Choose your language

Choose your login

Support

Security vulnerability information and common security questions

THE PAGE APPLIES TO:

Find the answers to PaperCut product security questions, as well as information about specific security vulnerabilities. Scroll down to find specific Common Vulnerabilities and Exposures / CVE IDs.

Security vulnerability log

Ordered from newest to oldest.

Name & dateVulnerability ID(s)Details
PaperCut NG/MF security vulnerabilities

May 2024
CVE-2024-3037
CVE-2024-4712
Resolved in PaperCut NG/MF version 23.0.9.

See PaperCut NG/MF Security Bulletin - May 2024 for more information.
Ghostscript vulnerability in calling the Tesseract library

March 2024
N/AA vulnerability was identified in the way Ghostscript/GhostPDL called tesseract for the OCR devices. See the Ghostscript site for more information.

We have confirmed that PaperCut products do not use Ghostscript's ability to call Tesseract. As such we can confirm that this vulnerability does not impact any PaperCut products.
PaperCut NG/MF security vulnerabilities

March 2024
CVE-2024-1222
CVE-2024-1654
CVE-2024-1882
CVE-2024-1223
CVE-2024-1884
CVE-2024-1883
CVE-2024-1221
There is an update now available for PaperCut NG/MF customers. Versions 23.0.7, 22.1.5, 21.2.14, 20.1.10 have now been released with fixes for these vulnerabilities.

See PaperCut NG/MF Security Bulletin - March 2024 for more information.
Spring Framework URL Parsing with Host Validation

Feb 2024
CVE-2024-22243Our internal teams have investigated this issue and have found that PaperCut NG/MF do use the version of Spring that is vulnerable to CVE-2024-22243. However, we are currently not aware of any known paths to exploit these vulnerabilities.

Currently, we believe that PaperCut NG/MF cannot be used to exploit CVE-2024-22243. Having said that, in line with best practice, this dependency will be upgraded in a future release of PaperCut NG/MF (tracked under PO-2130). As part of our existing dependency upgrade process, this change will undergo extensive testing to ensure it doesn't introduce any bugs or unexpected behaviour in the functionality of PaperCut NG/MF.
Apache Struts file upload exploit

Dec 2023
CVE-2023-50164Is PaperCut impacted by CVE-2023-50164?

No. PaperCut products (including PaperCut MF, PaperCut NG, Print Deploy, Mobility Print, PaperCut Hive, PaperCut Pocket) do not use Apache Struts and are therefore not impacted by this exploit.
PaperCut NG/MF security vulnerability

Nov 2023
CVE-2023-6006CVE-2023-6006 - Privilege escalation vulnerability

There is an update available for PaperCut NG/MF customers. Version 23.0.1 and later contains a fix for this vulnerability. Please see the PaperCut NG/MF Security bulletin (Nov 2023) for more information.

Please note: these issues do not affect PaperCut Hive, PaperCut Pocket, Print Deploy, Mobility Print, or PaperCut User Clients.
curl/libcurl vulnerabilities

Oct 2023
CVE-2023-38545
CVE-2023-38546
CVE-2023-38039
Is PaperCut impacted by CVE-2023-38545, CVE-2023-38546 or CVE-2023-38039?

No. No PaperCut products are impacted by any of the following CVEs.

The only component that uses libcurl is the PaperCut NG/MF print provider (used in a default Application server install, the direct print monitor component and the secondary print server component), however the version in use is not vulnerable to the following CVEs.CVE-2023-38545: PaperCut products don’t use any proxies including the SOCKS5 proxy, so this vulnerability will not be exploitable.CVE-2023-38546: PaperCut products don’t use curl_easy_duphandle, so this vulnerability will not be exploitable.CVE-2023-38039: PaperCut products don’t use any of the impacted versions of libcurl, so this vulnerability will not be exploitable.We’ll continue to monitor the situation and update this page as new information becomes available.
Heap buffer overflow in libwebp

Sept 2023
CVE-2023-4863Is PaperCut impacted by CVE-2023-4863?

