Vulnerability in ScannerVision

I. Vulnerability summary

Product:
ScannerVision

Description:
A security vulnerability was found in one of the components that the ScannerVision Server application uses to process PostScript files:

An exploitable code execution vulnerability exists in the PostScript processing functionality of ScannerVision version 9.10.0.1514 and earlier. A specially crafted PostScript file processed by ScannerVision can result in the code in its payload being executed with the privileges of the ScannerVision Processing Service user. Although only a very small percentage of users process PostScript files as ‘source documents’, the risk of the vulnerability being exploited still exists. The cause of the vulnerability is the third-party library "Ghostscript", specifically version V9.25, which is used in the ScannerVision processing unit.

II. Solution

As an immediate short-term measure, a patch has been created for the affected server version. An updated version of ScannerVision, V9.11, is available immediately for new installations; it effectively stops the processing of PostScript files from any capture source. ScannerVision version 9.13, scheduled for release at the end of September, will include a full bug fix and allow PostScript files to be processed again.
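
Administrators who want to confirm that no PostScript reaches a capture folder can identify it by content rather than by file extension, since a PostScript job can arrive under any name. The following is an added example, not vendor code: the function names, the folder argument and the 4 KiB scan window are assumptions chosen for illustration.

```python
import re
import sys
from pathlib import Path

EPS_DOS_MAGIC = b"\xc5\xd0\xd3\xc6"   # binary EPS wrapper (preview + PostScript)
PJL_UEL = b"\x1b%-12345X"             # PJL "universal exit language" job prefix
PJL_ENTER_PS = re.compile(rb"@PJL\s+ENTER\s+LANGUAGE\s*=\s*POSTSCRIPT", re.I)
SCAN_WINDOW = 4096                    # assumption: header fits in the first 4 KiB


def is_postscript(head: bytes) -> bool:
    """Return True if the leading bytes of a file look like PostScript or EPS."""
    if head.startswith(b"\xef\xbb\xbf"):       # tolerate a UTF-8 byte order mark
        head = head[3:]
    if head.startswith(EPS_DOS_MAGIC):
        return True
    if head.startswith(PJL_UEL):
        # Print-job wrapper: PostScript if PJL switches the language to it.
        if PJL_ENTER_PS.search(head):
            return True
        head = head[len(PJL_UEL):]             # UEL may be followed directly by %!
    head = head.lstrip(b"\x04 \t\r\n")         # Ctrl-D or whitespace may precede %!
    return head.startswith(b"%!")


def find_postscript(folder: str) -> list[Path]:
    """List files under `folder` whose content is PostScript, whatever their name."""
    hits = []
    for path in sorted(Path(folder).rglob("*")):
        if path.is_file():
            with path.open("rb") as fh:
                if is_postscript(fh.read(SCAN_WINDOW)):
                    hits.append(path)
    return hits


if __name__ == "__main__":
    # Usage: python find_ps.py <capture-folder>
    for hit in find_postscript(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```
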