Webtop ESA-2016-088

EMC has posted an ESA for Webtop: ESA-2016-088: EMC Documentum Webtop Unsafe Deserialization Vulnerability. Here is the text of the ESA:

Documentum Webtop has Java deserialization code that may not validate whether the input stream contains any malicious code. This code may be leveraged to exploit the system using malicious payloads with the help of the vulnerable versions of Apache libraries used in WebTop.
Resolution

The following EMC Documentum Webtop release contains resolutions to these vulnerabilities:

  • EMC Documentum Webtop 6.8.1 P04 and later
  • EMC Documentum Webtop 6.8 P16 and later
  • EMC Documentum Capital Projects 1.9 P25 and later
  • EMC Documentum Capital Projects 1.10 P12 and later

EMC recommends all customers upgrade at the earliest opportunity. In addition, Documentum Engineering is working to validate a code fix for the following product families. This code fix will be available in upcoming maintenance releases:

  • EMC Documentum Administrator 7.2
  • EMC Documentum TaskSpace 6.7

This ESA will be updated as code fixes become available.

This is an interesting ESA in that the vulnerability seems to lie in the Apache libraries rather than in Webtop itself, and no resolution or corrective action is given. Usually, EMC announces ESAs only after the issues have been corrected in a patch.


About Scott
I have been implementing Documentum solutions since 1997. In 2005, I published a book about developing Documentum solutions for the Documentum Desktop Client (ISBN 0595339689). In 2010, I began this blog as a record of interesting and (hopefully) helpful bits of information related to Documentum, and as a creative outlet.

2 Responses to Webtop ESA-2016-088

  1. Scott says:

    Thanks for the details, Andrey. I figured you were on top of this.