No. PaperCut products (including PaperCut MF, PaperCut NG, Print Deploy, Mobility Print, PaperCut Hive, PaperCut Pocket) are not impacted by CVE-2023-4863. This vulnerability is related to the libwebp libraries which are not used in PaperCut products.
Unauthenticated XMLRPC Functionality

Sept 2023
CVE-2023-4568PaperCut Software is aware of Tenable's view on CVE-2023-4568, impacting PaperCut MF and NG. PaperCut has different perspectives and assessments. We do however echo the advice for customers to review their Options -> Advanced -> Security -> Allowed remote provider IP addresses, and/or firewall settings, to ensure security is appropriate for a given install (as detailed in the IP Address Allow-listing section of the Secure setup page).

Tenable report: https://pt-br.tenable.com/security/research/tra-2023-31.
GhostScript vulnerabilities

August 2023
CVE-2023-36664Please see the GhostScript Vulnerabilities KB for more information.
PaperCut Mobility Print security vulnerabilities

August 2023
CVE-2023-2508CVE-2023-2508 - Address potential CSRF attack in Mobility Print

There is an update available for PaperCut Mobility Print customers. Version 1.0.3582 and later contains fixes for these vulnerabilities. Please see the PaperCut NG/MF Security bulletin (August 2023) for more information.
PaperCut NG/MF security vulnerabilities

July 2023
CVE-2023-3486
ZDI-CAN-21013
CVE-2022-21724
CVE-2023-3486 - Potential Denial of Service Issue
Unnamed - Chained Path Traversal in Authenticated API
ZDI-CAN-21013 / CVE-2022-21724 - Third Party Library Update

There is an update available for PaperCut NG/MF customers. Version 22.1.3 and later contains fixes for these vulnerabilities. Please see the PaperCut NG/MF Security bulletin (July 2023) for more information.

Please note: these issues do not affect PaperCut Hive, PaperCut Pocket, Print Deploy, Mobility Print, or PaperCut User Clients.
PaperCut NG/MF security vulnerabilities

June 2023
CVE-2023-31046
(PO-1277)

CVE-2023-2533
(PO-1366)

CVE-2023-39469
(ZDI-CAN-20965)
CVE-2023-31046 - Path traversal vulnerability
CVE-2023-2533 - Cross-site request forgery vulnerability

There is an update available for PaperCut NG/MF customers. Version 22.1.1 and later contains fixes for all of these vulnerabilities. Please see the PaperCut NG/MF Security bulletin (June 2023) for more information.

Please note: these issues do not affect PaperCut Hive, PaperCut Pocket, Print Deploy, Mobility Print, or PaperCut User Clients.
SpEL expression DoS in Spring Framework

April 2023
CVE-2023-20863
CVE-2023-20861
The Spring framework is only used in PaperCut NG/MF. No other PaperCut products (including Multiverse, Mobility Print, Print Deploy, PaperCut Hive and Pocket) use Spring. There is limited product impact since SpEL expressions are used in a limited fashion within PaperCut NG/MF, and do not have direct user-input points. We aim to upgrade the Spring framework in use as part of our regular maintenance upgrades, in a future release of PaperCut MF and NG.

See CVE-2023-20863 and CVE-2023-20861 for more information about the vulnerabilities.

Please note that if you're running version 22.1.3 or later these will no longer get flagged, due to the Spring Framework upgrades included with PaperCut NG/MF version 22.1.3.
Service Location Protocol (SLP)

April 2023
CVE-2023-29552PaperCut products (including PaperCut NG/MF, Multiverse, Mobility Print, Print Deploy, PaperCut Hive and Pocket), do not use SLP functionality. Please check with your printer manufacturer or refer to your printer manufacturer online documentation regarding disabling the protocol. See CVE-2023-29552 for more information about the vulnerability.
Spring double wildcard

March 2023
CVE-2023-20860Is PaperCut impacted by the Spring double wildcard vulnerability CVE-2023-20860?

No. The issue identified as Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860) does not impact PaperCut MF or NG. The “**” pattern is not used at all, and in addition the class in question is not used. We will be updating the Spring framework in use a part of our regular upgrades, in a future release of PaperCut MF and NG.

