DFS, Content Server, and eRoom Vulnerabilities

EMC released several ESAs this week for vulnerabilities in the DFS, the Content Server, and eRoom.

ESA-2014-057: EMC Documentum Foundation Services (DFS) XML External Entity (XXE) Vulnerability – This ESA describes a flaw in the way DFS parses XML streams it receives from authenticated users. In an XXE vulnerability the parser honours external entity declarations embedded in the submitted XML, which in general lets the submitter make the server read local files or reach internal URLs on their behalf; note that the attacker here is an authenticated DFS client, not an anonymous one. The list of affected products is long:

  • Documentum Foundation Services (DFS) 6.6 all service packs and patch versions prior to P39
  • Documentum Foundation Services (DFS) 6.7 SP1 all patch versions prior to P28
  • Documentum Foundation Services (DFS) 6.7 SP2 all patch versions prior to P15
  • My Documentum for Desktop 6.7.2
  • My Documentum for Microsoft Outlook 6.7 SP1, SP2
  • My Documentum for Microsoft Outlook 6.7.3
  • My Documentum for Microsoft Outlook 6.7.1
  • Documentum CenterStage 1.2 SP1, SP2

I find it interesting that TaskSpace and xCP are not on this list. The remedy is to upgrade to the fixed patch levels, which at the time of writing are:

  • DFS 6.6 P39 and later
  • DFS 6.7 SP1 P28 and later
  • DFS 6.7 SP2 P15 and later
  • My Documentum for Desktop 6.7.2 P15 and later
  • My Documentum for Microsoft Outlook 6.7 SP1 P28
  • My Documentum for Microsoft Outlook 6.7 SP2 P15
  • My Documentum for Microsoft Outlook 6.7.1 P29
  • My Documentum for Microsoft Outlook 6.7.3 (Hotfix)
  • Documentum CenterStage 1.2 SP2 P06
  • Documentum CenterStage 1.2 SP1 (Hotfix)
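To make the DFS issue concrete, here is an added example of the XXE mechanism itself. It is not DFS code, nor anything from EMC's advisory; it uses Python's standard-library xml.sax parser to run the same constructed payload through a vulnerable configuration (external general entities resolved) and a hardened one (DOCTYPE rejected, external entity resolution off). The request/objectName element names and the "secret" file it reads are made up for the demo.

```python
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes


class TextCollector(ContentHandler):
    """Collects the character data the parser reports, so we can see whether
    entity expansion pulled anything into the document."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts).strip()


def xxe_payload(target_uri):
    """Build the classic XXE document: a DOCTYPE that declares an external
    general entity pointing at a local file, referenced from the body.
    The <request>/<objectName> elements are made up for this example; they
    stand in for whatever XML the service expects from a client."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE request [\n'
        f'  <!ENTITY xxe SYSTEM "{target_uri}">\n'
        ']>\n'
        '<request><objectName>&xxe;</objectName></request>\n'
    )


def parse_resolving_external_entities(data):
    """The vulnerable configuration: the parser is told to resolve external
    general entities, so a SYSTEM entity is fetched and its content inlined
    wherever the entity is referenced."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return handler.text()


def parse_hardened(data):
    """The hardened configuration: refuse any document carrying a DOCTYPE (a
    document without one cannot declare entities at all), and in addition
    leave external general and parameter entity resolution switched off.
    The DOCTYPE check assumes an ASCII-compatible (e.g. UTF-8) request body;
    decode first if other encodings are accepted."""
    if b"<!DOCTYPE" in data:
        raise ValueError("DOCTYPE declarations are not accepted")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return handler.text()


def demo():
    """Create a throwaway 'secret' file, then parse the same payload both ways.
    Returns (text the vulnerable parser leaked, the hardened parser's verdict)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("SECRET-TOKEN-1234")  # constructed stand-in for a sensitive file
        secret_path = f.name
    try:
        payload = xxe_payload(Path(secret_path).as_uri()).encode()
        leaked = parse_resolving_external_entities(payload)
        try:
            parse_hardened(payload)
            verdict = "accepted"
        except ValueError as e:
            verdict = str(e)
        return leaked, verdict
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked, verdict = demo()
    print("vulnerable parser returned:", leaked)
    print("hardened parser said:", verdict)
```

The vulnerable parser hands back the contents of the file named in the SYSTEM entity; the hardened one never gets as far as parsing. On a Java/JAXP stack such as DFS runs on, the equivalent switch is the Xerces feature http://apache.org/xml/features/disallow-doctype-decl set to true on the parser factory, with external-general-entities and external-parameter-entities set to false as a second line of defence.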

ESA-2014-064: EMC Documentum Content Server Privilege Escalation Vulnerabilities – This ESA seems related to, if not essentially the same as, ESA-2014-046. Perhaps the first set of patches wasn't thorough enough? To shore up your installation, upgrade to these patch levels:

  • Documentum Content Server version 7.1 P06 and later
  • Documentum Content Server version 7.0 P15 and later
  • Documentum Content Server version 6.7 SP2 P15 and later
  • Documentum Content Server version 6.7 SP1 P28 and later

ESA-2014-060: EMC Documentum eRoom Multiple Cross-Site Scripting Vulnerabilities – This ESA addresses cross-site scripting vulnerabilities in eRoom. These were previously announced and patched last year under ESA-2013-073; again, apparently not completely. Upgrade to:

  • eRoom 7.4.3 ESA-2014-060 (hot fix)
  • eRoom 7.4.4 P19 and later
  • eRoom 7.4.4 SP1 ESA-2014-060 (hot fix)

As always, thoroughly test any patch or upgrade before deploying it to production.

About Scott
I have been implementing Documentum solutions since 1997. In 2005, I published a book about developing Documentum solutions for the Documentum Desktop Client (ISBN 0595339689). In 2010, I began this blog as a record of interesting and (hopefully) helpful bits of information related to Documentum, and as a creative outlet.
