
This section provides an overview of all critical uniFLOW security advisories. For further information regarding these advisories please contact your local Canon office, authorized reseller or NT-ware support representative. Access to the NT-ware Knowledgebase is granted to all local Canon offices and authorized resellers to receive more detailed information and patches.

December 18th 2018 | Security Advisory
The following security advisory has been updated for uniFLOW:

uniFLOW Authentication issue
There is a possibility of gaining unauthorized access where "Username/Password" is used as authentication or the card learning mechanism is utilized. This affects only particular versions of the software when used with these authentication methods: uniFLOW V5.1 SRx, uniFLOW V5.2 SRx, uniFLOW V5.3 SRx, uniFLOW V5.4 SRx, uniFLOW 2018 LTS SRx, uniFLOW 2018 v-Releases.
An additional issue has been found (affecting the versions from V5.3 SRx onwards) whereby it is possible to access the device Remote User Interface (RUI) when using the Universal Login Manager (ULM).
As both issues were found within a short time frame, we have opted to create a combined installer which applies a hotfix for both issues.
Please find instructions to install the hotfix here.
(As uniFLOW V5.1 SRx & V5.2 SRx are no longer supported, the hotfix for these versions is available on request from your local Canon office.)
If you have already applied the original hotfix, you should still apply the new hotfix to fix the remaining issue. We are committed to providing secure solutions to our customers and apologize for any inconvenience this situation has caused. Should you require further information regarding this advisory, please contact your local Canon office, authorized reseller or Canon support representative. If you notice any suspicious activity, please report it immediately to your account manager and IT department.

May 22nd 2017 | Security Advisory
The following security advisory has been released for all versions of uniFLOW:

Sniffing network packets to webcall.asp possible
- Hotfix available
- Service Release Fix: uniFLOW V5.4 SR9
- Further information on ITS: MOMKB-907

December 9th 2014 | Security Advisory
The following security advisory has been released for all versions of uniFLOW:

"POODLE" exploit (SSL 3.0 vulnerability)
- Hotfix not planned
- Service Release Fix: see MOMKB-759
- Further information on ITS: MOMKB-759

April 11th 2014 | Security Advisory
The following security advisory has been released for uniFLOW V5.1 and V5.2:

Heartbleed Bug (OpenSSL vulnerability)
- Hotfix available for uniFLOW V5.2 SR2
- Service Release Fix will be available for uniFLOW V5.1 SR9 and V5.2 SR3
- Further information on ITS: MOMKB-759

December 4th 2013 | Security Advisory
The following security advisories have been released by NT-ware for uniFLOW V5.2 SR1 and older:

Stored and reflected Cross Site Scripting (XSS)
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-733

Arbitrary command execution
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-734

Inadequate Access Control
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-735

Potential credential stealing on IG
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-736

Use of dangerous functions in the IG code
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-737

Arbitrary file write on IG
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-738

SQL Injection
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-739

Information disclosure through the header response of the IG server
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-740

Weak CAPTCHA security
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-741

Passwords stored in plain text in the IG database
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-742

Arbitrary file delete on uniFLOW server
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-74

Cross site request forgery (uniFLOW server)
- Service Release Fix: uniFLOW V5.2 SR2
- Further information on ITS: MOMKB-744

May 8th 2013 | Security Advisory
The following four security advisories have been released for uniFLOW V5.1.0 – V5.1.6 and uniFLOW V5.2:

Authentication with user name and PIN-code on PWCLIENT and PWRQM
- Hotfix availability: in planning
- Service Release Fix: uniFLOW V5.1.7, V5.2 SR1
- Further information on ITS: MOMKB-705

December 8th 2011 | Security Advisory
The following four security advisories have been released for uniFLOW V5.0.5 and uniFLOW V5.1.1:

Password in HTML Source
- Hotfix availability: 08/12/2011
- Service Release Fix: uniFLOW V5.0.6, V5.1.2, V5.2
- Further information on ITS: MOMKB-581

SQL Injection
- Hotfix availability: 08/12/2011
- Service Release Fix: uniFLOW V5.0.6, V5.1.2, V5.2
- Further information on ITS: MOMKB-583

Persistent/Stored XSS
- Hotfix availability: 08/12/2011
- Service Release Fix: uniFLOW V5.0.6, V5.1.2, V5.2
- Further information on ITS: MOMKB-584

Unencrypted communication between MEAP Module and RPS
- Hotfix availability: 08/12/2011
- Service Release Fix: uniFLOW V5.0.6, V5.1.2, V5.2
- Further information on ITS: MOMKB-585