Please note that if you're running version 22.1.3 or later these will no longer get flagged, due to the Spring Framework upgrades included with PaperCut NG/MF version 22.1.3.
PaperCut NG/MF security vulnerabilities

March 2023
CVE-2023-27350
ZDI-CAN-18987
(PO-1216)

CVE-2023-27351
ZDI-CAN-19226
(PO-1219)
We have received two vulnerability reports for a high severity and critical security issue in PaperCut NG/MF.

We strongly recommend that customers upgrade Application Servers and Site Servers to version 22.0.9, or version 21.2.11 (if currently using version 21.x), or version 20.1.7 (if currently using version 20.x).

Please note: these issues do not affect PaperCut Hive, PaperCut Pocket, Print Deploy, Mobility Print, or PaperCut User Clients.

Please see the PaperCut NG/MF vulnerability bulletin (March 2023) for more information.
XML external entity (XXE) injection vulnerability in XML-RPC.NET

Dec 2022
CVE-2022-47514Is PaperCut impacted by CVE-2022-47514?

No. While a PaperCut github repository is mentioned as a vendor on the National Vulnerability Database, this was an old repository (not linked to NG/MF code) used in some client API example code, and has since been deleted.

There are no .NET binaries included with PaperCut NG or MF. If customers are administering PaperCut with .NET we recommend using the latest libraries as documented e.g. on Administering PaperCut with PowerShell.
OpenSSL Vulnerabilities

Nov 2022
CVE-2022-3602
CVE-2022-3786
CVE-2023-0286
Is PaperCut impacted by OpenSSL vulnerabilities?

No. PaperCut has confirmed that neither PaperCut NG nor PaperCut MF are vulnerable to attack. OpenSSL is not in use in these products, so these products are not vulnerable to attack when using PaperCut NG/MF.

Note that there have been several vulnerabilities related to OpenSSL, including CVE-2022-3602, CVE-2022-3786 and CVE-2023-0286, discovered in the OpenSSL library.

Will this get flagged as a vulnerability when scanning PaperCut NG/MF?

Potentially - depending on whether you are using OpenSSL libraries for other tasks and have therefore installed OpenSSL yourself. For example we mention the ability to use OpenSSL to manage certificates on our Mobility Print certificates and Print Deploy certificates instructions. OpenSSL is not packaged as part of the PaperCut NG/MF installation, so if you are using these / have installed these libraries, we recommend patching your OpenSSL tools as noted by the Open SSL advisory.

Further updates:

While there is no PaperCut product impact, and there are no product changes planned as a result, we are tracking vulnerability under our internal ID of [PC-18929]. We will update this page with other news as necessary.
Text4Shell / TextShell

Oct 2022
CVE-2022-42889Is PaperCut impacted by the Apache Commons Text vulnerability CVE-2022-42889?

No. This critical vulnerability (CVE-2022-42889) has been discovered in Apache Commons Text class. PaperCut has confirmed that neither PaperCut NG nor PaperCut MF are vulnerable to attack:

As detailed in the vendor advisory, the attack relies on the vulnerable class org.apache.commons.text.StringSubstitutor being included in the installation. PaperCut NG/MF do not ship with this class, so the attack cannot be performed successfully. As further reassurance, the required functionality for the attack is disabled by default in the product.

Will this get flagged as a vulnerability when scanning PaperCut NG/MF?

Potentially - depending on your vulnerability scanner. The scanner may pick up handlebars-4.1.2.jar and flag it as vulnerable. Even if this file gets flagged, due to the reasons above, the documented attack cannot be successful.

What further changes are planned?

Even though (as detailed above) the attack cannot be performed on a PaperCut NG/MF installation, we have upgraded handlebars.java to version 4.3.1 in PaperCut MF and NG version 22.0.9 (release reference PO-1096). This later version of handlebars contains a fix as documented by the vendor.
Psychic Signatures

April 2022
CVE-2022-21449Is PaperCut impacted by the Java vulnerability CVE-2022-21449?

