Two New Documentum Security Issues

Hot on the heels of yesterday’s “Heartbleed” SSL vulnerability announcement come two more ESAs from EMC, these specific to Documentum: one for the Content Server alone, the other for the Content Server and xPlore.

ESA-2014-026: EMC Documentum Content Server Information Disclosure Vulnerability – “EMC Documentum Content Server may be vulnerable to an information disclosure vulnerability that may potentially be exploited by malicious users to gain unauthorized access to metadata. This is due to improper authorization checks being performed when trying to access metadata from folders outside of restricted folders configured for Content Server users. This vulnerability is only limited to reading the metadata as the malicious user is not able to gain read/write access to the content itself.”

The resolution is to upgrade to these minimum patch levels:

  • EMC Documentum Content Server version 7.1 P02 and later
  • EMC Documentum Content Server version 7.0 P13 and later
  • EMC Documentum Content Server version 6.7 SP2 P13 and later
  • EMC Documentum Content Server version 6.7 SP1 P26 and later

UPDATE: Yuri Simione, the vulnerability discoverer, has a detailed explanation of this vulnerability on his blog.

ESA-2014-023: EMC Documentum JBOSS Remote Code Execution Vulnerability – “EMC Documentum Content Server and xPlore embed JBoss servlets (JMXInvokerServlet and EJBInvokerServlet). These JBOSS servlets are vulnerable to remote code execution vulnerability. The vulnerability may be exploited to execute remote code with NT AUTHORITY\SYSTEM privileges. Affected JBOSS servlets are not required for either Documentum Content Server or xPlore’s functionality.”

The resolution is to upgrade to these minimum patch levels:

  • EMC Documentum Content Server version 7.1
  • EMC Documentum Content Server version 7.0 P13 and later
  • EMC Documentum Content Server version 6.7 SP2 P12
  • EMC Documentum Content Server version 6.7 SP1 P24
  • EMC Documentum xPlore version 1.4
  • EMC Documentum xPlore version 1.2 P25 and later

There is also a workaround if you prefer not to patch at this time:

  1. Stop the “Java Method Server” service.
  2. Open ..\jboss5.1.0\server\DctmServer_MethodServer\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml.
  3. Edit web.xml to remove both the <servlet> definition and the <servlet-mapping> entry for each of the servlets EJBInvokerServlet and JMXInvokerServlet (removing only the mapping leaves the servlet loaded; removing only the definition leaves a mapping that names a servlet the container no longer knows about).
  4. Start the “Java Method Server” service.
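The following script is an added example, not EMC’s or JBoss’s code, showing the web.xml edit from the workaround above plus a check you can run before and after to confirm the invoker servlets are really gone. The sample descriptor embedded in it is constructed to mirror the layout of the JBoss 5.1 invoker.war web.xml (servlet-name, servlet-class, servlet-mapping); the real file on your Java Method Server may differ in details such as DOCTYPE or namespace, which is why the checker matches on element names only. Note that ElementTree serialisation drops the XML declaration, DOCTYPE and comments, so the script keeps a .bak of the original; if you would rather edit by hand, use only the `exposed_invokers` check.

```python
"""Strip the JBoss EJBInvokerServlet / JMXInvokerServlet entries from an
invoker.war WEB-INF/web.xml (the ESA-2014-023 workaround), and verify the
result.

Added example, not EMC's or JBoss's code.  SAMPLE_WEB_XML is a constructed
descriptor modelled on the JBoss 5.1 http-invoker.sar layout; the servlet
named OtherServlet stands in for any unrelated entry that must survive.
"""
import sys
import xml.etree.ElementTree as ET

# The two servlets named in ESA-2014-023.
INVOKER_SERVLETS = {"EJBInvokerServlet", "JMXInvokerServlet"}

SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
   <servlet>
      <servlet-name>EJBInvokerServlet</servlet-name>
      <servlet-class>org.jboss.invocation.http.servlet.InvokerServlet</servlet-class>
      <load-on-startup>1</load-on-startup>
   </servlet>
   <servlet>
      <servlet-name>JMXInvokerServlet</servlet-name>
      <servlet-class>org.jboss.invocation.http.servlet.InvokerServlet</servlet-class>
      <load-on-startup>1</load-on-startup>
   </servlet>
   <servlet>
      <servlet-name>OtherServlet</servlet-name>
      <servlet-class>com.example.OtherServlet</servlet-class>
   </servlet>
   <servlet-mapping>
      <servlet-name>EJBInvokerServlet</servlet-name>
      <url-pattern>/EJBInvokerServlet/*</url-pattern>
   </servlet-mapping>
   <servlet-mapping>
      <servlet-name>JMXInvokerServlet</servlet-name>
      <url-pattern>/JMXInvokerServlet/*</url-pattern>
   </servlet-mapping>
   <servlet-mapping>
      <servlet-name>OtherServlet</servlet-name>
      <url-pattern>/other/*</url-pattern>
   </servlet-mapping>
</web-app>
"""


def _local(tag):
    """Tag name without any XML namespace prefix: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def _servlet_name(elem):
    """The <servlet-name> text of a <servlet> or <servlet-mapping> element."""
    for child in elem:
        if _local(child.tag) == "servlet-name":
            return (child.text or "").strip()
    return ""


def exposed_invokers(web_xml):
    """Return the set of invoker servlets the descriptor still defines or
    maps.  An empty set means the workaround has been applied."""
    root = ET.fromstring(web_xml)
    found = set()
    for elem in root:
        if _local(elem.tag) in ("servlet", "servlet-mapping"):
            name = _servlet_name(elem)
            if name in INVOKER_SERVLETS:
                found.add(name)
    return found


def strip_invoker_servlets(web_xml):
    """Remove both the <servlet> definition and every <servlet-mapping> for
    the invoker servlets.  Returns (new_xml_text, elements_removed)."""
    root = ET.fromstring(web_xml)
    doomed = [
        elem for elem in root
        if _local(elem.tag) in ("servlet", "servlet-mapping")
        and _servlet_name(elem) in INVOKER_SERVLETS
    ]
    for elem in doomed:
        root.remove(elem)
    return ET.tostring(root, encoding="unicode"), len(doomed)


if __name__ == "__main__":
    # Usage: python strip_invokers.py <path\to\web.xml>  (edits in place, keeps .bak)
    # With no argument it runs against the constructed sample instead.
    if len(sys.argv) > 1:
        path = sys.argv[1]
        with open(path, encoding="utf-8") as fh:
            original = fh.read()
    else:
        path, original = None, SAMPLE_WEB_XML
    before = exposed_invokers(original)
    cleaned, removed = strip_invoker_servlets(original)
    if path:
        with open(path + ".bak", "w", encoding="utf-8") as fh:
            fh.write(original)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(cleaned)
    print(f"exposed before: {sorted(before)}; removed {removed} element(s); "
          f"exposed after: {sorted(exposed_invokers(cleaned))}")
```

Run it with the Java Method Server stopped, as in step 1, and re-run `exposed_invokers` on the saved file afterwards; on the sample it removes four elements (two definitions, two mappings) and leaves OtherServlet and its mapping untouched.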

Happy patching!

About Scott
I have been implementing Documentum solutions since 1997. In 2005, I published a book about developing Documentum solutions for the Documentum Desktop Client (ISBN 0595339689). In 2010, I began this blog as a record of interesting and (hopefully) helpful bits of information related to Documentum, and as a creative outlet.
