, 5945, 5955, 6655, 7220, 7225, 7830, 7835, 7845, 7855, 7970