No. PaperCut NG/MF uses Java version 11 which is not impacted by this specific vulnerability according to the OpenJDK Advisory.

versions 21.x, 20.x - Java 11.0.9.1
version 19.x - Java 11.0.2

While this specific vulnerability doesn’t impact PaperCut NG/MF, as a precaution (and to benefit from all the other fixes), we will update our JRE with the future 22.0 release. Note: the JRE has been updated to version 11.0.15 in version 22.0.3. See the 22.0.3 Release Notes for more information.
PaperCut NG/MF security vulnerability

May 2022
PC-18750We have received a vulnerability report for a high severity security issue in PaperCut NG/MF from version 19.2.1 through to the 21.2.8 release.

High severity (CVSS V3.1 Score 8.1, AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) security vulnerability in PaperCut MF and some PaperCut NG installations. We strongly recommend that customers upgrade Application Servers and Site Servers to PaperCut versions 19.2.7 (if using 19.x), 20.1.6 (if using 20.x) or 21.2.10 (or the latest version).

Please note: these issues do not affect PaperCut Hive, PaperCut Pocket, Print Deploy, Mobility Print, or PaperCut User Clients.

Please see the PC-18750 Security Advisory for more information.
SpringShell

March 2022
CVE-2022-22965

also includes:
CVE-2022-22950
CVE-2022-22970
CVE-2022-22971
Is PaperCut impacted by SpringShell/Spring4Shell?

This critical vulnerability was disclosed on the 30th March 2022 and impacts the Spring framework. More information can be found on the Spring blog which also references the Spring Framework RCE.

The proof of concept (POC) exploit explained in Spring’s blog post requires Apache Tomcat.

While our products do use the Spring framework, we can confirm that none of the PaperCut products use Tomcat (for example our MF and NG products use Apache Jetty). However we believe it could only be a matter of time until exploits are developed for 3rd party products that we do use. To prevent this having an impact on our customers, we have proactively provided a fix in the latest maintenance releases.

Additional code-fixes have been made in PaperCut versions 21.2.10, 20.1.6 and 19.2.7. Please see the Spring4Shell Security Advisory for more information.
Improper Restriction of XML External Entity

March 2022
CVE-2022-0839Is PaperCut impacted by CVE-2022-0839?

Yes, however PaperCut MF and NG use YAML files for managing the liquibase change logs - not XML. These change log files are and should be considered trusted input and would require an attacker to have already compromised the server to leverage this issue.

We are looking to upgrade to a patched version of liquibase in a future release, to completely close this vulnerability.
Ghost script vulnerabilities

March 2022
CVE-2019-14869
CVE-2019-14817
CVE-2019-14813
CVE-2019-14812
CVE-2019-14811
CVE-2019-10216
CVE-2020-16302
CVE-2020-16303
CVE-2020-16304
Is PaperCut impacted by vulnerabilities for Ghost script?

Yes - these include: CVE-2019-14869, CVE-2019-14817, CVE-2019-14813, CVE-2019-14812, CVE-2019-14811, CVE-2019-10216, CVE-2020-16302, CVE-2020-16303, CVE-2020-16304.

Please see the Ghost Script Vulnerabilities page for more information.
Log4j 1.2 (SocketServer)

Dec 2021
CVE-2019-17571Is PaperCut impacted by the Log4j 1.2 SocketServer vulnerability?

No. Please see our Known Issue (PO-693) for more detail - but in summary, none of the PaperCut products use the SocketServer functionality, so customers are not vulnerable to this exploit.
Log4Shell (RCE in log4j)

Dec 2021
CVE-2021-44228Is PaperCut impacted by the Apache log4j Remote Code Execution vulnerability?

Yes. Please see our in-depth Knowledgeable article on Remote code execution in Apache log4j (CVE-2021-44228) for more information, and workarounds.
MS update KB5005408 (Smart card authentication)

Sept 2021
CVE-2021-33764Is PaperCut impacted by the Microsoft update KB5005408 (Smart card authentication)?

Microsoft has advised in the article on KB5005408 - Smart card authentication might cause print and scan failures that “Printing and scanning might fail when these devices use smart card (PIV) authentication”.

