1. I cannot find the hotfix on the Xerox.com software download site.
a. Go to the DocuShare Support & Software page.
b. Select the appropriate operating system from the Operating System menu.
c. Select the Critical Security Updates link in the Refine Results box on the left side of the page.
Note: Only 64-bit versions of Windows Server are supported for DocuShare 6.6.1.
2. Does the Hotfix need to be applied to ALL DocuShare Servers?
Yes, the hotfix should be applied to all DocuShare servers running versions 6.5.3 or 6.6.1 no matter which backend database is used.
3. We are at version 6.6.1 P3, which is a lower version. The hotfixes are for 6.6.1 update 1 and update 2. Do we need to apply this hotfix?
Yes, the server is vulnerable. We recommend you install DocuShare 6.6.1 Update 1 and Update 2, then install DocuShare 6.6.1 Update 2 Hotfix 3 (ds661update2hf3).
4. I am at DocuShare 6.5.3. If I apply this hotfix, will I need to apply another hotfix if I upgrade to 6.6.1?
Yes. When you upgrade to 6.6.1 you should install Update 1, Update 2, and the DocuShare Update 2 Hotfix 3.
5. If I am at 6.6.1 Update 1 and I apply Update 1 Hotfix 24, will I need to apply another hotfix if I install Update 2?
Yes. Update 2 was released prior to the discovery of the vulnerability. DocuShare 6.6.1 Update 2 Hotfix 3 (ds661u2hf3) should be installed.
6. My DocuShare server is still running version 6.0.1. Is this version affected? Is there a Hotfix for this version? Do I have to upgrade to one of the versions with a Hotfix?
All versions of DocuShare are assumed to be vulnerable. Hotfixes were built for the currently supported versions of DocuShare, v6.5.3 & v6.6.1. Your server must be updated to the most current version and patch level of DocuShare to continue receiving technical support from Xerox.
7. Are older versions (5.x and below) of DocuShare affected?
Yes, all versions of DocuShare are assumed to be vulnerable.
8. How long has this vulnerability been happening?
The vulnerability was reported on 15 April 2014. We responded immediately and released hotfixes to address the issue starting on 18 April 2014.
9. How can I tell if my site has been compromised?
First, the vulnerability does not allow the intruder to read DocuShare data. However, the vulnerability could allow the intruder to write data to the database tables or delete tables and indexes. The most obvious symptom is that the site fails or does not start up because database tables are missing or the data has become corrupted. Follow best practices and back up the database frequently. This is important for recovery should the database be compromised.
10. How do I disable the Guest account to prevent unauthorized users from accessing the site?
Under the Administration Menu, go to Site Management > Access Policies. Change the Site Access Authority from Guest to User. All users will now be forced to provide a valid username and password to access the site.
11. Our DocuShare site is in house and not accessible from the outside. Do I still need to apply this hotfix?
While your risk of a malicious intruder is low, we still recommend the hotfix be applied.
12. The site is protected behind a firewall. Do I need to apply this hotfix?
Yes.
13. What is the update and hotfix installation sequence?
See the table below:
| Version | Minimum Level of Required Patches and Updates | Required Hotfix | Comment |
| --- | --- | --- | --- |
| Versions earlier than 6.5.3 | n/a | n/a | Upgrade to at least v6.5.3, then follow the patch & hotfix sequence below. |
| 6.5.3 | Patch 6 | DS653p6hf2 | |
| 6.6.1 | Update 1 | DS661update1hf24 | |
| 6.6.1 Update 1 | | DS661update1hf24 | If you are going to install Update 2, skip Hotfix 24 and install Update 2, then Update 2 Hotfix 3. |
| 6.6.1 Release 2 or Update 2 | | DS661update2hf3 | |
14. Our site is at v6.6.1 and we want to be at the most current release and patch level. What do we need to install?
Install in the following sequence:
DocuShare 6.6.1 Update 1
DocuShare 6.6.1 Update 2
DocuShare 6.6.1 Update 2 Hotfix 3
Note: Update 1 is a prerequisite for Update 2.