Knowledgebase:
PaperCut RCE (PC-18750)
Last modified on 22 May 2022 04:56 PM

We have received a vulnerability report for a high severity security issue in PaperCut MF/NG from version 19.2.1 through to the 21.2.8 release.

This high severity vulnerability allows an unauthenticated attacker to achieve Remote Code Execution (RCE) on a PaperCut Application Server. This is only possible if the attacker's source IP address is allowed under the “Allowed device IP addresses” setting (under Options > Advanced > Security). By default this is set to *, meaning all IP addresses are allowed.

There is no indication that this vulnerability has been exploited.

Note: This vulnerability has been fixed in versions 19.2.7, 20.1.6 and 21.2.10, and in 22.0.0 and later.

Product Status

Which products are impacted?

Product: PaperCut MF Application Servers & Site Servers
Version: 19.2.1 or later (excluding 19.2.7, 20.1.6, 21.2.10, 22.0.0+)
Status: Impacted
Action: Upgrade Application Servers and Site Servers to:
- 19.2.7 (if currently using version 19.x)
- 20.1.6 (if currently using version 20.x)
- 21.2.10 (if currently using version 21.x)

Product: PaperCut MF Application Servers & Site Servers
Version: 19.2.0 or earlier
Status: Not impacted
Action: No action required.

Product: PaperCut NG Application Servers (& Site Servers) with ‘External Hardware Integration’* enabled
Version: 19.2.1 or later (excluding 19.2.7, 20.1.6, 21.2.10, 22.0.0+)
Status: Impacted
Action: Upgrade Application Servers and Site Servers to:
- 19.2.7 (if currently using version 19.x)
- 20.1.6 (if currently using version 20.x)
- 21.2.10 (if currently using version 21.x)

Product: PaperCut NG Application Servers (& Site Servers) with ‘External Hardware Integration’* disabled
Version: 19.2.1 or later
Status: Not impacted
Action: No action required. However, due to the Spring4Shell vulnerability, we recommend upgrading to the latest maintenance release. See the Spring4Shell Security Advisory for more information.

Product: PaperCut NG Application Servers (& Site Servers) with ‘External Hardware Integration’* either enabled or disabled
Version: 19.2.0 or earlier
Status: Not impacted
Action: No action required.

Product: PaperCut Hive, PaperCut Pocket, Print Deploy, Mobility Print, PaperCut User Clients
Version: All
Status: Not impacted
Action: No action required.

* Note: the ‘External Hardware Integration’ setting is found under Options > Advanced > External Hardware Integration.

FAQs

Is there any impact from applying this fix?

These maintenance releases include an upgraded version of the Rhino JavaScript engine (release note reference PO-816). As a result of this, print scripting and device scripting are now sandboxed by default.

If you are using print scripting or device scripting, we highly recommend reviewing the Enabling print scripting and device scripting KB for more information on these changes.

All other functionality and features will work without any impact.

Where can I get the upgrade?

Please follow your usual upgrade procedure. Additional links on the ‘Check for updates’ page will allow customers to download fixes for previous major versions which are still supported (e.g. 19.2.7, 20.1.6) as well as the current version (21.2.10).

If you are using PaperCut MF, we highly recommend following your regular upgrade process. Your PaperCut partner or reseller information can also be found on the ‘About’ tab in the PaperCut admin interface.

Where are the release notes for these fixes?

The release notes pages for PaperCut MF and NG list all fixes included per version.

What is the CVSS score for MF/NG RCE (PC-18750)?

High severity (CVSS v3.1 base score 8.1, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Is there more information about MF/NG RCE (PC-18750)?

Not at this time - to give customers a chance to upgrade, we are not releasing further details about this vulnerability.

Is there a mitigation for this if I don’t want to upgrade?

It is possible to stop this type of attack by using the Allowed device IP addresses setting under Options > Advanced > Security in the MF/NG admin interface. More information can be found in the manual. You can either list the individual IP addresses of your validated devices, or list subnet ranges in the documented format. Note that this field is restricted to 1000 characters, so bear this in mind when deciding how to list all your devices.

IMPORTANT: even if this mitigation would work for your environment, we highly recommend upgrading to 19.2.7, 20.1.6 or 21.2.10 to limit the potential impact from the Spring4Shell vulnerability, which has also been fixed in these latest releases.
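As an added example (not PaperCut's code or documentation), the following Python builds a candidate value for the Allowed device IP addresses field from a device inventory, collapses contiguous addresses into subnets to stay inside the 1000-character limit, flags the default * wildcard, and emulates the check the setting implies so you can confirm that a source address outside the list is rejected. The entry syntax it emits (bare addresses and CIDR subnets, comma-separated) and the matching semantics are assumptions; confirm the exact accepted format against the PaperCut manual for your version before pasting the value in. The device addresses below are constructed for the example.

```python
"""Build and sanity-check an 'Allowed device IP addresses' value (added example)."""
import ipaddress

MAX_FIELD_LENGTH = 1000          # limit stated in the advisory
SEPARATOR = ","                  # assumed entry separator; check the manual

# Constructed inventory: one full /24 of MFDs plus two stand-alone devices.
DEVICES = [f"10.1.2.{i}" for i in range(256)] + ["192.168.50.7", "192.168.50.8"]


def build_allowlist(device_ips, separator=SEPARATOR):
    """Collapse individual device addresses into the smallest set of networks.

    Single hosts are emitted as bare addresses, ranges as CIDR subnets. This output
    format is an assumption about what the field accepts.
    """
    addrs = [ipaddress.ip_address(ip) for ip in device_ips]
    entries = []
    for version in (4, 6):   # collapse_addresses refuses mixed address families
        same = [a for a in addrs if a.version == version]
        for net in ipaddress.collapse_addresses(same):
            if net.prefixlen == net.max_prefixlen:
                entries.append(str(net.network_address))
            else:
                entries.append(str(net))
    return separator.join(entries)


def check_allowlist(value, separator=SEPARATOR):
    """Return a list of problems with a candidate field value (empty list = looks fine)."""
    problems = []
    if "*" in value:
        problems.append("wildcard '*' present: every source IP is allowed (the default)")
    if len(value) > MAX_FIELD_LENGTH:
        problems.append(f"value is {len(value)} characters, limit is {MAX_FIELD_LENGTH}")
    for entry in value.split(separator):
        entry = entry.strip()
        if entry in ("", "*"):
            continue
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"unparseable entry: {entry!r}")
    return problems


def is_allowed(value, source_ip, separator=SEPARATOR):
    """Emulate the check the setting implies: does source_ip fall inside any entry?

    The real server-side matching rules are an assumption; this mirrors the
    documented intent (individual addresses or subnet ranges, '*' = everything).
    """
    addr = ipaddress.ip_address(source_ip)
    for entry in value.split(separator):
        entry = entry.strip()
        if entry == "*":
            return True
        if not entry:
            continue
        net = ipaddress.ip_network(entry, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


if __name__ == "__main__":
    hardened = build_allowlist(DEVICES)
    print("candidate value:", hardened, f"({len(hardened)} chars)")
    print("problems with default '*':", check_allowlist("*"))
    print("problems with candidate:", check_allowlist(hardened))
    for probe in ("10.1.2.77", "203.0.113.9"):
        print(probe, "allowed by '*':", is_allowed("*", probe),
              "| allowed by candidate:", is_allowed(hardened, probe))
```

The collapse step matters for the 1000-character limit: 258 individual entries would not fit, but the same fleet expressed as one /24 plus two hosts does. Re-run check_allowlist whenever devices are added, since a scattered set of addresses that cannot be collapsed can silently exceed the limit.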

What version of log4j do these builds use?

  • 19.2.7: uses log4j 1.x (not impacted)
  • 20.1.6: uses log4j 1.x (not impacted)
  • 21.2.10: uses log4j 2.17.1 (fixed)

See the Log4Shell (CVE-2021-44228) - How is PaperCut Affected? article for more details on log4j.

Is there a maintenance release for versions 18 or older?

No - versions 18 and older are now end of life, as documented on our End of Life Policy page.

I have a version 19 license and no M&S - can I still get this fix?

Yes! As long as you are running a version which is currently supported (19 and above) you can upgrade to whichever maintenance release version you’re licensed for. For example, if you are licensed for version 19 but you don’t have a valid license for version 20, you can update to version 19.2.7 as above.

See our Upgrade Policy page for more information on licensing and upgrades.

I saw versions 19.2.6, 20.1.5 and 21.2.9 available at one point - what happened?

We published maintenance releases 19.2.6, 20.1.5 and 21.2.9 on May 18th 2022. We then became aware that a small number of customers with a specific database configuration had to roll back after encountering an upgrade error, so we pulled these maintenance releases from our website to avoid impacting any additional customers. We then identified and fixed the issue with these builds, and have released the new (fixed) builds of 19.2.7, 20.1.6 and 21.2.10. We apologize for the confusion here - it wasn’t our best moment.

The same security fixes that were in the previous (pulled) builds are now in the fixed builds available on the website. If you are not using MS SQL Server as your database, and you upgraded to one of the now-pulled builds, you’ll be able to continue running that build without any issues.