Since PaperCut manages the connection to the device ourselves through the Java Virtual machine, all TLS connections and negotiations are direct with the PaperCut Java VM and not through Windows. This ultimately means that the update should not affect PaperCut or the device embedded by it, unless there is some different piece of 3rd Party software installed on the device that uses the Microsoft method.

As a precaution it’s always recommended to test with a test device and test Application Server (even if that’s a test Application Server running on a laptop, connected to a test device) before upgrading your production environment.
PrintNightmare

June 2021
CVE-2021-1675
CVE-2021-34527
Is PaperCut affected by the “Windows Print Spooler Elevation of Privilege Vulnerability” (otherwise known as CVE-2021-1675 or CVE-2021-34527)?

Please note that there is now (as of July 6, 2021) a security vulnerability patch available from Microsoft. We highly recommend installing this on all Windows servers running the print spooler service.

For more information on this, and also on the subsequent impact of patches delivered by Microsoft in September and October 2021, we have detailed the impact to PaperCut applications in a new KB article: Impact on PaperCut Software due to the PrintNightmare vulnerability.
Jasper reports directory traversal

March 2019
CVE-2018-18809We are aware of customer systems flagging the version of Jasper reports used with PaperCut NG/MF as vulnerable. While CVE-2018-18809 relates to a subcomponent that PaperCut NG/MF doesn't actively utilize, we will be resolving this by updating Jasper reports in a future version.

Update 17th Oct 2023: we will be updating Jasper reports to version 6.20.5 in our PaperCut NG/MF 23.0.0 release.
Freak

Jan 2015
CVE-2015-0204Is PaperCut affected by the SSL/TLS “FREAK” attack (CVE-2015-0204)?

The “FREAK” attack allows a malicious man-in-the-middle to downgrade the strength of encryption used. This vulnerability applies to some SSL/TLS implementations. PaperCut uses recent versions of the Java platform which is not vulnerable to the FREAK attack.

Customers running versions prior to version 14 should upgrade their servers as these later versions contain a more recent version of Java.
Poodle

Oct 2014
CVE-2014-3566Is PaperCut affected by the SSL 3.0 “Poodle” vulnerability (otherwise known as CVE-2014-3566)?

This vulnerability, nicknamed “Poodle” can provide a way for attackers to eavesdrop on HTTPS connections running over SSL 3.0. The typical scenario cited involves an attacker running a fake Wi-Fi hot-spot that injects javascript into a non-secure web page. This javascript proceeds to compromise a secure site running SSL 3.0 for which the browser holds a cookie. Unlike the recent HeartBleed vulnerability, Poodle does not expose the server to a standalone attack.

SSL 3.0 is an older protocol, now superseded by TLS. It will generally only be used when both the web server and the client cannot use a more recent TLS protocol. These days, this scenario is becoming less and less common. For example, users would need to be on a browser no more recent than Internet Explorer 6. It is possible, however, that a man-in-the-middle attacker could intercept the protocol negotiation and force a downgrade to SSL 3.0.

In the case of HTTPS connections to the PaperCut server, TLS has always used if the client permits, however, SSL 3.0 will be negotiated if TLS is not supported by the client.

Some customers may prefer to prevent the PaperCut server from accepting SSL 3.0 incoming connections altogether. This may be achieved using any build above PaperCut NG & MF 14.3 build (29819). Instructions on how to customize which ciphers and protocols are used by PaperCut can be found here: https://www.papercut.com/kb/Main/SSLCipherConfiguration.

More information on Poodle can be found here: http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability
Shellshock

Sept 2014
CVE-2014-6271
CVE-2014-7169
Is PaperCut impacted by the Shellshock vulnerability (CVE-2014-6271) and (CVE-2014-7169)?

The vulnerability known as Shellshock can allow attackers to remotely access and control systems using Bash (and programs that call Bash) as an attack vector. The bug affects many GNU/Linux users, as well as those using Bash on proprietary operating systems like OS X and Windows.

Most software vendors affected by this vulnerability have already issued patches. PaperCut itself does not bundle GNU bash, however, we recommend all Bash users audit their services that may be affected. More information about these issues can be found at CVE-2014-6271 and CVE-2014-7169.

