This bulletin will be updated with more information on 14th March, 2024.

This is a pre-notification so you can prepare for an upcoming security-focussed maintenance release on 14th March. This bulletin will be updated with additional information on release day. On the 14th March 2024 (Australian Eastern Daylight Time), there will be PaperCut MF & NG maintenance releases containing several security fixes for newly discovered vulnerabilities. After a risk assessment of the remediated vulnerabilities, PaperCut has decided to adopt the pre-notification approach for this release. This is to allow organizations to prepare for an upgrade.
We understand these high-priority security patches are disruptive. To protect organizations against potential n-day attacks, PaperCut will not be sharing specific details publicly until the maintenance releases containing all required fixes have been made available on the 14th March.
We are sharing this information with you now to prepare you for the release, and to allow you to plan for scheduling upgrades.

Security issues being addressed

PaperCut has reserved and allocated the following CVEs.
CVE             CVSS Rating
CVE-2024-1222   8.6
CVE-2024-1654   7.2
CVE-2024-1882   7.2
CVE-2024-1223   6.5
CVE-2024-1884   6.5
CVE-2024-1883   6.3
CVE-2024-1221   3.1

Recommended customer actions at this time

The upgrade is recommended for all; however, those with PaperCut NG/MF servers that are accessible from the Internet (e.g. open ports), or that have untrusted clients within the network (e.g. a large University), are strongly advised to upgrade. These organizations should prioritize and schedule this upgrade for 14th March 2024 AEDT. The upgrade will be available using the existing in-app “Check for updates” link.
FAQs

Q Can I get more information about these vulnerabilities?
To protect organizations against potential n-day attacks, PaperCut will not be sharing specific details publicly until the maintenance releases containing all required fixes have been made available on the 14th March. At that point, this bulletin will be updated with additional information.
A common way n-day attacks occur is when bad actors glean information from public sources. By disclosing no information, we are trying to give organizations the maximum lead time on bad actors trying to carry out an n-day attack. It should also be noted there are no known active exploits. The planned pre-notifications are merely a precautionary measure to inform organizations so they can plan their out-of-schedule updates.
Q Why is PaperCut publishing this security bulletin without providing full information on the vulnerabilities?
This is to allow organizations and partners to schedule time for security updates to be applied to their systems. Due to the sensitivity of security updates, we will not release additional information until the fixes are publicly available.
Q When will I be able to download the update?
Upgrade information will be available when this bulletin is updated and when the maintenance releases are publicly available on 14th March (AEDT).
Q Where can I get the update?
When this bulletin is updated and the updates go live on 14th March (AEDT), the updates will be available through the usual methods:
The Check for updates link in the PaperCut NG/MF admin interface (through the About tab, then Version info > Check for updates) will allow you to download the latest version of PaperCut NG or MF.
Direct downloads for the latest builds will become available on the upgrade page. It’s easy to identify your edition of PaperCut: it’s on the About tab and in the footer of your PaperCut Web admin login. The PaperCut team has made backports available for all supported versions. The updated versions will be:

23.0.7
22.1.5
21.2.14
20.1.10

Note that updates through either of these methods will not be available until 14th March (AEDT).
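As an added example (not part of PaperCut's bulletin), the following Python check takes an installed PaperCut NG/MF version string and reports whether it is at or above the fixed build for its branch, using the four fixed versions listed above. The version-string parsing (a leading major.minor.patch, optionally followed by a build number) and the handling of branches not listed in the bulletin are assumptions.

```python
import re
from typing import Optional, Tuple

# Fixed versions per supported branch, taken from the bulletin.
# Key is the (major, minor) branch; value is the first patched build in it.
FIXED_VERSIONS = {
    (23, 0): (23, 0, 7),
    (22, 1): (22, 1, 5),
    (21, 2): (21, 2, 14),
    (20, 1): (20, 1, 10),
}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract major.minor.patch from strings such as '22.1.3' or
    '22.1.3 (Build 65821)'. The trailing build-number form is an
    assumption, not a format the bulletin specifies."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def assess(version_text: str) -> str:
    """Return 'patched', 'upgrade' or 'unsupported' for an installed version.

    'unsupported' means the branch is not one of the four the bulletin
    backports to (or the string could not be parsed), so the server should
    be moved to a supported branch rather than compared against a fix."""
    v = parse_version(version_text)
    if v is None:
        return "unsupported"
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        return "unsupported"
    # Tuple comparison orders (major, minor, patch) numerically,
    # so 21.2.14 correctly sorts above 21.2.9.
    return "patched" if v >= fixed else "upgrade"


if __name__ == "__main__":
    # Constructed sample inventory for illustration; not real hosts.
    inventory = [
        ("app-server-1", "23.0.3 (Build 65821)"),
        ("site-server-a", "21.2.14"),
        ("legacy-box", "19.2.3"),
    ]
    for host, ver in inventory:
        print(f"{host:14} {ver:22} -> {assess(ver)}")
```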
Q Where will additional information be published about these vulnerabilities?
This security bulletin will be updated on 14th March (AEDT) with additional information. You can also subscribe to our security notifications list via our Security notifications sign-up form if you prefer to receive email notifications of security updates.
Q How were the vulnerabilities in this release discovered?
The issues addressed in the upcoming release are part of our existing security uplift program which involves internal teams reviewing their code, penetration testing from external parties, and leverages the strong relationships we’ve built with researchers in the security industry post our 23 March 2023 security incident.
Many of these issues were found by researchers working with TrendMicro as part of their ZDI program. All of these have been responsibly disclosed to us by Trend Micro. We’ve worked closely with Trend Micro’s ZDI team over the last 12 months to ensure any of their findings with PaperCut’s products are consistently disclosed collaboratively. Trend Micro now has a better understanding of our customers and partners. We have worked with them and other security vendors to ensure that issues are responsibly disclosed, with adequate lead time to ensure our customers and partners have time to upgrade before the vulnerability is public.
We want to make sure such issues are found through our own uplift activities and NOT by hackers. Yes, security issues are frustrating, but this is required. Our goal is to ensure PaperCut is the most secure solution in our space.

Q What version updates will be released?
As documented in our Supported Versions policy, updates will be made available for all supported versions. This includes version 23 (latest version), 22, 21 and 20. The releases will include:

23.0.7
22.1.5
21.2.14
20.1.10

Q What will the upgrade process involve?
The upgrade process will be a standard upgrade for the PaperCut Application Server and Site Servers, following the Upgrading PaperCut MF & NG (upgrade steps) documentation. If there are any additional steps, they will be documented on this bulletin when it’s updated on 14th March (AEDT).
Note that you will not need to update secondary servers, clients, devices or other components. Only an Application Server and Site Server upgrade (if you’re using Site Servers) would be required.
Security notifications: “How do I sign up for PaperCut’s security mailing list?”

In order to get timely notifications of security news (including security-related fixes or vulnerability information), please subscribe to our security notifications list via our Security notifications sign-up form. If you’re a sys admin or if you look after PaperCut product implementations at your organization, this list will help you be amongst the first to hear of any security-related news or updates.
Updates

Date                        Update/action
8th March, 2024 (AEDT)      Notified subscribers to our Security notifications list by email, linking to this bulletin for further information.
8th March, 2024 (AEDT)      Enabled the PaperCut MF/NG in-product notification (versions 23.0.3 and later) and the dashboard tile notification (for earlier supported versions), linking to this bulletin for further information.
8th March, 2024 (AEDT)      Published this Security Bulletin.
14th March, 2024 (AEDT)     Planned date for go-live for the maintenance releases as well as additional information being shared in this Security Bulletin page.