Documentum Content Server ESAs for September

EMC has released two ESAs and corresponding patches for September:

Fixes are available in the latest patches for Content Server v7.1 and v7.2 (P20 and P04, respectively).  The hotfix for v7.0 is pending and can be requested from EMC.

Latest Documentum ESAs

EMC released ESA-2015-130 and ESA-2015-131 this week describing new vulnerabilities discovered in Webtop and Content Server, respectively.

  • ESA-2015-130 describes a Cross-Site Request Forgery (CSRF) vulnerability in Webtop 6.8 (and Webtop-based apps like DA 7.2) where an attacker may  trick authenticated users to click on  links embedded within an email, web page, or another source, and perform Docbase operations with that user’s privileges. This is apparently the second time this has been fixed, as the previous fix was incomplete.
  • ESA-2015-131 describes several very interesting privilege escalations and information leaks in the Content Server.  Read the ESA for the details.  Content Server versions 6.7 SP1 – 7.2 are affected.

The remedies for all of these vulnerabilities are contained in the latest patch releases for Webtop, DA, and Content Server.

Two Documentum ESAs (Webtop and D2)

In case you missed them, EMC released two ESAs last week, one for D2, ESA-2015-108: EMC Documentum D2 Multiple DQL Injection Vulnerabilities, and one for Webtop,ESA-2015-111: EMC Documentum WebTop Client Products Multiple Vulnerabilities.  Nothing terribly dramatic here, although it is interesting that the Webtop vulnerability affects all currently supported WDK-based clients.  To me, that means the vulnerability has been around for a long time.  As always, the announcement of these vulnerabilities coincides with the release of the patches to fix them.

ESA for “POODLE” Vulnerability

EMC has released ESA-2015-092: EMC Documentum Content Server Security Update for Multiple Embedded Component Vulnerabilities which addresses “POODLE” vulnerabilities with the SSL implementation in the Content Server.  The following patches will correct these vulnerabilities (Note:  the patch for Content Server 7.0 will not be available until Q3 2015):

  • Documentum Content Server 7.0 P20
  • Documentum Content Server 7.1 P17
  • Documentum Content Server 7.2 P01


ESA for Documentum Content Server and JRE

EMC published ESA-2015-016: EMC Documentum Content Server Security Update for Oracle Java Runtime Environment (JRE).  The vulnerabilities described here are the same as described in ESA-2015-017: EMC Documentum Foundation Services (DFS) Security Update for Oracle Java Runtime Environment (JRE) published last week.  Why they couldn’t cover all vulnerabilities — especial those all dealing with the JRE and having the same remedy — in one ESA, I don’t know.

DFS ESA for Java Vulnerabilities

EMC published ESA-2015-017: EMC Documentum Foundation Services (DFS) Security Update for Oracle Java Runtime Environment (JRE) recommending an upgrade to Java JRE 7u72 on the DFS server and client machines.  The vulnerabilities addressed by this update are described at Oracle CPU for October 2014.

I find this ESA puzzling.  First, the ESA suggests upgrading DFS to v7.2.  I can’t find DFS v7.2, can you?  (DFS v7.1 patch 13 was issued in Jan 2015.)  It is unclear whether DFS must be upgraded to the (mythical) v7.2 to work with Java JRE 7u72 or is simply upgrading the JRE sufficient to address the vulnerabilities.  Second, Java 7u75 is the latest Java version, why doesn’t the ESA recommend updating to Java 7u75?

Can anyone shed some light on this?

Note, the end of public updates for Java 7 is scheduled for April 2015.  At that point, I suspect EMC will provide ESAs or ETAs recommending upgrading to Java 8 and issuing the requisite patches for their products.

UPDATE: ESA-2015-016: EMC Documentum Content Server Security Update for Oracle Java Runtime Environment (JRE) covers essentially the same vulnerabilities for the Content Server platform.

D2 ESA for Information Disclosure and Privilege Escalation Vulnerability

EMC released ESA-2015-010: EMC Documentum D2 Multiple Vulnerabilities detailing two important vulnerabilities of the D2 platform corrected by their most recent patches (D2 v4.1 P22 and D2 v4.2 P11).  The first vulnerability could allow an MD5 hash of important user and system credentials to be retrieved from log files by a low-privileged user.  This hash could potentially be reverse-engineered to recover credentials.  The second vulnerability could allow a low-privileged user to gain superuser status through group manipulation via a flaw in D2FS.

In addition, if you use Microsoft Explorer, you need to know about this vulnerability which could allow an attacker to steal your login credentials.



CERT Vulnerability Info for Documentum Products

I stumbled upon this Tweet today and found it to be interesting. It links to a vulnerability database entry, Vulnerability Note VU#315340: EMC Documentum products contain multiple vulnerabilities, at the Carnegie Mellon University’s Software Engineering Institute’s CERT site.  The real gem in this database entry is in the linked spreadsheet.  The spreadsheet contains  researcher’s and EMC’s notes on vulnerabilities documented in ESAs.  The notes provide additional insight into each vulnerability and fix than the ESAs do.  Check it out!

The CERT database entry and the notes are credited to Andrey Panfilov, check out his blog:


Content Server Vulnerability (ESA-2014-156)

EMC just released ESA-2014-156: EMC Documentum Content Server Insecure Direct Object Reference Vulnerability, which details a security vulnerability with ALL versions of the Content Server.  EMC recommends patching Content Server 7.1 to patch 10, and Content Server 6.7 SP2 to patch 19.  Though other versions of the Content Server are effected, these are the only patches provided.  Contact EMC Support for hotfixes to other Content Server versions.

Documentum ESA for Multiple Vulnerabilities

EMC published ESA-2014-105: EMC Documentum Content Server Multiple Vulnerabilities.  The multiple vulnerabilities are:

  • LDAP Authentication Bypass – Documentum Content Server configured with LDAP with the “bind_search_dn” option set as the authentication source may be subject to a potential authentication bypass vulnerability due to improper error handling within LDAP plug-in. A malicious user with knowledge of a valid user name can leverage this vulnerability to access Documentum Content Server.
  • Privilege Escalation – Unprivileged Content Server users may potentially escalate their privileges to become a superuser by creating and performing malicious operations on dm_job and dm_job_request objects. This is due to improper authorization checks being performed on such objects and some of their attributes.
  • Multiple OpenSSL Vulnerabilities – The OpenSSL project released a security advisory on August 6, 2014 disclosing multiple vulnerabilities in OpenSSL that may potentially affect EMC Documentum Content Server customers.

The products affected are:

  • Documentum Content Server versions of 7.1
  • Documentum Content Server versions of 7.0
  • Documentum Content Server versions of 6.7 SP2
  • Documentum Content Server versions of 6.7 SP1
  • Documentum Content Server versions prior to 6.7 SP1

The resolutions are contained in the following patches:

  • EMC Documentum Content Server version 7.1 P09 and later
  • EMC Documentum Content Server version 7.0 P16 and later
  • EMC Documentum Content Server version 6.7 SP2 P18 and later
  • EMC Documentum Content Server version 6.7 SP1 P29 and later
%d bloggers like this: