Another D2 ESA

Short and sweet: By exploiting this vulnerability, remote unauthenticated users may download any document from the Docbase by knowing only the r_object_id of that document.

Resolution: Upgrade to D2 v4.5 patch 15, or D2 v4.6 patch 03.

Here is the link:  ESA-2016-108: EMC Documentum D2 Authentication Bypass Vulnerability


Webtop ESA-2016-088

EMC has posted an ESA for Webtop: ESA-2016-088: EMC Documentum Webtop Unsafe Deserialization Vulnerability.  Here is the text of the ESA:

Documentum Webtop has a java deserialization code which may not validate if the input stream contains any malicious code. This code may be leveraged to exploit the system using malicious payloads with the help of the vulnerable versions of Apache libraries used in WebTop.

The following EMC Documentum Webtop release contains resolutions to these vulnerabilities:

  • EMC Documentum Webtop 6.8.1 P04 and later
  • EMC Documentum Webtop 6.8 P16 and later
  • EMC Documentum Capital Projects 1.9 P25 and later
  • EMC Documentum Capital Projects 1.10 P12 and later

EMC recommends all customers upgrade at the earliest opportunity. In addition, Documentum Engineering is working to validate a code fix for the following product families. This code fix will be available in upcoming maintenance releases:

  • EMC Documentum Administrator 7.2
  • EMC Documentum TaskSpace 6.7

This ESA will be updated as code fixes become available.

This is an interesting ESA in that the vulnerability seems to be with Apache libraries, not Webtop directly, and no resolution or corrective action is given.  Usually, EMC announces ESAs after the issues have been corrected in a patch.

ESA for Documentum D2 Configuration Object Vulnerability

EMC has issued ESA-2016-034: EMC Documentum D2 Configuration Object Vulnerability.

Prior to EMC Documentum D2 4.6, many D2 Configuration object types were not properly protected with ACLs. As a result, an authenticated but unprivileged user could then modify or delete such objects.

EMC recommends that all customers upgrade to D2 4.6 at the earliest opportunity.

Really… that’s all it says.

UPDATE:  See an explanation of the vulnerability and the fix from Yuri Simione.

Documentum Core Stack Security Status

EMC recently sent an email to customers summarizing the current security status of the Documentum core stack (Content Server, xPlore, Webtop).  It is a nice summary of supported versions, current patches, and applicable ESAs.


The list of published security advisories is available here or here.

Documentum Content Server ESAs for September

EMC has released two ESAs and corresponding patches for September:

Fixes are available in the latest patches for Content Server v7.1 and v7.2 (P20 and P04, respectively).  The hotfix for v7.0 is pending and can be requested from EMC.

ESA for D2 Fail Open Vulnerability

EMC just released ESA-2015-132: EMC Documentum D2 Fail Open Vulnerability.  I especially like this one:

“Lockbox is a component of Documentum D2 which securely stores passwords in an encrypted file. Removing the file D2.Lockbox from the Documentum Content Server and/or Application Server causes Documentum D2 to fallback to using a hard coded passphrase to encrypt sensitive admin tickets. An attacker can easily recover this hard coded password and obtain admin tickets by decompiling Documentum D2 jar files.”

The remedy is to upgrade your environments to D2 v4.5.  Happy upgrading!

Latest Documentum ESAs

EMC released ESA-2015-130 and ESA-2015-131 this week describing new vulnerabilities discovered in Webtop and Content Server, respectively.

  • ESA-2015-130 describes a Cross-Site Request Forgery (CSRF) vulnerability in Webtop 6.8 (and Webtop-based apps like DA 7.2) where an attacker may  trick authenticated users to click on  links embedded within an email, web page, or another source, and perform Docbase operations with that user’s privileges. This is apparently the second time this has been fixed, as the previous fix was incomplete.
  • ESA-2015-131 describes several very interesting privilege escalations and information leaks in the Content Server.  Read the ESA for the details.  Content Server versions 6.7 SP1 – 7.2 are affected.

The remedies for all of these vulnerabilities are contained in the latest patch releases for Webtop, DA, and Content Server.

ESA: Webtop Open Redirect Vulnerability

EMC released ESA-2015-123: EMC Documentum WebTop Open Redirect Vulnerability, identifying a vulnerability in Webtop, DA, DAM, WebPub, and TaskSpace (all supported versions).  Patches are available for Webtop and DA (v6.8 P02 and v7.2 P01, respectively).  Patches for the other products are by request only.

Webtop and Webtop-based client products may allow users to be redirected to untrusted websites.  These products contain an open redirect  vulnerability that attackers may exploit by supplying crafted URLs to users of the affected application causing a browser redirect to arbitrary and potentially malicious websites.

Two Documentum ESAs (Webtop and D2)

In case you missed them, EMC released two ESAs last week, one for D2, ESA-2015-108: EMC Documentum D2 Multiple DQL Injection Vulnerabilities, and one for Webtop,ESA-2015-111: EMC Documentum WebTop Client Products Multiple Vulnerabilities.  Nothing terribly dramatic here, although it is interesting that the Webtop vulnerability affects all currently supported WDK-based clients.  To me, that means the vulnerability has been around for a long time.  As always, the announcement of these vulnerabilities coincides with the release of the patches to fix them.

D2 Cross-Site Scripting ESA

EMC released ESA-2015-109: EMC Documentum D2 Cross-Site Scripting Vulnerability detailing a security vulnerability in D2 v4.1, v4.2, and v4.5.  Interestingly, D2 v4.5 (no patch) is the recommended remediation for the vulnerability, though it is also listed as an affected product. Cross-Site Scripting (XSS) still remains one of the most prevalent vulnerabilities in software today, and one of the easiest to fix(*).


* I have no affiliation with Acunetix but found their explanation to be good and thorough.

%d bloggers like this: