
PaperCut NG/MF Security Bulletin (March 2022)


This page was originally titled PaperCut NG/MF RCE (PC-18750), and has been renamed to reflect our current naming convention for Security Bulletins.

We have received a vulnerability report for a high severity security issue in PaperCut MF/NG affecting versions 19.2.1 through 21.2.8.

This high severity vulnerability allows an unauthenticated attacker to gain Remote Code Execution (RCE) on a PaperCut Application Server. Exploitation is only possible if the attacker’s source IP address is allowed by the “Allowed device IP addresses” setting (under Options > Advanced > Security). By default this setting is *, meaning all IP addresses are allowed, so an installation that still has the default value is exploitable from any host that can reach the Application Server.

There is no indication that this vulnerability has been exploited.

Product Status

Which products are impacted?

Product: PaperCut MF Application Servers & Site Servers
Version: 19.2.1 or later (excluding 19.2.7, 20.1.6, 21.2.10, 22.0.0+)
Status: Impacted
Action: Upgrade Application Servers and Site Servers to:
- 19.2.7 (if currently using version 19.x)
- 20.1.6 (if currently using version 20.x)
- 21.2.10 (if currently using version 21.x)

Product: PaperCut MF Application Servers & Site Servers
Version: 19.2.0 or earlier
Status: Not impacted
Action: No action required.

Product: PaperCut NG Application Servers (& Site Servers) with ‘External Hardware Integration’* enabled
Version: 19.2.1 or later (excluding 19.2.7, 20.1.6, 21.2.10, 22.0.0+)
Status: Impacted
Action: Upgrade Application Servers and Site Servers to:
- 19.2.7 (if currently using version 19.x)
- 20.1.6 (if currently using version 20.x)
- 21.2.10 (if currently using version 21.x)

Product: PaperCut NG Application Servers (& Site Servers) with ‘External Hardware Integration’* disabled
Version: 19.2.1 or later
Status: Not impacted
Action: No action required. However, due to the Spring4Shell vulnerability, we recommend upgrading to the latest maintenance release. See the Spring4Shell Security Advisory for more information.

Product: PaperCut NG Application Servers (& Site Servers) with ‘External Hardware Integration’* either enabled or disabled
Version: 19.2.0 or earlier
Status: Not impacted
Action: No action required.

Product: PaperCut Hive, PaperCut Pocket, Print Deploy, Mobility Print, PaperCut User Clients
Version: All
Status: Not impacted
Action: No action required.

* Note: the ‘External Hardware Integration’ setting is found under Options > Advanced > External Hardware Integration.

FAQs

Q Is there any impact from applying this fix?

These maintenance releases include an upgraded version of the Rhino JavaScript engine (release note reference PO-816). As a result of this, print scripting and device scripting are now sandboxed by default.

If you are using print scripting or device scripting, we highly recommend reviewing the Enabling print scripting and device scripting KB for more information on these changes.

All other functionality and features will work without any impact.

Q Where can I get the upgrade?

Please follow your usual upgrade procedure. Additional links on the ‘Check for updates’ page will allow customers to download fixes for previous major versions which are still supported (e.g. 19.2.7, 20.1.6) as well as the current version (21.2.10).

If you are using PaperCut MF, we highly recommend following your regular upgrade process through your PaperCut partner or reseller. Their contact details can be found on the ‘About’ tab in the PaperCut admin interface.

Q Where are the release notes for these fixes?

The release notes pages for PaperCut MF and PaperCut NG list all fixes included in each version.

Q What is the CVSS score for MF/NG RCE (PC-18750)?

High severity (CVSS v3.1 base score 8.1; vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Q Is there more information about MF/NG RCE (PC-18750)?

Not at this time - to give customers a chance to upgrade, we are not releasing further details about this vulnerability.

Q Is there a mitigation for this if I don’t want to upgrade?

It is possible to block this type of attack by restricting the Allowed device IP addresses setting under Options > Advanced > Security in the MF/NG admin interface; the setting is documented in the manual. You can either list the individual IP addresses of your validated devices, or list subnet ranges in the format documented there. Note that this field is limited to 1000 characters, so bear this in mind when deciding how to list all your devices.

IMPORTANT: even if this mitigation would work for your environment, we highly recommend upgrading to 19.2.7, 20.1.6 or 21.2.10 to limit the potential impact from the Spring4Shell vulnerability which has also been fixed in these latest releases.
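The following is an added example for building and sanity-checking an Allowed device IP addresses value; it is not PaperCut code and the device inventory in it is constructed. It assumes the field accepts a comma-separated list of addresses and CIDR subnets (confirm the separator and range syntax against the manual before pasting anything in), takes the 1000-character limit and the * default from this bulletin, and models the check as “client address falls inside a listed block” so you can see which source addresses the setting would still admit.

```python
"""Build and check a PaperCut "Allowed device IP addresses" value.

Example code, not PaperCut's implementation. Assumptions to verify against
the PaperCut manual: the field is a comma-separated list of IPv4/IPv6
addresses and CIDR subnets, "*" admits any address (the default named in
the bulletin), and the value is limited to 1000 characters (per the bulletin).
"""
import ipaddress

FIELD_LIMIT = 1000   # character limit stated in the bulletin
ALLOW_ANY = "*"      # default value stated in the bulletin

# Constructed sample inventory: eight contiguous copiers, one stray device,
# one printer VLAN entered as a subnet, and a duplicate entry.
DEVICE_IPS = [
    "10.20.30.8", "10.20.30.9", "10.20.30.10", "10.20.30.11",
    "10.20.30.12", "10.20.30.13", "10.20.30.14", "10.20.30.15",
    "10.20.31.200",
    "192.168.5.0/24",
    "10.20.30.8",    # duplicate, collapsed away below
]


def _fmt(net):
    """Render a single host as a bare address and anything wider as CIDR."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def build_allowlist(entries):
    """Collapse hosts and subnets into the fewest CIDR blocks, comma-joined.

    Adjacent hosts merge into one block (10.20.30.8-15 becomes 10.20.30.8/29),
    which is how a large fleet is kept under the 1000-character limit.
    """
    nets = [ipaddress.ip_network(e.strip(), strict=False) for e in entries]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    # collapse_addresses() merges adjacent/overlapping blocks; it must be
    # called separately per IP version.
    collapsed = list(ipaddress.collapse_addresses(v4))
    collapsed += list(ipaddress.collapse_addresses(v6))
    return ",".join(_fmt(n) for n in collapsed)


def fits_field(value):
    """True if the value fits the field's stated 1000-character limit."""
    return len(value) <= FIELD_LIMIT


def is_allowed(client_ip, allowlist):
    """Model the check: '*' admits every client; otherwise the client's
    address must fall inside one of the listed addresses or subnets."""
    if allowlist.strip() == ALLOW_ANY:
        return True
    client = ipaddress.ip_address(client_ip)
    for entry in allowlist.split(","):
        entry = entry.strip()
        if not entry:
            continue
        # IPv4 vs IPv6 mismatches simply evaluate to False here.
        if client in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def allowlist_report(entries):
    """Summarise the collapsed value: entry count, length and whether it fits."""
    value = build_allowlist(entries)
    return {
        "value": value,
        "entries": value.count(",") + 1 if value else 0,
        "length": len(value),
        "fits": fits_field(value),
    }


if __name__ == "__main__":
    report = allowlist_report(DEVICE_IPS)
    print(report)
    for probe in ("10.20.30.13", "10.20.30.16", "203.0.113.9"):
        verdict = "allowed" if is_allowed(probe, report["value"]) else "blocked"
        print(probe, verdict)
```

Two caveats when using this: every address inside a listed subnet is admitted, so a whole printer VLAN in the list means any compromised host on that VLAN still reaches the vulnerable interface (individual device addresses are tighter), and the setting only restricts who can talk to the server; it does not remove the bug, which is why the bulletin still tells you to upgrade.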

Q What version of log4j do these builds use?

  • 19.2.7: uses log4j 1.x (not impacted)
  • 20.1.6: uses log4j 1.x (not impacted)
  • 21.2.10: uses log4j 2.17.1 (fixed)

See the Log4Shell (CVE-2021-44228) - How is PaperCut Affected? article for more details on log4j.

Q Is there a maintenance release for versions 18 or older?

No - versions 18 and older are now end of life, as documented on our End of Life Policy page.

Q I have a version 19 license and no M&S - can I still get this fix?

Yes! As long as you are running a version which is currently supported (19 and above) you can upgrade to whichever maintenance release version you’re licensed for. For example if you are licensed for version 19 but you don’t have a valid license for version 20, you can update to version 19.2.7 as above.

See our Upgrade Policy page for more information on licensing and upgrades.

Q I saw versions 19.2.6, 20.1.5 and 21.2.9 available at one point - what happened?

We published maintenance releases 19.2.6, 20.1.5 and 21.2.9 on May 18th 2022. We then became aware that a small number of customers with a specific database configuration had to roll back after encountering an upgrade error, so we pulled these maintenance releases from our website to avoid impacting any additional customers. We then identified and fixed the issue with these builds, and have released the new (fixed) builds of 19.2.7, 20.1.6 and 21.2.10. We apologize for the confusion here - it wasn’t our best moment.

The same security fixes that were in the previous (pulled) builds are now in the fixed builds available on the website. If you are not using MS SQL Server as your database, and you upgraded to one of the now-pulled builds, you’ll be able to continue running that build without any issues.


Categories: FAQ , Security and Privacy



Last updated August 27, 2024