Another D2 ESA

Short and sweet: By exploiting this vulnerability, remote unauthenticated users may download any document from the Docbase by knowing only the r_object_id of that document.

Resolution: Upgrade to D2 v4.5 patch 15, or D2 v4.6 patch 03.

Here is the link:  ESA-2016-108: EMC Documentum D2 Authentication Bypass Vulnerability


Webtop ESA-2016-088

EMC has posted an ESA for Webtop: ESA-2016-088: EMC Documentum Webtop Unsafe Deserialization Vulnerability.  Here is the text of the ESA:

Documentum Webtop has a java deserialization code which may not validate if the input stream contains any malicious code. This code may be leveraged to exploit the system using malicious payloads with the help of the vulnerable versions of Apache libraries used in WebTop.

The following EMC Documentum Webtop release contains resolutions to these vulnerabilities:

  • EMC Documentum Webtop 6.8.1 P04 and later
  • EMC Documentum Webtop 6.8 P16 and later
  • EMC Documentum Capital Projects 1.9 P25 and later
  • EMC Documentum Capital Projects 1.10 P12 and later

EMC recommends all customers upgrade at the earliest opportunity. In addition, Documentum Engineering is working to validate a code fix for the following product families. This code fix will be available in upcoming maintenance releases:

  • EMC Documentum Administrator 7.2
  • EMC Documentum TaskSpace 6.7

This ESA will be updated as code fixes become available.

This is an interesting ESA in that the vulnerability seems to be with Apache libraries, not Webtop directly, and no resolution or corrective action is given.  Usually, EMC announces ESAs after the issues have been corrected in a patch.

ESA for Documentum D2 Configuration Object Vulnerability

EMC has issued ESA-2016-034: EMC Documentum D2 Configuration Object Vulnerability.

Prior to EMC Documentum D2 4.6, many D2 Configuration object types were not properly protected with ACLs. As a result, an authenticated but unprivileged user could then modify or delete such objects.

EMC recommends that all customers upgrade to D2 4.6 at the earliest opportunity.

Really… that’s all it says.

UPDATE:  See an explanation of the vulnerability and the fix from Yuri Simione.

Documentum Core Stack Security Status

EMC recently sent an email to customers summarizing the current security status of the Documentum core stack (Content Server, xPlore, Webtop).  It is a nice summary of supported versions, current patches, and applicable ESAs.


The list of published security advisories is available here or here.

Documentum Content Server ESAs for September

EMC has released two ESAs and corresponding patches for September:

Fixes are available in the latest patches for Content Server v7.1 and v7.2 (P20 and P04, respectively).  The hotfix for v7.0 is pending and can be requested from EMC.

Does Documentum Enforce Least Privilege?

I was asked this question recently and was pretty sure the answer was ‘Yes’, but I set out to prove it anyway.

So, what is ‘least privilege’ you ask?  Least privilege is the practice of giving users only the minimal permissions and capabilities they need to complete a task.

The situation presented to me was that a user was a member of a group which was assigned ‘Version’ capability on an object, as well as being directly listed in the ACL with ‘Read’ capability.  How does the Documentum security model reconcile such conflicts?  What capabilities would the user actually have on the object?  Could they check out/check in the object or not?  Could they change properties on the object?  How would these capabilities change if the user was the owner of the object?

I set up a quick test.  Here are my results:

  • With the user as a member of a group with ‘Version’ capability as well as being assigned ‘Read’ capability directly in the ACL, the user had ‘Read’ capability only (i.e., they could not check out the object or modify the properties).  This would confirm Least Privilege.
  • If I made the user the owner of the object (with ‘Delete’ capability), then the user had full access to the object (i.e., checkout, checkin, overwrite, delete, etc.) regardless of their group’s capability or their direct assignment in the ACL.  This is a unique feature of being the owner of an object and does not conform to Least Privilege.   This is briefly discussed in the EMC Documentum Content Server Version 7.2 Fundamentals Guide on p. 91.
  • However, when I changed dm_owner’s capability to ‘Read’ in the ACL, the user/owner then had ‘Read’ capability only.  This would seem to indicate that object owners only have ‘Delete’ capability on the objects they own because of the default construction of the ACL (i.e., dm_owner=delete by default).

Least Privilege holds true in the Documentum security model with the exception of the object owner’s privilege, which trumps the ACL privileges, even when it might enforce a downgrade in capability.  Now you know.

UPDATE:  For a really thorough response to this post, see here.

ESA for D2 Fail Open Vulnerability

EMC just released ESA-2015-132: EMC Documentum D2 Fail Open Vulnerability.  I especially like this one:

“Lockbox is a component of Documentum D2 which securely stores passwords in an encrypted file. Removing the file D2.Lockbox from the Documentum Content Server and/or Application Server causes Documentum D2 to fallback to using a hard coded passphrase to encrypt sensitive admin tickets. An attacker can easily recover this hard coded password and obtain admin tickets by decompiling Documentum D2 jar files.”

The remedy is to upgrade your environments to D2 v4.5.  Happy upgrading!

Latest Documentum ESAs

EMC released ESA-2015-130 and ESA-2015-131 this week describing new vulnerabilities discovered in Webtop and Content Server, respectively.

  • ESA-2015-130 describes a Cross-Site Request Forgery (CSRF) vulnerability in Webtop 6.8 (and Webtop-based apps like DA 7.2) where an attacker may  trick authenticated users to click on  links embedded within an email, web page, or another source, and perform Docbase operations with that user’s privileges. This is apparently the second time this has been fixed, as the previous fix was incomplete.
  • ESA-2015-131 describes several very interesting privilege escalations and information leaks in the Content Server.  Read the ESA for the details.  Content Server versions 6.7 SP1 – 7.2 are affected.

The remedies for all of these vulnerabilities are contained in the latest patch releases for Webtop, DA, and Content Server.

ESA: Webtop Open Redirect Vulnerability

EMC released ESA-2015-123: EMC Documentum WebTop Open Redirect Vulnerability, identifying a vulnerability in Webtop, DA, DAM, WebPub, and TaskSpace (all supported versions).  Patches are available for Webtop and DA (v6.8 P02 and v7.2 P01, respectively).  Patches for the other products are by request only.

Webtop and Webtop-based client products may allow users to be redirected to untrusted websites.  These products contain an open redirect  vulnerability that attackers may exploit by supplying crafted URLs to users of the affected application causing a browser redirect to arbitrary and potentially malicious websites.

Two Documentum ESAs (Webtop and D2)

In case you missed them, EMC released two ESAs last week, one for D2, ESA-2015-108: EMC Documentum D2 Multiple DQL Injection Vulnerabilities, and one for Webtop,ESA-2015-111: EMC Documentum WebTop Client Products Multiple Vulnerabilities.  Nothing terribly dramatic here, although it is interesting that the Webtop vulnerability affects all currently supported WDK-based clients.  To me, that means the vulnerability has been around for a long time.  As always, the announcement of these vulnerabilities coincides with the release of the patches to fix them.

%d bloggers like this: