Before I explain software security and patching, a quick public service announcement:
If you’re a PaperCut MF/NG customer for versions 19 to 21, you need to install the latest update for two security vulnerabilities we recently found.
There’s a general issue, Spring4Shell PC-18756 , affecting any software using the Spring framework. And there’s a PaperCut-specific vulnerability PaperCut MF/NG Remote Code Execution PC-18750 .
Here’s a superhumanly quick guide to patching these bugs:
- Read the Spring4Shell KB
- Read the RCE PC-18750 KB
- Read the Enable Print Scripting KB
- Upgrade - like, now!
That is a veeeeeeery quick guide, for more details, please follow your usual upgrade procedure. If you’re using PaperCut MF, contact your PaperCut partner or Reseller - their info can be found in the ‘About’ tab in the PaperCut admin interface.
Now that we’ve got that out the way, I wanted to peel back the curtain a bit and demystify security vulnerabilities a little.
Security vulnerabilities explained
Bugs happen in software. We don’t want them to, but they do. On that note, PaperCut is dedicated to ensuring the security of our customers’ data and systems. So, when vulnerabilities occur, we’re quick-smart to develop patches and then spread the good word about needing to update ASAP. Hence me (not so) subtly doing so a couple of paragraphs ago.
But despite best intentions, security comms usually contain a bunch of buzzwords and jargon. I wanted to break down what some of these terms mean.
Consider this a super quick glossary to help you understand a bit more of what’s happening when a company issues patches and updates for bugs.
What’s a bug? It’s an error, flaw, or fault in software that makes it behave in an unintended way. These can occasionally be exploited by attackers to penetrate a system’s security. Just like real bugs, such as termites or silverfish, they’re small and sneaky but can cause a lot of trouble. It’s important to note that bugs are different from vulnerabilities. Bugs are where the software doesn’t behave properly, a vulnerability is where that behavior can be used to do bad things to the software or system.
What’s a patch? It’s a specific type of update, a batch of changes that improve a computer program. They can include fixes for bugs, or bugfixes, to address security vulnerabilities.
What does RCE mean? Remote Code Execution is the ability to trigger an arbitrary code execution exploit over a network - like the internet.
What’s an arbitrary code execution? Also known as ACE, it’s how an attacker runs commands or codes to infiltrate a target. Stated simply, it’s a bad person running some software of their choosing on your computer.
What’s a CVSS score? The Common Vulnerability Score System is an open industry standard for assessing the severity of computer system security vulnerabilities. The scores measure the ease and impact of an exploit. 10 is the most severe, and 0 is the least. The CVSS score is actually made up of a bunch of metrics and then put together to calculate the final score. The metrics for the base score are dense, for more info check out the resources at the bottom of this post.
Who uses the CVSS score, and what do they do with it? Information Technology professionals must make decisions about what they patch and when they patch. Some patches require preparation, such as running a backup first, and some require servers or services to be restarted. These activities can impact end-users, interrupt scheduled processes, or disrupt other linked systems. So IT departments tend to prioritize their patching based on risk severity and impact. The CVSS rating is a vital input to an IT department’s decision-making process about when they’ll install a patch.
What does “in the wild” mean? Whenever a company refers to an “in the wild” virus or bug, they mean they’re threats that are out in the real world, in real peoples’ computers and systems. A lot of viruses or threats are locked away in test systems or security labs. An “in the wild” threat is one that hasn’t been contained and can impact your organization. Put simply, bad people are using this bug/vulnerability to hack things.
Where can you find out more about security and patching?
That was all ridiculously brief even for a quick guide, so if you want to know more about cybersecurity, check out these resources:
- OWASP Vulnerability Management Guide
- Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology
- Common Vulnerability Scoring System Calculator
- National Cyber Security Centre Vulnerability Management
- What are CVSS scores?
Install the latest PaperCut MF/NG update to secure your server
And don’t forget, if you’re a PaperCut MF/NG Customer on versions 19 to 21, make sure you read our Knowledge Base guides on each patch, then upgrade ASAP for Spring4Shell PC-18756 and PaperCut MF/NG Remote Code Execution PC-18750 . If you’re using PaperCut MF, contact your PaperCut partner.