
Security vulnerabilities in our products

Several security vulnerabilities have been identified in TA Triumph-Adler and UTAX MFPs and printers. The following is an overview of the issues and how to resolve them.

I. Overview: Security Vulnerabilities & Impact

  • Apache Commons FileUpload (CVE-2013-0248, CVE-2014-0050, CVE-2016-1000031, CVE-2016-3092, CVE-2023-24998): This open-source component is used only to upload certificates via HyPAS Device Online; however, HyPAS could be exploited maliciously to upload files into the device’s storage.
  • Libpng (CVE-2015-8126, CVE-2015-8472, CVE-2016-3751, CVE-2017-12652): Printing a specific PNG file triggers a system error.
  • Zlib (CVE-2016-9842, CVE-2022-37434): Heap-based buffer over-read / overflow in inflate when processing large gzip header extra fields (CVE-2022-37434); undefined behavior in inflateMark due to left shifts of negative integers (CVE-2016-9842).
  • libxml2 (CVE-2022-40303, CVE-2022-40304, CVE-2023-29469): Sending a deliberately crafted XPS file to the device causes a system error.
  • Oracle Java (CVE-2024-20952): The device may be subject to attacks that could result in unauthorized operations on data. Configuring the device to use TLS 1.3 can mitigate the risk.

As of the date of publication of this notice, we have not confirmed any attacks that take advantage of these vulnerabilities.
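To make the Zlib entry concrete for administrators and integrators who handle gzip-wrapped data themselves, the following Python model is added here as an illustration; it is not code from TA Triumph-Adler, UTAX or the zlib project. It assumes the gzip header layout of RFC 1952, a caller-supplied fixed-size buffer for the optional extra field (the general shape of the inflateGetHeader() interface), a 32-bit unsigned subtraction for the remaining-room calculation, and a constructed sample member; the chunk sizes are chosen so that the field is consumed past the end of the buffer.

```python
"""Constructed model of the bug class behind the Zlib entry: copying a
variable-length gzip FEXTRA field into a caller-supplied, fixed-size buffer.
Header layout follows RFC 1952. Illustrative code, not zlib's source."""
import struct
from typing import Iterable, List, Tuple

GZIP_MAGIC = b"\x1f\x8b"
CM_DEFLATE = 8
FEXTRA = 0x04            # FLG bit: XLEN (2 bytes, little-endian) + XLEN extra bytes follow
UINT_MASK = 0xFFFFFFFF   # models a 32-bit unsigned subtraction


def extract_extra_field(member: bytes) -> Tuple[bytes, int]:
    """Validate the fixed 10-byte header and return (extra_field, offset of the
    first byte after it). Raises ValueError on malformed or truncated input,
    including an XLEN that claims more bytes than the member contains."""
    if len(member) < 10 or member[:2] != GZIP_MAGIC or member[2] != CM_DEFLATE:
        raise ValueError("not a deflate-compressed gzip member")
    flg = member[3]
    pos = 10
    if not flg & FEXTRA:
        return b"", pos
    if len(member) < pos + 2:
        raise ValueError("truncated XLEN")
    xlen = struct.unpack_from("<H", member, pos)[0]
    pos += 2
    if len(member) < pos + xlen:
        raise ValueError("XLEN claims %d bytes, only %d present" % (xlen, len(member) - pos))
    return member[pos:pos + xlen], pos + xlen


def store_extra_streaming(chunks: Iterable[bytes], extra_max: int,
                          bounds_checked: bool) -> Tuple[bytes, int]:
    """Copy an extra field that arrives in chunks into a buffer of extra_max
    bytes while counting every byte consumed, so the stream stays in sync.

    The consumed count keeps growing after the buffer is full. The unchecked
    variant derives the remaining room as `extra_max - consumed` in unsigned
    arithmetic, which wraps once consumed > extra_max and yields a copy
    length far larger than the buffer (the over-read/overflow pattern).
    The checked variant simply stops copying once the buffer is full."""
    buf = bytearray(extra_max)
    consumed = 0
    for chunk in chunks:
        start = consumed                        # where this chunk would land in buf
        if bounds_checked and start >= extra_max:
            consumed += len(chunk)              # buffer full: skip the data, keep the count
            continue
        room = (extra_max - start) & UINT_MASK  # wraps to ~4 GiB when start > extra_max
        n = min(len(chunk), room)
        if start + n > extra_max:               # stands in for the write that would run off the buffer
            raise OverflowError("would write %d bytes past a %d-byte buffer"
                                % (start + n - extra_max, extra_max))
        buf[start:start + n] = chunk[:n]
        consumed += len(chunk)
    return bytes(buf), consumed


def unchecked_copy_overflows(chunks: List[bytes], extra_max: int) -> bool:
    """True if the unchecked variant would write past the buffer."""
    try:
        store_extra_streaming(chunks, extra_max, bounds_checked=False)
        return False
    except OverflowError:
        return True


# Constructed sample member: FEXTRA set, MTIME 0, XFL 0, OS 3, XLEN 8, then
# placeholder bytes standing in for the deflate stream.
SAMPLE_EXTRA = b"SUBFIELD"
SAMPLE_MEMBER = (GZIP_MAGIC + bytes([CM_DEFLATE, FEXTRA]) + b"\x00" * 4 + b"\x00\x03"
                 + struct.pack("<H", len(SAMPLE_EXTRA)) + SAMPLE_EXTRA + b"<deflate data>")


if __name__ == "__main__":
    extra, payload_off = extract_extra_field(SAMPLE_MEMBER)
    chunks = [extra[0:3], extra[3:6], extra[6:]]      # field arrives in three pieces
    stored, consumed = store_extra_streaming(chunks, 4, bounds_checked=True)
    print("extra field:", extra, "payload starts at", payload_off)
    print("checked: stored", stored, "consumed", consumed)
    print("unchecked overflows:", unchecked_copy_overflows(chunks, 4))
```

The point for defenders is the two separate counters: the bytes stored (bounded by the buffer) and the bytes consumed (bounded only by XLEN). Any copy whose length is derived from the second counter needs an explicit "buffer already full" check before the subtraction; the firmware update named under Countermeasures is the fix for the device itself, and the same pattern is what to look for in any in-house code that parses gzip headers.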

II. Countermeasures

TA Triumph-Adler and UTAX are providing firmware that addresses these security vulnerabilities. Until the firmware update has been installed on your device, we recommend using firewalls and other IT security measures. If necessary, please contact your TA or UTAX representative for information about the firmware update.