Content Server Vulnerability (ESA-2014-156)

EMC just released ESA-2014-156: EMC Documentum Content Server Insecure Direct Object Reference Vulnerability, which details a security vulnerability with ALL versions of the Content Server.  EMC recommends patching Content Server 7.1 to patch 10, and Content Server 6.7 SP2 to patch 19.  Though other versions of the Content Server are affected, these are the only patches provided.  Contact EMC Support for hotfixes to other Content Server versions.

Documentum ESA for Multiple Vulnerabilities

EMC published ESA-2014-105: EMC Documentum Content Server Multiple Vulnerabilities.  The multiple vulnerabilities are:

  • LDAP Authentication Bypass – Documentum Content Server configured with LDAP with the “bind_search_dn” option set as the authentication source may be subject to a potential authentication bypass vulnerability due to improper error handling within LDAP plug-in. A malicious user with knowledge of a valid user name can leverage this vulnerability to access Documentum Content Server.
  • Privilege Escalation – Unprivileged Content Server users may potentially escalate their privileges to become a superuser by creating and performing malicious operations on dm_job and dm_job_request objects. This is due to improper authorization checks being performed on such objects and some of their attributes.
  • Multiple OpenSSL Vulnerabilities – The OpenSSL project released a security advisory on August 6, 2014 disclosing multiple vulnerabilities in OpenSSL that may potentially affect EMC Documentum Content Server customers.

The products affected are:

  • Documentum Content Server versions of 7.1
  • Documentum Content Server versions of 7.0
  • Documentum Content Server versions of 6.7 SP2
  • Documentum Content Server versions of 6.7 SP1
  • Documentum Content Server versions prior to 6.7 SP1

The resolutions are contained in the following patches:

  • EMC Documentum Content Server version 7.1 P09 and later
  • EMC Documentum Content Server version 7.0 P16 and later
  • EMC Documentum Content Server version 6.7 SP2 P18 and later
  • EMC Documentum Content Server version 6.7 SP1 P29 and later

New Documentum ESAs

EMC released several ESAs for Documentum this week. Here are the links:

  • ESA-2014-079: EMC Documentum Content Server Multiple Vulnerabilities (6.7 SP1 and prior, 6.7 SP2 P16 and prior, 7.0, 7.1 P8 and prior).
    • Arbitrary Code Execution – Authenticated non-privileged users can potentially execute Documentum methods with higher level privileges (up to and including superuser privileges) due to improper authorization checks being performed on user-created system objects.
    • DQL Injection – Certain DQL hints in EMC Documentum Content Server may be potentially exploited by an authenticated non-privileged malicious user to conduct DQL injection attacks and read the database contents. This issue only affects Content Server running on Oracle database.
    • Information Disclosure – Authenticated non-privileged users are allowed to retrieve meta-data of unauthorized system objects due to improper authorization checks being performed on certain RPC commands in Content Server.
    • Multiple OpenSSL vulnerabilities.
  • ESA-2014-073: EMC Documentum Multiple Cross-Site Request Forgery Vulnerabilities.
    • WDK applications (Webtop, DA, WDK, TaskSpace, RM, WebPub, DAM) 6.7 SP1 P28 and prior, 6.7 SP2 P15 and prior
    • DA 7.0 P15 and prior, 7.1 P6 and prior
  • ESA-2014-067: EMC Documentum D2 Privilege Escalation Vulnerability (D2 3.1, 3.1 SP1, 4.0, 4.1, 4.2).
    • D2GetAdminTicketMethod and D2RefreshCacheMethod methods serve a superuser ticket to all requesting parties. A remote authenticated unprivileged user may potentially use these methods to request a superuser ticket and then use that ticket to escalate their privileges.
  • ESA-2014-059: EMC Documentum Multiple Cross-Site Scripting Vulnerabilities.
    • WDK applications (Webtop, DA, RM, TaskSpace) 6.7 SP1, 6.7 SP2
    • DA 7.0, 7.1
    • DAM, WebPub 6.5 SP5, 6.5 SP6

Don’t let the similarity of the titles of these (and other) ESAs lead you to believe they are duplicates.  The ESA numbers indicate they are all separate issues.

 

DFS, Content Server, and eRoom Vulnerabilities

EMC released several ESAs this week for vulnerabilities in the DFS, the Content Server, and eRoom.

ESA-2014-057: EMC Documentum Foundation Services (DFS) XML External Entity (XXE) Vulnerability – This ESA discusses a problem with the way DFS parses incoming XML streams from authenticated users.  The list of affected products is long:

  • Documentum Foundation Services (DFS) 6.6 all service packs and patch versions prior to P39
  • Documentum Foundation Services (DFS) 6.7 SP1 all patch versions prior to P28
  • Documentum Foundation Services (DFS) 6.7 SP2 all patch versions prior to P15
  • My Documentum for Desktop 6.7.2
  • My Documentum for Microsoft Outlook 6.7 SP1, SP2
  • My Documentum for Microsoft Outlook 6.7.3
  • My Documentum for Microsoft Outlook 6.7.1
  • Documentum CenterStage 1.2 SP1, SP2

I find it interesting that TaskSpace and xCP are not on this list.  The remedy is to upgrade to the latest patch levels.  At this time, these patch levels are:

  • DFS 6.6 P39 and later
  • DFS 6.7 SP1 P28 and later
  • DFS 6.7 SP2 P15 and later
  • My Documentum for Desktop 6.7.2 P15 and later
  • My Documentum for Microsoft Outlook 6.7 SP1 P28
  • My Documentum for Microsoft Outlook 6.7 SP2 P15
  • My Documentum for Microsoft Outlook 6.7.1 P29
  • My Documentum for Microsoft Outlook 6.7.3 (Hotfix)
  • Documentum CenterStage 1.2 SP2 P06
  • Documentum CenterStage 1.2 SP1 (Hotfix)

ESA-2014-064: EMC Documentum Content Server Privilege Escalation Vulnerabilities – This ESA seems related to if not similar to ESA-2014-046.  Perhaps the first set of patches wasn’t thorough enough?  To shore up your installation, upgrade to these patch levels:

  • Documentum Content Server version 7.1 P06 and later
  • Documentum Content Server version 7.0 P15 and later
  • Documentum Content Server version 6.7 SP2 P15 and later
  • Documentum Content Server version 6.7 SP1 P28 and later

ESA-2014-060: EMC Documentum eRoom Multiple Cross-Site Scripting Vulnerabilities – This ESA addresses cross-site scripting vulnerabilities in eRoom.  This vulnerability was previously announced and patched last year in ESA-2013-073.  Again, perhaps not completely.  Upgrade to:

  • eRoom 7.4.3 ESA-2014-060 (hot fix)
  • eRoom 7.4.4 P19 and later
  • eRoom 7.4.4 SP1 ESA-2014-060 (hot fix)

As always, thoroughly test any patch or upgrade before deploying it to production.

Content Server Vulnerabilities

Another EMC security announcement, this one for multiple vulnerabilities in the Content Server:  ESA-2014-046: EMC Documentum Content Server Multiple Vulnerabilities.

EMC Documentum Content Server may be susceptible to the following vulnerabilities:

  • Privilege Escalation:  Authenticated non-privileged users are allowed to create system objects with super user privileges due to improper authorization checks being performed on these objects. This may potentially be exploited by a malicious attacker to gain unauthorized access to data or to perform unauthorized actions on Content Server.
  • Shell Injection:  Certain methods in Documentum Content Server perform improper validation checks on input arguments. This may potentially be exploited by an authenticated malicious user to conduct shell injection attacks against these methods and perform unauthorized actions on Content Server.
  • DQL Injection:  Certain DQL hints in Documentum Content Server may potentially be exploited by an authenticated malicious user to conduct DQL injection attacks and perform unauthorized database actions.

Affected versions are:

  • Documentum Content Server all versions of 7.1
  • Documentum Content Server all versions of 7.0
  • Documentum Content Server all versions of 6.7 SP
  • Documentum Content Server all versions of 6.7 SP1 and earlier

The remedy is to upgrade the Content Server to the following minimum patch levels:

  • Documentum Content Server 7.1 P05 and later
  • Documentum Content Server 7.0 P15 and later
  • Documentum Content Server 6.7 SP2 P14 and later
  • Documentum Content Server 6.7 SP1 P28 and later

 

Procedure to Change Content Server Installation Owner

I recently had the pleasure(?) of changing the installation owner for a client’s production Documentum environment (v6.6/Win2008 x64/SQL Server). Here are the steps I used, though your mileage may vary depending upon numerous factors.  Note that [text in brackets] denotes variable names you will need to supply for your environment.

  1. Obtain [new install owner] credentials. Validate that the new account has the following privileges:
    • Act as part of the operating system,
    • Create a token object,
    • Increase quotas,
    • Log in as a service,
    • Log in locally,
    • Replace a process‑level token.
  2. Log in to DA as dmadmin.  For the [repository] and the [global registry repo]:
    • Click Storage in the navigation tree and select the storage_01 object.
    • Right-click the storage_01 object and select Properties.
    • Note the File System Path.
    • Log out.
  3. Log onto Documentum server as [old install owner].
  4. Stop all Documentum services:
    • Documentum Docbroker Service,
    • Documentum Docbase Service [repository name],
    • Documentum Docbase Service [global registry repo] if necessary,
    • Documentum Java Method Server.
  5. Change the logon user for each Documentum process listed in step 4 to the [new install owner].
    • Open the Services control panel.
    • Right-click the service, and choose Properties.
    • Switch to the Log On tab.
    • Enter new installation owner credentials.
    • Click Apply, and then OK.
  6. Edit the install_owner parameter in the %DOCUMENTUM%\dba\config\[repository name]\server.ini file to reference the new installation owner.

    install_owner = [new install owner]

  7. Repeat step 6 for the [global registry repo] if necessary.
  8. Change permissions on the %DOCUMENTUM% directory and all subdirectories.
    • In Windows Explorer, select the %DOCUMENTUM% directory.
    • Right-click and choose Properties.
    • Switch to Owner tab.
    • Click the ‘Other Users or Groups’ button, add the [new install owner].  Click OK.
    • Select [new install owner], check ‘Replace owner on subcontainers and objects’, and click the Apply button.
    • Switch to the Security tab.
    • Click the Advanced button.
    • Click the Add button, add the [new install owner] and give it Full Control permissions. Click OK.
    • On the Permissions tab, select the [new install owner], check the ‘Replace permission entries on all child objects with entries shown here that apply to child objects’ checkbox, and click the Apply button.
    • Click Yes on the warning dialog.
    • The system will update the security definitions for all files and folders in the %DOCUMENTUM% directory. This could take a while.
    • Click OK and close the Properties dialog.
  9. Repeat step 8 for the File System Paths noted in step 2 if they are not included in the %DOCUMENTUM% folder structure.
  10. Update Registry entries.
    • Open the Registry using RegEdit.
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Documentum\Server\6.6
      • Change the value of DM_DMADMIN_USER to [new install owner].
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[repository name]
      • Change the value of ImagePath to contain -install_owner [new install owner].
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[global registry repo]
      • Change the value of ImagePath to contain -install_owner [new install owner].
  11. Change security settings on each of the following Registry keys.
    • For each key under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Documentum\DOCBASES
      • Right-click the repository name and choose Permissions….
      • Click the Add button and add [new install owner] to the list of users.
      • Select [new install owner] and give it Full Control.
      • Click the Apply button, and then OK.
    • For key HKEY_LOCAL_MACHINE\SOFTWARE\Documentum\Server\6.6
      • Right-click the repository name and choose Permissions….
      • Click the Add button and add [new install owner] to the list of users.
      • Select [new install owner] and give it Full Control.
      • Click the Apply button, and then OK.
    • For key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Documentum
      • Right-click the repository name and choose Permissions….
      • Click the Add button and add [new install owner] to the list of users.
      • Select [new install owner] and give it Full Control.
      • Click the Apply button, and then OK.
  12. Open the database management tool and log in as the database administrator.
  13. Run the following SQL query to update the install owner attributes of the server config objects.
    • UPDATE [repository name].[dbo].dm_server_config_s SET r_install_owner = '[new install owner]'
    • UPDATE [global registry repo].[dbo].dm_server_config_s SET r_install_owner = '[new install owner]'
  14. Restart the Documentum services stopped in step 4.
  15. Log into DA as the [new install owner].
    • Ensure the [new install owner] account privileges are identical to [old install owner] account.
    • Select [old install owner] and choose Tools – Reassign User.
    • Select the [new install owner]
    • Configure the job to run Now, to Unlock All objects, and to Save changes and report results.
    • Click OK. This could take a while.
    • Note that this process will remove the [old install owner] account from the Docbase.
    • To monitor the progress of the reassignments, enter the following query in the DQL Editor, and re-run it often. When the result is zero (0), the reassignment is complete.

      select count(*) from dm_sysobject where owner_name = '[old install owner]'

  16. Run the State of the Docbase report and review for anomalies and/or errors.
  17. Run the Consistency Checker and review for anomalies and/or errors. You may have to compare it with a previous report to determine if any reported inconsistencies are due to the changes you made, or were pre-existing.
  18. Publish the Data Dictionary and check for errors.
  19. From DA, checkout/checkin files.
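A missed reference to the old account is the usual way this procedure goes wrong, so the places touched in steps 5, 6 and 10 can be cross-checked before restarting services. The following is an added example, not part of the original procedure; it works on exported text, and the account svc_dctm, the repository repo1 and the executable names in the sample are constructed placeholders.

```python
import re

def account(name):
    # Compare bare account names: drop a DOMAIN\ or .\ prefix, quotes and case.
    return name.strip().strip('"').split("\\")[-1].lower()

def ini_install_owner(server_ini):
    """Value of install_owner in server.ini text, or None when the key is absent."""
    for line in server_ini.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "install_owner":
            return value.strip()
    return None

def image_path_owner(image_path):
    """Account that follows -install_owner in a service ImagePath, or None."""
    m = re.search(r'-install_owner\s+("[^"]+"|\S+)', image_path)
    return m.group(1) if m else None

def stale_references(new_owner, server_ini, services, dm_dmadmin_user):
    """List the places from steps 5, 6 and 10 that do not name new_owner yet.

    services holds (service name, logon account, ImagePath) tuples.
    """
    found = [("server.ini install_owner", ini_install_owner(server_ini)),
             ("registry DM_DMADMIN_USER", dm_dmadmin_user)]
    for name, logon, image_path in services:
        found.append((name + " logon account", logon))
        if "-install_owner" in image_path:
            found.append((name + " ImagePath", image_path_owner(image_path)))
    want = account(new_owner)
    return [place for place, value in found
            if value is None or account(value) != want]

# Constructed sample: values as they might be exported part-way through the change.
SAMPLE_INI = "[SERVER_STARTUP]\ndocbase_name = repo1\ninstall_owner = dmadmin\n"
SAMPLE_SERVICES = [
    ("Documentum Docbroker Service", r".\svc_dctm", "docbroker.exe"),
    ("Documentum Docbase Service repo1", r".\svc_dctm",
     "server.exe -docbase_name repo1 -install_owner dmadmin"),
]

if __name__ == "__main__":
    for place in stale_references("svc_dctm", SAMPLE_INI, SAMPLE_SERVICES, "svc_dctm"):
        print("still references another account:", place)
```

An empty result means server.ini, the registry value, the service logon accounts and the ImagePath arguments all agree on the new account; the r_install_owner column from step 13 still has to be checked in the database.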

Content Server Build Numbers

Here is a list of build numbers for the Content Server dating all the way back to version 5.2.5.  I have listed the OS/database platform combinations I can confirm.  I suspect in most cases, the build numbers are the same across all OS/database combinations.  However, there are some interesting anomalies,  for example: v5.3 has a separate build for Sun5/Oracle.  My guess is that the 5.3.0.115 code line was recompiled to address a bug/patch in either Sun5 or Oracle.  Then there is the discrepancy with v6.0 and v6.5.  These build numbers vary greatly for identical versions and platforms.  What’s going on here?  I have no explanation (or guess) for these anomalies, but am very curious.

| Version | Build Number | OS/Database Platforms |
| --- | --- | --- |
| 5.2.5 | 5.2.5.72 | Win32.Oracle/AIX.DB2 |
| 5.2.5 SP1 | 5.2.5.125 SP1 | Win32.Oracle/AIX.DB2 |
| 5.2.5 SP2 | 5.2.5.225 SP2 | Win32.SQLServer/AIX.Oracle |
| 5.2.5 SP4 | 5.2.5.414 SP4 | Win32.SQLServer |
| 5.3 | 5.3.0.115 | Win32.Oracle/Linux.Oracle/Win32.SQLServer |
| 5.3 | 5.3.0.117 | sun5.Oracle |
| 5.3 SP1 | 5.3.0.143 SP1 | Win32.Oracle/Win32.SQLServer/Linux.Oracle |
| 5.3 SP2 | 5.3.0.214 SP2 | sun5.Oracle/AIX.Oracle/HPUX.Oracle/Win32.Oracle/Win32.SQLServer |
| 5.3 SP3 | 5.3.0.315 SP3 | HPUX.Oracle/sun5.Oracle/Win32.Oracle/Win32.SQLServer/Linux.Oracle |
| 5.3 SP4 | 5.3.0.413 SP4 | Win32.Oracle/sun5.Oracle/Win32.SQLServer |
| 5.3 SP5 | 5.3.0.510 SP5 | Win32.SQLServer/sun5.Oracle/Linux.Oracle/AIX.Oracle |
| 5.3 SP6 | 5.3.0.622 SP6 | Win32.SQLServer/Win32.Oracle |
| 6.0 | 6.0.0.077 | Win32.SQLServer |
| 6.0 | 6.0.0.114 | Win32.SQLServer |
| 6.0 | 6.0.0.172 | Win32.Oracle |
| 6.0 SP1 | 6.0.0.116 SP1 | AIX.Oracle/Win32.Oracle |
| 6.5 | 6.5.0.033 | Win32.Oracle |
| 6.5 | 6.5.0.059 | Win32.Oracle |
| 6.5 SP1 | 6.5.0.117 SP1 | Win32.SQLServer/Win32.Oracle |
| 6.5 SP2 | 6.5.0.221 SP2 | Win32.SQLServer/Win32.Oracle |
| 6.5 SP3 | 6.5.0.322 SP3 | HPUX.Oracle |
| 6.5 SP3 | 6.5.0.355 SP3 P1100 | Linux.Oracle |
| 6.6 | 6.6.0.041 | Win32.SQLServer |
| 6.7 SP1 | 6.7.1000.0038 | Win64.SQLServer |
| 6.7 SP1 P10 | 6.7.1100.0181 | Win64.Oracle |
| 6.7 SP1 P11 | 6.7.1110.0195 | Win32.SQLServer |
| 6.7 SP2 | 6.7.2000.0039 | Win32.SQLServer |
| 6.7 SP2 P01 | 6.7.2010.0046 | Win32.SQLServer |
| 7.0 | 7.0.0000.0510 | Win64.SQLServer |
| 7.0 P06 | 7.0.0060.0557 | Win64.SQLServer |
| 7.1 | 7.1.0000.0151 | Linux.Oracle |

The table is missing a few entries (e.g., 6.7, and 5.2.5 SP3) as well as some OS/database combinations. If you can help fill out the table I would appreciate it. Send me your confirmed build numbers and OS/database combinations and I will update the table.  (The easiest way to determine the build number of your Content Server is to look at the first few lines of the server log.)

UPDATE:  Here is a link that explains version numbers, patch numbers, and build numbers for Content Server 6.5 SP2 and above:  https://support.emc.com/kb/116462

This is the general heuristic for “decoding” the version numbers.

6.7.1100.0181

| 6.7 | 1 | 100 | 0181 |
| --- | --- | --- | --- |
| major.minor version | SP | patch 10 with right-padded 0 | build number |
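The same heuristic can be applied to the version string from the server log to see whether a Content Server sits below a fixed patch level. This is an added example, not EMC's or the original post's code; it decodes only the four-digit layout shown above and compares against the minimum levels this page quotes for ESA-2014-105, and the function names are illustrative.

```python
import re
from typing import NamedTuple, Optional

class Build(NamedTuple):
    release: str  # "major.minor", e.g. "6.7"
    sp: int       # service pack, 0 when none
    patch: int    # patch number, 0 when none
    build: str    # build counter, kept as text to preserve zero padding

# Four-part form whose third field is SP digit + two patch digits + pad digit.
_FORM = re.compile(r"(\d+\.\d+)\.(\d)(\d\d)\d\.(\d{4})")

def decode(version: str) -> Optional[Build]:
    """Apply the heuristic above; None for strings in another layout."""
    m = _FORM.fullmatch(version.strip())
    if m is None:
        return None  # e.g. 6.6.0.041 from the table does not fit this form
    release, sp, patch, build = m.groups()
    return Build(release, int(sp), int(patch), build)

# Minimum fixed levels this page quotes for ESA-2014-105: (release, SP) -> patch.
ESA_2014_105 = {("7.1", 0): 9, ("7.0", 0): 16, ("6.7", 2): 18, ("6.7", 1): 29}

def meets_fix(version: str, fixed=ESA_2014_105) -> Optional[bool]:
    """True/False against the quoted minimum; None when no verdict is possible."""
    b = decode(version)
    if b is None or (b.release, b.sp) not in fixed:
        return None  # older layout, or a release line with no patch listed
    return b.patch >= fixed[(b.release, b.sp)]

def describe(version: str) -> str:
    b = decode(version)
    if b is None:
        return f"{version}: not in the four-digit layout"
    name = b.release + (f" SP{b.sp}" if b.sp else "") + (f" P{b.patch:02d}" if b.patch else "")
    verdict = {True: "at or above fixed level", False: "below fixed level",
               None: "no fixed level listed"}[meets_fix(version)]
    return f"{version}: {name}, build {b.build}, {verdict}"

if __name__ == "__main__":
    # Build numbers taken from the table above.
    for v in ("6.7.1100.0181", "6.7.2010.0046", "7.0.0060.0557", "7.1.0000.0151", "6.6.0.041"):
        print(describe(v))
```

Passing a different dictionary as `fixed` checks the same build against the patch levels of another ESA listed on this page.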