Notification about the vulnerability in Xerox FreeFlow Core
January 7, 2025
Dear Customers,
We would like to thank you for your continued support towards FUJIFILM Business Innovation products.
A vulnerability (CVE-2024-47555 to CVE-2024-47559)*1 has been found in Xerox FreeFlow Core, which is included in the Xerox FreeFlow Digital Workflow Collection.
- *1 Vulnerability information published by the National Institute of Standards and Technology (NIST)
We apologize for any inconvenience this may cause, but please check whether your Xerox FreeFlow Core is one of the affected versions and, if so, take the following actions.
At the time of posting this notice, we have not confirmed any attacks that exploit this vulnerability.
Vulnerability Details
We have found the following vulnerabilities in our product Xerox FreeFlow Core, each of which allows remote code execution.
- CVE-2024-47555 (High): Lack of authentication for critical functions (CWE-306)
- CVE-2024-47556 (High), CVE-2024-47557 (High): Pre-Authentication Remote Code Execution via Path Traversal (CWE-22)
- CVE-2024-47558 (High), CVE-2024-47559 (High): Authenticated Remote Code Execution via Path Traversal (CWE-22)
Affected products and versions
Xerox FreeFlow Core 7.0.0 to 7.0.10
- How to check the version
- After logging in, click the “?” mark in the upper right corner of the screen and select the “FreeFlow Core Information” menu.
- Check the version on the screen that appears.
Remediation
Xerox FreeFlow Core 7.0.11
We have prepared a Xerox FreeFlow Core 7.0.11 patch module that addresses this vulnerability.
Please apply it.
Workaround
If the product is used in a network environment protected by a firewall or similar controls, you are not affected by this vulnerability.
Until the Xerox FreeFlow Core 7.0.11 patch module has been applied, we therefore recommend operating it in such a protected network environment.
Related Information
- Xerox Security Bulletin XRX24-014 for Xerox® FreeFlow® Core v7.0
- CVE-2024-47555: Lack of Authentication for Critical Functions (CWE-306)
- CVE-2024-47556, CVE-2024-47557: Pre-Authentication Remote Code Execution via Path Traversal (CWE-22)
- CVE-2024-47558, CVE-2024-47559: Authenticated Remote Code Execution via Path Traversal (CWE-22)
Contact information
- Customers who have a software support contract
Please contact the Fujifilm Business Innovation subsidiary/distributor where you purchased your software.
- Customers who do not have a software support contract
Please contact the distributor where you purchased your software.