DFS ESA for Java Vulnerabilities

EMC published ESA-2015-017: EMC Documentum Foundation Services (DFS) Security Update for Oracle Java Runtime Environment (JRE) recommending an upgrade to Java JRE 7u72 on the DFS server and client machines.  The vulnerabilities addressed by this update are described at Oracle CPU for October 2014.

I find this ESA puzzling.  First, the ESA suggests upgrading DFS to v7.2.  I can’t find DFS v7.2, can you?  (DFS v7.1 patch 13 was issued in Jan 2015.)  It is unclear whether DFS must be upgraded to the (mythical) v7.2 to work with Java JRE 7u72, or whether simply upgrading the JRE is sufficient to address the vulnerabilities.  Second, Java 7u75 is the latest Java version; why doesn’t the ESA recommend updating to Java 7u75?

Can anyone shed some light on this?

Note, the end of public updates for Java 7 is scheduled for April 2015.  At that point, I suspect EMC will provide ESAs or ETAs recommending upgrading to Java 8 and issuing the requisite patches for their products.

UPDATE: ESA-2015-016: EMC Documentum Content Server Security Update for Oracle Java Runtime Environment (JRE) covers essentially the same vulnerabilities for the Content Server platform.

DFS, Content Server, and eRoom Vulnerabilities

EMC released several ESAs this week for vulnerabilities in the DFS, the Content Server, and eRoom.

ESA-2014-057: EMC Documentum Foundation Services (DFS) XML External Entity (XXE) Vulnerability – This ESA discusses a problem with the way DFS parses incoming XML streams from authenticated users.  The list of affected products is long:

  • Documentum Foundation Services (DFS) 6.6 all service packs and patch versions prior to P39
  • Documentum Foundation Services (DFS) 6.7 SP1 all patch versions prior to P28
  • Documentum Foundation Services (DFS) 6.7 SP2 all patch versions prior to P15
  • My Documentum for Desktop 6.7.2
  • My Documentum for Microsoft Outlook 6.7 SP1, SP2
  • My Documentum for Microsoft Outlook 6.7.3
  • My Documentum for Microsoft Outlook 6.7.1
  • Documentum CenterStage 1.2 SP1, SP2

I find it interesting that TaskSpace and xCP are not on this list.  The remedy is to upgrade to the latest patch levels.  At this time, these patch levels are:

  • DFS 6.6 P39 and later
  • DFS 6.7 SP1 P28 and later
  • DFS 6.7 SP2 P15 and later
  • My Documentum for Desktop 6.7.2 P15 and later
  • My Documentum for Microsoft Outlook 6.7 SP1 P28
  • My Documentum for Microsoft Outlook 6.7 SP2 P15
  • My Documentum for Microsoft Outlook 6.7.1 P29
  • My Documentum for Microsoft Outlook 6.7.3 (Hotfix)
  • Documentum CenterStage 1.2 SP2 P06
  • Documentum CenterStage 1.2 SP1 (Hotfix)

ESA-2014-064: EMC Documentum Content Server Privilege Escalation Vulnerabilities – This ESA seems related to, if not similar to, ESA-2014-046.  Perhaps the first set of patches wasn’t thorough enough?  To shore up your installation, upgrade to these patch levels:

  • Documentum Content Server version 7.1 P06 and later
  • Documentum Content Server version 7.0 P15 and later
  • Documentum Content Server version 6.7 SP2 P15 and later
  • Documentum Content Server version 6.7 SP1 P28 and later

ESA-2014-060: EMC Documentum eRoom Multiple Cross-Site Scripting Vulnerabilities – This ESA addresses cross-site scripting vulnerabilities in eRoom.  This vulnerability was previously announced and patched last year in ESA-2013-073.  Again, perhaps not completely.  Upgrade to:

  • eRoom 7.4.3 ESA-2014-060 (hot fix)
  • eRoom 7.4.4 P19 and later
  • eRoom 7.4.4 SP1 ESA-2014-060 (hot fix)

As always, thoroughly test any patch or upgrade before deploying it to production.

DFS Vulnerability Announced (and Fixed)

EMC issued ESA-2014-005: EMC Documentum Foundation Services (DFS) Content Access Vulnerability last night.  This is not related to the Heartbleed bug.  The problem is that the DFS server is vulnerable to malicious attacks that may allow access to content on the DFS file system.  This is due to the way the DFS web service is used to upload content.

Affected versions of the DFS are:

  • Documentum Foundation Services (DFS) 6.5, 6.6, 6.7, 7.0, 7.1 with all service packs and patches
  • My Documentum for Desktop 6.7.2 with all service packs and patches
  • My Documentum for Microsoft Outlook 6.7 SP1, 6.7 SP2, 6.7.1 with all patches
  • CenterStage 1.0, 1.1, 1.2, 1.2 SP1 (with all patches), 1.2 SP2 P01 and P02

The remedy, of course, is to upgrade to the latest patched releases.  Note that the unsupported product versions (DFS 6.5, 6.6, CenterStage 1.0, 1.1) are not directly patched; these products will require true upgrades.

  • DFS 6.7 SP1 P22
  • DFS 6.7 SP2 P08
  • DFS 7.0 P12
  • DFS 7.1 P01 and later versions
  • My Documentum for Desktop 6.7.2 P11
  • My Documentum for Microsoft Outlook 6.7 SP2 P09
  • My Documentum for Microsoft Outlook 6.7.1 P22
  • My Documentum for Microsoft Outlook 6.7 SP1-Hotfix
  • CenterStage 1.2 SP2 P03

The ESA contains links directly to each product’s patch. See the ESA for more details.

DFS Security Advisory

Last night, EMC published a security advisory (ESA) for DFS.  The issue is:

“The DFS server may be vulnerable to malicious attacks that may allow access to content on the DFS file system. This is due to the way the DFS web service is used to upload content.”

This vulnerability is present in all versions of DFS v6.5 – v7.1.  The remedy is to apply one of the patches listed in the ESA.  Interesting that all the patches mentioned for DFS v6.x are a few versions out of date.