We believe PaperCut is not impacted by the ShellShock vulnerability but it is possible for systems hosting PaperCut to be vulnerable.

The majority of PaperCut runs in Java code in the JVM (Java Virtual Machine). There are points at which PaperCut does execute other processes, but the commands invoked are hard-coded and there is no way for an external source to set environment variables before execution. Because of this, PaperCut is not vulnerable to this attack.
Heartbleed

April 2014
CVE-2014-0160Is PaperCut affected by the OpenSSL “Heartbleed” vulnerability (otherwise known as CVE-2014-0160)?

Neither PaperCut MF nor PaperCut NG is affected by the Heartbleed issue, as neither product uses OpenSSL libraries. The PaperCut.com website is also not impacted as it uses a version of OpenSSL that does not contain the vulnerability.

We do suggest using a standalone OpenSSL utility in some cases for key and certificate generation. This utility is not impacted by the Heartbleed vulnerability.

There is more general information about Heartbleed here: http://heartbleed.com/

General Security Questions

Q Does PaperCut have a print security best practice checklist?

Absolutely! We have pooled our knowledge and created a comprehensive Print Security whitepaper that will help you not only make the most of PaperCut’s security features but also help you secure your entire print infrastructure. Take a look at: PaperCut Security white paper

Q What about advice on securing our PaperCut server?

We’re glad you asked. Our article, Secure your PaperCut NG/MF server, collects all our best advice for security-conscious customers about locking down your PaperCut application server.

Q Does PaperCut store any passwords?

User authentication is performed by the operating system - usually via a directory service such as Active Directory or LDAP. PaperCut does not store any user passwords and instead interrogates the directory service in real-time. Caching or storing passwords is regarded as a security risk. The only exceptions to this rule are the built-in admin user account and PaperCut internal accounts.

The built-in admin password is stored in a one-way salted hashed format in the server.properties file. This account is kept separate from the directory user accounts ensuring that administrator level login is still possible even during a directory outage.

Internal user passwords are stored in the PaperCut database as a one-way hash in line with security best practice - a BCrypt sum factored from a combination of username + password + a salt. This use of a secure one-way hash ensures that users’ passwords are kept private even if someone has access to the PaperCut database.

In addition, PaperCut also encrypts all user’s Personal Identification Numbers used to secure card numbers.

Q How does PaperCut authenticate with Active Directory?

Communication between the PaperCut server and Active Directory (AD) is provided and secured by the Windows operating system. PaperCut calls the AD API on the local Windows system, and the PaperCut software does not collect passwords over the network to any remote server, as this is handled by AD itself.

PaperCut does not store any user passwords and instead interrogates the directory service in real-time, as caching or storing passwords is regarded as a security risk. The only exceptions to this rule are the built-in admin user account and PaperCut internal accounts which are covered above.

Q What level of encryption does PaperCut use?

Client-server communication of sensitive data is conducted over a TLS link - this is an equivalent level of encryption to that used by a web browser connected on an https:// website.

Q I am going to use Popup Authentication. What should I consider?

Popup-authentication is an auxiliary authentication method and in general should not be used in preference to a protocol-level authentication system. Popup authentication (IP session-based authentication) and it’s security considerations are discussed in detail in the article [REDIRECTED] Considerations When Using Popup Authentication.

Q Does PaperCut use Secure and HttpOnly secured cookies?

Yes. As of PaperCut NG and PaperCut MF 17.1, all session cookies generated for access attempts over secure connections are marked as both Secure and HtmlOnly in order to help mitigate a number of potential risks, such as certain styles of XSS attack, as well as the interception of secure session data improperly transmitted in cleartext.

Q Can I open port 9191/9192 to the world?

Best practice suggests not exposing any services to the Internet unless required. Having said that, we have designed PaperCut to be secure and with the intention of our users opening the HTTPS port 9192 to the Internet to facilitate services such as:

  • Remote administration
  • Allowing end-users to login from home to check balances and add credit/quota to their accounts

We have a number of large University/College sites that have opened up PaperCut’s port to the Internet since 2005. It is recommended to open port 9192 (the TLS port) rather than the plain text port 9191.

