Content Server Vulnerabilities

Another EMC security announcement, this one for multiple vulnerabilities in the Content Server: ESA-2014-046: EMC Documentum Content Server Multiple Vulnerabilities.

EMC Documentum Content Server may be susceptible to the following vulnerabilities:

  • Privilege Escalation: Authenticated non-privileged users are allowed to create system objects with super user privileges due to improper authorization checks being performed on these objects. This may potentially be exploited by a malicious attacker to gain unauthorized access to data or to perform unauthorized actions on Content Server.
  • Shell Injection: Certain methods in Documentum Content Server perform improper validation checks on input arguments. This may potentially be exploited by an authenticated malicious user to conduct shell injection attacks against these methods and perform unauthorized actions on Content Server.
  • DQL Injection: Certain DQL hints in Documentum Content Server may potentially be exploited by an authenticated malicious user to conduct DQL injection attacks and perform unauthorized database actions.

Affected versions are:

  • Documentum Content Server all versions of 7.1
  • Documentum Content Server all versions of 7.0
  • Documentum Content Server all versions of 6.7 SP
  • Documentum Content Server all versions of 6.7 SP1 and earlier

The remedy is to upgrade the Content Server to the following minimum patch levels:

  • Documentum Content Server 7.1 P05 and later
  • Documentum Content Server 7.0 P15 and later
  • Documentum Content Server 6.7 SP2 P14 and later
  • Documentum Content Server 6.7 SP1 P28 and later
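A defender-side check against the patch table above, added here as an example and not code from EMC or from this blog: it parses Content Server version strings in the form the advisory uses ("7.1 P05", "6.7 SP2 P14") and reports whether a reported build meets the minimum patch level. The version-string format, the handling of release lines the advisory does not name ("unlisted"), and the sample inventory are assumptions.

```python
import re

# Minimum patch levels from ESA-2014-046 as listed above, keyed by
# (major, minor, service pack) -> first patch number carrying the fix.
MIN_PATCH = {
    (7, 1, 0): 5,    # 7.1 P05
    (7, 0, 0): 15,   # 7.0 P15
    (6, 7, 2): 14,   # 6.7 SP2 P14
    (6, 7, 1): 28,   # 6.7 SP1 P28
}

# Assumed format: "<major>.<minor>[ SP<n>][ P<n>]" (case-insensitive).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\s*SP(\d+))?(?:\s*P(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Turn '6.7 SP2 P14' into (6, 7, 2, 14); missing SP/P count as 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised Content Server version: %r" % text)
    major, minor, sp, patch = m.groups()
    return int(major), int(minor), int(sp or 0), int(patch or 0)


def patch_status(text):
    """'patched' if the build meets the advisory minimum for its line,
    'vulnerable' if it is below it or on a line older than 6.7 SP1
    (affected, no fix listed), 'unlisted' for lines the advisory
    does not name (e.g. anything newer than 7.1)."""
    major, minor, sp, patch = parse_version(text)
    line = (major, minor, sp)
    if line in MIN_PATCH:
        return "patched" if patch >= MIN_PATCH[line] else "vulnerable"
    if line < (6, 7, 1):
        return "vulnerable"
    return "unlisted"


def triage(versions):
    """Map each version string from an inventory to its patch status."""
    return {v: patch_status(v) for v in versions}


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = ["7.1 P04", "7.1 P05", "6.7 SP2 P13", "6.6 SP1 P10"]
```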


About Scott
I have been implementing Documentum solutions since 1997. In 2005, I published a book about developing Documentum solutions for the Documentum Desktop Client (ISBN 0595339689). In 2010, I began this blog as a record of interesting and (hopefully) helpful bits of information related to Documentum, and as a creative outlet.
