New Documentum ESAs

EMC released several ESAs for Documentum this week. Here are the links:

  • ESA-2014-079: EMC Documentum Content Server Multiple Vulnerabilities (6.7 SP1 and prior, 6.7 SP2 P16 and prior, 7.0, 7.1 P8 and prior).
    • Arbitrary Code Execution – Authenticated non-privileged users can potentially execute Documentum methods with higher level privileges (up to and including superuser privileges) due to improper authorization checks being performed on user-created system objects.
    • DQL Injection – Certain DQL hints in EMC Documentum Content Server may be potentially exploited by an authenticated non-privileged malicious user to conduct DQL injection attacks and read the database contents. This issue only affects Content Server running on Oracle database.
    • Information Disclosure – Authenticated non-privileged users are allowed to retrieve meta-data of unauthorized system objects due to improper authorization checks being performed on certain RPC commands in Content Server.
    • Multiple OpenSSL vulnerabilities.
  • ESA-2014-073: EMC Documentum Multiple Cross-Site Request Forgery Vulnerabilities.
    • WDK applications (Webtop, DA, WDK, TaskSpace, RM, WebPub, DAM) 6.7 SP1 P28 and prior, 6.7 SP2 P15 and prior
    • DA 7.0 P15 and prior, 7.1 P6 and prior
  • ESA-2014-067: EMC Documentum D2 Privilege Escalation Vulnerability (D2 3.1, 3.1 SP1, 4.0, 4.1, 4.2).
    • D2GetAdminTicketMethod and D2RefreshCacheMethod methods serve a superuser ticket to all requesting parties. A remote authenticated unprivileged user may potentially use these methods to request a superuser ticket and then use that ticket to escalate their privileges.
  • ESA-2014-059: EMC Documentum Multiple Cross-Site Scripting Vulnerabilities.
    • WDK applications (Webtop, DA, RM, TaskSpace) 6.7 SP1, 6.7 SP2
    • DA 7.0, 7.1
    • DAM, WebPub 6.5 SP5, 6.5 SP6

Don’t let the similarity of the titles of these (and other) ESAs lead you to believe they are duplicates.  The ESA numbers indicate they are all separate issues.

 

Advertisements

About Scott
I have been implementing Documentum solutions since 1997. In 2005, I published a book about developing Documentum solutions for the Documentum Desktop Client (ISBN 0595339689). In 2010, I began this blog as a record of interesting and (hopefully) helpful bits of information related to Documentum, and as a creative outlet.

One Response to New Documentum ESAs

  1. Pingback: Documentum Content Server ESAs for September | dm_misc: Miscellaneous Documentum Information

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: