Documentum Core Stack Security Status

EMC recently sent an email to customers summarizing the current security status of the Documentum core stack (Content Server, xPlore, Webtop).  It is a nice summary of supported versions, current patches, and applicable ESAs.

[Image: DCTM-versions-patches (table of Documentum versions, current patches, and applicable ESAs)]

The list of published security advisories is available here or here.

A Qualitative Assessment of the 2012 Internet Census

Remember the 2012 Internet Census published in March 2013?  Some ACM researchers have conducted a qualitative assessment of the census’s data set and have some interesting conclusions, including that the data set is real but unverifiable, and the collection methodology was undoubtedly unethical.  Well, that part was apparent from the beginning.

Here is a PDF of the paper.  Here is the Slashdot post with some additional comments and links.

Documentum and the Heartbleed OpenSSL Bug

In case you haven’t heard, most EMC products are NOT susceptible to the Heartbleed OpenSSL vulnerability (CVE-2014-0160).  See the explanation and list in this KB article: OpenSSL Heartbeat Vulnerability (Heartbleed) in EMC products, https://support.emc.com/kb/185965.

So, the two Documentum products listed, D2 and eRoom, are marked “Not Impacted”; however, the details column says “In progress”.  Does that mean testing is in progress, or a fix is in progress?  And what about other Documentum products like Content Server, Java Method Server, Webtop, Business Process Engine, xPlore…?  We already know that Syncplicity is affected; that ESA was issued yesterday, https://support.emc.com/kb/185966.

Stay tuned to the KB, EMC has promised updates.

UPDATE:  EMC has updated the list of non-impacted products in this KB article to include a much larger collection of Documentum products; none of which use OpenSSL and therefore are not vulnerable.


TaskSpace Security Vulnerabilities Patched

EMC just issued ESA-2014-012 for EMC Documentum TaskSpace security vulnerabilities.  The vulnerabilities listed are a Privilege Escalation vulnerability and an Arbitrary File Retrieval vulnerability.  The ESA contains a simple workaround for the Privilege Escalation vulnerability.  Both problems are corrected in the following patches:

  • TaskSpace 6.7 SP1 P25
  • TaskSpace 6.7 SP2 P11

Click here for a list of all EMC Security Advisories.

New Documentum Security Vulnerabilities Announced

On Monday, EMC announced it had identified and corrected two new security vulnerabilities in the Documentum family of products; both are of the Cross-Site Scripting variety.

The first involves eRoom 7.4.4 prior to P11.  Here is the announcement:  ESA-2013-073: EMC Documentum eRoom Multiple Cross Site Scripting Vulnerabilities.

The second vulnerability affects the Documentum web client products (mostly the 6.7 SP releases, plus a few older product lines).  Specifically:

  • Documentum Webtop prior to 6.7 SP2 P07
  • Documentum WDK prior to 6.7 SP2 P07
  • Documentum Taskspace prior to 6.7 SP2 P07
  • Documentum Records Manager prior to 6.7 SP2 P07
  • Documentum Web Publisher prior to 6.5 SP7
  • Documentum Digital Asset Manager prior to 6.5 SP6
  • Documentum Administrator prior to 6.7 SP2 P07
  • Documentum Capital Projects prior to 1.8 P01

Here is the announcement: ESA-2013-070: EMC Documentum Cross Site Scripting Vulnerability.

Please read the ESAs for remedy details, but in most cases, applying the noted patches corrects the problems.

The Internet Census (2012)

I stumbled upon the Internet Census (2012) the other day and found it fascinating; maybe it’s old news to you, but I thought I would share it anyway.  The author of this paper describes how he created a botnet and “infected” 420,000 hosts in order to measure the Internet.  His conclusion:  1.3 billion IP addresses in use.

His methodology is interesting and impressive, but perhaps more interesting are some of his findings (e.g., the number of open and unprotected ports).  The raw results are available here for download (586GB).  Is your IP range or domain name included?

I’m glad this guy wore a “white hat” and was a competent programmer, because it seems to me that he could have easily brought the Internet to a halt either maliciously or accidentally.

Here is a link to previous, but (IMHO) not as impressive, surveys.

UPDATE:  An after-the-fact qualitative assessment of the census data.

Documentum Security Best Practices Update

Late last week (6/6/2013), EMC released a security advisory (ESA) for all versions of Documentum Content Server using Accelerated Content Services (ACS) and Branch Office Caching Services (BOCS).  The advisory is an update to Documentum security best practices for securing communications between browser clients and the Documentum Content Server.  The advisory applies to all consumers of ACS/BOCS URLs, including Taskspace and Webtop.  The ESA can be found here.  The recommended “fix” can be found here.

The gist of the fix is to enable the URL validation filter, which allows an ACS/BOCS content URL to be used only once; a URL that has already been served (or that is copied, replayed, or shared) is rejected.  This setting, in the web.xml of the ACS and BOCS web applications (acs.war and bocs.war), is disabled by default for better backward compatibility.

Older UCF clients do not support single-use ACS/BOCS URLs, so once you make this configuration change, you will need to upgrade all of your UCF clients to a release that supports it.  Minimum upgrades are:

  • Documentum 7.0 Patch 05,
  • Documentum 6.6 Patch 32,
  • Documentum 6.7 SP1 Patch 15, or
  • Documentum 6.7 SP2