ESA for D2 Fail Open Vulnerability

EMC just released ESA-2015-132: EMC Documentum D2 Fail Open Vulnerability.  I especially like this one:

“Lockbox is a component of Documentum D2 which securely stores passwords in an encrypted file. Removing the file D2.Lockbox from the Documentum Content Server and/or Application Server causes Documentum D2 to fallback to using a hard coded passphrase to encrypt sensitive admin tickets. An attacker can easily recover this hard coded password and obtain admin tickets by decompiling Documentum D2 jar files.”

The remedy is to upgrade your environments to D2 v4.5.  Happy upgrading!


ESA: Webtop Open Redirect Vulnerability

EMC released ESA-2015-123: EMC Documentum WebTop Open Redirect Vulnerability, identifying a vulnerability in Webtop, DA, DAM, WebPub, and TaskSpace (all supported versions).  Patches are available for Webtop and DA (v6.8 P02 and v7.2 P01, respectively).  Patches for the other products are by request only.

Webtop and Webtop-based client products may allow users to be redirected to untrusted websites.  These products contain an open redirect vulnerability that attackers may exploit by supplying crafted URLs to users of the affected application, causing a browser redirect to arbitrary and potentially malicious websites.

D2 Cross-Site Scripting ESA

EMC released ESA-2015-109: EMC Documentum D2 Cross-Site Scripting Vulnerability detailing a security vulnerability in D2 v4.1, v4.2, and v4.5.  Interestingly, D2 v4.5 (no patch) is the recommended remediation for the vulnerability, though it is also listed as an affected product. Cross-Site Scripting (XSS) still remains one of the most prevalent vulnerabilities in software today, and one of the easiest to fix(*).


* I have no affiliation with Acunetix but found their explanation to be good and thorough.

ESA for Content Server AEK

ESA-2015-013: EMC Documentum Content Server Improper Storage of Sensitive Keys Vulnerability – The root encryption key (i.e., the Application Encryption Key – AEK) on the Content Server is stored on the file system without proper security measures. An authenticated malicious user with access to the local file system could access this encryption key and retrieve sensitive application information.  This vulnerability affects all versions of the Content Server prior to v7.2.  Documentum Content Server v7.2 uses RSA’s Lockbox technology to protect this (and other) crypto keys on the Content Server.

EMC recommends upgrading to Documentum Content Server v7.2 ASAP.

UPDATE:  This ESA was updated to include a best practice: All customers are strongly advised to change the default passphrase that is used to encrypt AEK using dm_crypto_change_passphrase.

Content Server Vulnerabilities

Another EMC security announcement, this one for multiple vulnerabilities in the Content Server:  ESA-2014-046: EMC Documentum Content Server Multiple Vulnerabilities.

EMC Documentum Content Server may be susceptible to the following vulnerabilities:

  • Privilege Escalation:  Authenticated non-privileged users are allowed to create system objects with super user privileges due to improper authorization checks being performed on these objects. This may potentially be exploited by a malicious attacker to gain unauthorized access to data or to perform unauthorized actions on Content Server.
  • Shell Injection:  Certain methods in Documentum Content Server perform improper validation checks on input arguments. This may potentially be exploited by an authenticated malicious user to conduct shell injection attacks against these methods and perform unauthorized actions on Content Server.
  • DQL Injection:  Certain DQL hints in Documentum Content Server may potentially be exploited by an authenticated malicious user to conduct DQL injection attacks and perform unauthorized database actions.

Affected versions are:

  • Documentum Content Server all versions of 7.1
  • Documentum Content Server all versions of 7.0
  • Documentum Content Server all versions of 6.7 SP
  • Documentum Content Server all versions of 6.7 SP1 and earlier

The remedy is to upgrade the Content Server to the following minimum patch levels:

  • Documentum Content Server 7.1 P05 and later
  • Documentum Content Server 7.0 P15 and later
  • Documentum Content Server 6.7 SP2 P14 and later
  • Documentum Content Server 6.7 SP1 P28 and later


DAM DQL ESA

EMC has issued ESA-2014-024: EMC Documentum Digital Asset Manager DQL Injection Vulnerability. 

The DAM thumbnail proxy server allows unauthenticated users to query objects using a vulnerable URL query string parameter. A malicious attacker may potentially conduct Blind DQL injection attacks using the vulnerable parameter to infer or modify the database contents.

Affected products are:

  • Documentum Digital Asset Manager 6.5 SP3
  • Documentum Digital Asset Manager 6.5 SP4
  • Documentum Digital Asset Manager 6.5 SP5
  • Documentum Digital Asset Manager 6.5 SP6

A hot fix is available for DAM 6.5 SP3 – SP5. A patch is available for DAM 6.5 SP6.
The hotfix for DAM 6.5 SP3 – SP5 can be downloaded from:

The patch, DAM 6.5 SP6 P13, can be downloaded from:

D2 and D2FS DQL Vulnerability

EMC just announced a vulnerability and patch to correct a security issue in D2.  ESA-2014-045: EMC Documentum D2 Arbitrary DQL Query Execution Vulnerability states that unpatched versions of D2 and D2FS can allow an authenticated user to execute arbitrary DQL queries with superuser privileges.

Affected versions of D2 and D2FS are:

  • D2 3.1 and patched versions
  • D2 3.1SP1 and patched versions
  • D2 4.0 and patched versions
  • D2 4.1 and patched versions
  • D2 4.2 and patched versions

The resolution is to upgrade to the following versions:

  • D2 3.1 P20
  • D2 3.1SP1 P02
  • D2 4.0 P10
  • D2 4.1 P13
  • D2 4.2 P01

DFS Vulnerability Announced (and Fixed)

EMC issued ESA-2014-005: EMC Documentum Foundation Services (DFS) Content Access Vulnerability last night.  This is not related to the HeartBleed bug.  The problem is the DFS server is vulnerable to malicious attacks that may allow access to content on the DFS file system. This is due to the way the DFS web service is used to upload content.

Affected versions of the DFS are:

  • Documentum Foundation Services (DFS) 6.5, 6.6, 6.7, 7.0, 7.1 with all service packs and patches
  • My Documentum for Desktop 6.7.2 with all service packs and patches
  • My Documentum for Microsoft Outlook 6.7 SP1, 6.7 SP2, 6.7.1 with all patches
  • CenterStage 1.0, 1.1, 1.2, 1.2 SP1 (with all patches), 1.2 SP2 P01 and P02

The remedy, of course, is to upgrade to the latest patched releases.  Note that unsupported product versions (DFS 6.5, 6.6, CenterStage 1.0, 1.1) are not directly patched; these products will require true upgrades.

  • DFS 6.7 SP1 P22
  • DFS 6.7 SP2 P08
  • DFS 7.0 P12
  • DFS 7.1 P01 and later versions
  • My Documentum for Desktop 6.7.2 P11
  • My Documentum for Microsoft Outlook 6.7 SP2 P09
  • My Documentum for Microsoft Outlook 6.7.1 P22
  • My Documentum for Microsoft Outlook 6.7 SP1-Hotfix
  • CenterStage 1.2 SP2 P03

The ESA contains links directly to each product’s patch. See the ESA for more details.

Content Server HeartBleed Update

EMC issued an ESA last night announcing patches for Content Server to remedy the HeartBleed vulnerability.  You should upgrade your Content Servers to the following patch levels to be safe:

  • EMC Documentum Content Server (All Platforms) version 7.1 P04 and later,
  • EMC Documentum Content Server Linux version 7.0 P14 and later,
  • EMC Documentum Content Server Linux version 6.7 SP2 P13 and later,
  • EMC Documentum Content Server Linux version 6.7 SP1 P27 and later.

After the upgrade, EMC recommends that you:

  • Renew certificates,
  • Revoke old certificates,
  • Change passwords for CAS user accounts.

EMC’s running laundry list of impacted and non-impacted products is here.

P.S.  I love this XKCD illustration of how HeartBleed works.

Two New Documentum Security Issues

Hot on the heels of yesterday’s “HeartBleed” SSL vulnerability announcement come two more ESAs from EMC, these specific to the Content Server.

ESA-2014-026: EMC Documentum Content Server Information Disclosure Vulnerability – “EMC Documentum Content Server may be vulnerable to an information disclosure vulnerability that may potentially be exploited by malicious users to gain unauthorized access to metadata. This is due to improper authorization checks being performed when trying to access metadata from folders outside of restricted folders configured for Content Server users. This vulnerability is only limited to reading the metadata as the malicious user is not able to gain read/write access to the content itself.”

The resolution is to upgrade to these minimum patch levels:

  • EMC Documentum Content Server version 7.1 P02 and later
  • EMC Documentum Content Server version 7.0 P13 and later
  • EMC Documentum Content Server version 6.7 SP2 P13 and later
  • EMC Documentum Content Server version 6.7 SP1 P26 and later

UPDATE:  Yuri Simione, the vulnerability discoverer, has a detailed explanation of this vulnerability on his blog.

ESA-2014-023: EMC Documentum JBOSS Remote Code Execution Vulnerability – “EMC Documentum Content Server and xPlore embed JBoss servlets (JMXInvokerServlet and EJBInvokerServlet). These JBOSS servlets are vulnerable to remote code execution vulnerability. The vulnerability may be exploited to execute remote code with NT AUTHORITY\SYSTEM privileges. Affected JBOSS servlets are not required for either Documentum Content Server or xPlore’s functionality.”

The resolution is to upgrade to these minimum patch levels:

  • EMC Documentum Content Server version 7.1
  • EMC Documentum Content Server version 7.0 P13 and later
  • EMC Documentum Content Server version 6.7 SP2 P12
  • EMC Documentum Content Server version 6.7 SP1 P24
  • EMC Documentum xPlore version 1.4
  • EMC Documentum xPlore version 1.2 P25 and later

There is also a workaround if you prefer not to patch at this time:

  1. Stop the “Java Method Server” service.
  2. Open ..\jboss5.1.0\server\DctmServer_MethodServer\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml.
  3. Modify the web.xml file to remove the definition and mapping for the servlets EJBInvokerServlet and JMXInvokerServlet.
  4. Start the “Java Method Server” service.
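One way to script step 3 of that workaround, as an added example that is neither EMC's code nor from the original post: it parses a web.xml (a constructed sample is embedded inline; the servlet class names and the ExampleServlet entries are assumptions, not EMC's real file), removes every servlet definition and servlet-mapping named EJBInvokerServlet or JMXInvokerServlet, and reports what was removed so the edit can be checked before the Java Method Server is restarted.

```python
import xml.etree.ElementTree as ET

# Servlets the ESA says neither Content Server nor xPlore needs.
UNNEEDED_SERVLETS = {"EJBInvokerServlet", "JMXInvokerServlet"}

# Constructed sample shaped like a JBoss invoker.war web.xml; the servlet
# class names and the ExampleServlet entries are illustrative, not EMC's file.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet><servlet-name>JMXInvokerServlet</servlet-name><servlet-class>example.Invoker</servlet-class></servlet>
  <servlet><servlet-name>EJBInvokerServlet</servlet-name><servlet-class>example.Invoker</servlet-class></servlet>
  <servlet><servlet-name>ExampleServlet</servlet-name><servlet-class>example.Other</servlet-class></servlet>
  <servlet-mapping><servlet-name>JMXInvokerServlet</servlet-name><url-pattern>/JMXInvokerServlet/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>EJBInvokerServlet</servlet-name><url-pattern>/EJBInvokerServlet/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>ExampleServlet</servlet-name><url-pattern>/example/*</url-pattern></servlet-mapping>
</web-app>
"""

# Serialise the default namespace without an ns0: prefix.
ET.register_namespace("", "http://java.sun.com/xml/ns/javaee")


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree attaches to tag names."""
    return tag.rsplit("}", 1)[-1]


def servlet_name_of(element):
    """Text of the element's <servlet-name> child, or None if it has none."""
    for child in element:
        if local_name(child.tag) == "servlet-name":
            return (child.text or "").strip()
    return None


def strip_invoker_servlets(web_xml_text, names=UNNEEDED_SERVLETS):
    """Drop each <servlet> and <servlet-mapping> whose servlet-name is in names.
    Returns (rewritten_xml, removed); removed lists 'element:name' entries so the
    operator can confirm both the definition and the mapping are gone."""
    root = ET.fromstring(web_xml_text)
    removed = []
    for child in list(root):  # iterate over a copy while mutating root
        kind = local_name(child.tag)
        if kind in ("servlet", "servlet-mapping") and servlet_name_of(child) in names:
            removed.append(f"{kind}:{servlet_name_of(child)}")
            root.remove(child)
    return ET.tostring(root, encoding="unicode"), removed


def remaining_servlet_names(web_xml_text):
    """Servlet names still referenced by any definition or mapping."""
    root = ET.fromstring(web_xml_text)
    return sorted({servlet_name_of(c) for c in root
                   if local_name(c.tag) in ("servlet", "servlet-mapping")})
```

Run it against a backup copy of the real web.xml first and diff the result; an unrelated servlet such as the sample's ExampleServlet must survive untouched.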

Happy patching!