Q Is PaperCut and associated executable given minimum permission needed for operation? Is the concept of least privilege upheld?

Yes. On Windows, Mac, Novell and Linux PaperCut have been designed to run under non-privileged accounts. Key security processes on Linux that need to be run with elevated privileges such as those used for user authentication are run “out of process” so these higher privileges rights are isolated at the process level. On Windows, PaperCut’s runs its main process as the SYSTEM account with local access only (no network resource access).

Q How can I restrict access to the XML Web Service APIs?

Two levels of access control is provided for the web services APIs. The first is that any call needs to pass a valid authentication token (usually the built-in admin user’s password). All calls not passing this will be rejected. The 2nd level of security is IP address level filtering. By default, PaperCut will only allow calls from localhost (127.0.0.1), and optionally this can be extended to other servers by manually granting that server’s IP address. Valid IP addresses/ranges are defined under the Options section.

Q Are administrator activities audited?

Yes. As a general rule most major operations such as editing printer details, creating/deleting/modifying user accounts are audited. These audit records appear in the App. Log with a date, details and the user who performed the operation. Having said that, a full level system administrator with read/write file access could in theory edit the data files directory to modify the audit trail. Standard limited-rights PaperCut-only administrators access via the web interface can not modify these records.

Q What about the security of any 3rd party libraries and components used by PaperCut?

PaperCut makes use of a number of third party libraries and components. The security of components is actively monitored by our development team and if any are raised, we assess the impact this may have. We take the topic of security for any 3rd component as serious as we do for our own codebase. In some situations, we have worked with the 3rd party vendors to address security issues. Another example of active 3rd party security management is the Ghost Trap project. This initiative was started by PaperCut and aims to bring best of breed security to the Ghostscript PDL interpreters.

Q Do PaperCut NG and PaperCut MF support the use of digital signatures for printed documents?

Our document watermarking functionality can be easily leveraged to inject a digital signature into every printed page. This signature is generated by combining key print job attributes (e.g. time of print, username, printer name, document name) with a secret key, using a cryptographic algorithm to create an encoded string that is unique for each document. Both the MD5 and SHA1 message digest algorithms are available to transform these elements into unique signature strings, allowing the degree of cryptographic security to be configured. The resulting signatures can be used to trace printed pages back to their users of origin, allowing you to follow-up undesired or unlawful transmission of classified content.

As of version 17.1 of PaperCut NG and PaperCut MF, watermarks can be applied across the full page, such that signatures are visible over the entire printed document. This renders the removal of a signature from the printed page impossible.

Q Some areas of the user interface suggest that the software occasionally contacts PaperCut servers to retrieve information; for example, when I click to Check for updates on the About tab in the Admin web interface. Is this outbound communication performed securely?

In the past, contact to PaperCut servers to check for updates, send error reports on user commands, or download news content was performed over regular HTTP. From version 17.2.3 forwards of PaperCut NG and PaperCut MF, all outbound contact is made using HTTPS, minimizing the risk of these communications being intercepted.

Q I’ve noticed that system error pages contain some diagnostic information. Is this anything to be concerned about?

Prior to version 17.3 of PaperCut NG and PaperCut MF, HTML error pages would provide some technical context for the error, in order to aid diagnosis of the cause. Amongst the context provided was basic system information, which for highly secure environments could be considered to be unnecessary exposure. From 17.3 onwards, PaperCut NG and PaperCut MF will default to only outputting stack trace data when generating these error pages, eliding any information which could be considered identifying.

Q Configuring the Web Print feature to support Microsoft Office documents involves installing Office on my Web Print Server/s. Does the submission of documents that contain embedded macros present a security risk?

To establish support for Office documents, we recommend that Web Print be configured in “Sandbox Mode”. This partitions the running of the Web Print service off to one or more Web Print Servers; machines distinct from the key components of the PaperCut MF or PaperCut NG solution architecture, which are minimally configured and wholly dedicated to their task. By doing so, the opening and rendering of Office documents is contained to only these standalone servers, and if one of these machines is then compromised, only transient document data is potentially exposed. The afflicted Web Print Server can then be torn down and restored from a basic system image, removing the threat in the process.

Furthermore, Web Print Servers running version 17.4.2 or later of PaperCut MF and PaperCut NG can disallow the execution of any embedded document macros. This is controlled with the web-print.disable-macros configuration key, accessible via the Config Editor. This should minimise the possibility of document-borne attacks impacting your Web Print setup.

Q Tell me about your security development practices?

More information here: Tell me about PaperCut’s security

Security Standards and Frameworks

Q Is PaperCut certified under security standard XYZ?

PaperCut is developed in line with leading security guidelines and practices (see Tell me about PaperCut’s security). We currently do not hold a formal security certification such as ISO 27001.

With the well-justified increased industry focus on security PaperCut Software is continuously working to formalise our security practices:

  • Our Security Response Team (SRT) led by our Head of Development provides personalised and timely responses by our security specialists to any reported issues.
  • We work with external security consultants to audit our security policies and practices in general, as well as the specific technologies and architectures used to protect customer information in PaperCut NG and MF.
  • PaperCut customers and prospects are regularly PEN testing and auditing our software and we give high priority to fixing any vulnerabilities found.

Q Is PaperCut PCI Certified?

PaperCut itself does not handle any credit card transactions directly and hence PCI certification is not required/not appropriate for PaperCut itself. PaperCut interfaces with 3rd party payment gateways to handle credit card transactions (e.g. PayPal, CyberSource, Authorize.Net, etc.) and all credit card gateways/providers supported by PaperCut are PCI DSS certified. When a user makes a payment they are directed through to the provider’s “hosted pay page” and credit card details are entered on their website directly. Please follow this link for more detail on PaperCut and PCI DSS v3.

Q PaperCut NG and PaperCut MF stores information about my printing users… can the application be compliant with the EU General Data Protection Regulation (GDPR)?

The EU General Data Protection Regulation (GDPR) mandates that users have a Right to Access all stored data associated with them, as well as the Right to be Forgotten; to have all identifiable data related to them which is stored by an organisation permanently removed upon request. This is a significant seachange, reflecting the ever-increasing emphasis placed on securing and protecting personal data within information systems.

As of version 17.2, we have implemented methods that empower an organisation to meet these requirements with respect to their print system. Understanding that total compliance with GDPR is of critical importance to organisations operating within the EU, we’ve also sought to ease the burden of transition by authoring a GDPR Compliance Guide to help you along the way!

For further information, check out our Knowledge Base article on GDPR.

Q I’ve run a security scanner across PaperCut and it’s raised a warning. What does this mean?

PaperCut is in use in tens of thousands of organizations and many of them use various security analysis and scanning tools. If the issue raised is marked as “high”, please raise these with our support team. Many of these systems raise issues not pertinent to PaperCut and its print management application, however, we like to assess all on a case-by-case basis and will let you know if our developers think they require action.

Q Is PaperCut susceptible to SQL Injection attacks?

Our coding standard and design policies are designed to limit this type of attack. All database queries in PaperCut are developed using parameterized SQL. This means that PaperCut never directly builds the SQL statement using data provided by the user (e.g. search terms entered in fields). All SQL parameters are handled by the underlying database library which means that PaperCut is not susceptible to SQL injection attacks.

Q Does the application have protections against CSRF (Cross-Site Request Forgery) attacks?

A number of preventative measures against common CSRF attack vectors are implemented in PaperCut NG and PaperCut MF, seeking to ensure that an individual cannot modify HTTP request content in such a way that grants elevated access to system information or configuration. For example, as of version 17.3, header-based checks are enabled by default, validating the request origin by cross-checking the supplied origin and destination headers, and denying requests with unknown origin.

Q A security analysis tool (e.g. a PCI Compliance Scan) is reporting that PaperCut is configured to accept weak ciphers. How can I address this?

This topic is addressed in detail in the knowledge base article: SSL Cipher Configuration - removing weak ciphers.

More on security at PaperCut


Categories: FAQ , Security and Privacy


Comments

Last updated May 13, 2024