A | B | C | D | E | F | G | H | |
---|---|---|---|---|---|---|---|---|
1 | VU# ID | Other IDs | Summary | Description | Vendor Status | Researcher Comments | EMC Comments | EMC Update as of 12/22/2016 |
2 | Provided by EMC Corporation For status from the vendor, please visit https://support.emc.com/docu38558 (requires EMC Online Support credentials). Search by CVE ID and/or ESA ID referenced in this spreadsheet. | Provided by Andrey B. Panfilov | Provided by EMC Corporation For status from the vendor, please visit https://support.emc.com/docu38558 (requires EMC Online Support credentials). Search by CVE ID and/or ESA ID referenced in this spreadsheet. | Provided by EMC Corporation | ||||
3 | VU#889944 | CVE-2014-2520 VRF#HUD8DYFU PSRC-2070 ESA-2014-079 | EMC Documentum Content Server does not properly handle RETURN_RANGE hint passed to DQL query. | Attacker may execute any SQL select statement, bypassing ACL restrictions. | THIS HAS BEEN FIXED: EMC Documentum Content Server 7.1 P07 and later EMC Documentum Content Server 7.0: Hotfixes are available for Windows and Linux. Contact EMC Support to obtain them. The hot fixes were rolled into 7.0 P16. For Solaris and AIX, contact EMC Support to open Hotfix requests. EMC Documentum Content Server 6.7 SP2 P16 and later EMC Documentum Content Server 6.7 SP1: Hotfixes are available for Windows and Linux. Contact EMC Support to obtain them. For Solaris and AIX, contact EMC Support to open Hotfix requests. These fixes were rolled into 6.7 SP1 P22 and later. COMMENTS: Both Win-SQL and Linux-Oracle platforms have been fixed. | The status of issue is still not clear. EMC Documentum Content Server supports four RDBMSs: Oracle, MSSQL, Sybase and DB2. What does the EMC’s answer really mean, Sysbase and DB2 builds were not vulnerable or Sysbase and DB2 builds were not remediated? | The fix was done at the common layer. The fix identified in ESA-2014-079 addresses this issue for all supported RDBMSs. PSRC-2070 ESA-2014-079 CVE-2014-2520 Fixed versions: EMC Documentum Content Server 7.1 P07 and later EMC Documentum Content Server 7.0 P16 and later EMC Documentum Content Server 6.7 SP2 P16 and later EMC Documentum Content Server 6.7 SP1 P22 and later | The fix was done at the common layer. The fix identified in ESA-2014-079 addresses this issue for all supported RDBMSs. PSRC-2070 ESA-2014-079 CVE-2014-2520 Fixed versions: EMC Documentum Content Server 7.1 P07 and later EMC Documentum Content Server 7.0 P16 and later EMC Documentum Content Server 6.7 SP2 P16 and later EMC Documentum Content Server 6.7 SP1 P22 and later |
4 | VU#830192 | CVE-2014-2518 VRF#HUDBRX6Q PSRC-2083 ESA-2014-073 | Multiple EMC Documentum WDK applications (Webtop, Taskspace, Documentum Administrator, etc) contain CSRF vulnerabilities. | EMC Documentum WDK applications use the MVC design pattern, where controllers/views could be accessed directly through specific URLs like “/webtop/component/<controller/view name>?<controller/view startup arguments>”. Some controllers/views accept “query” as a startup argument and execute the passed query upon startup, making such controllers/views vulnerable to CSRF attacks. | THIS HAS BEEN FIXED: EMC Documentum Webtop versions 6.7 SP1 P28 or later EMC Documentum Webtop versions 6.7 SP2 P15 or later EMC Documentum Administrator versions 6.7 SP1 P28 or later EMC Documentum Administrator versions 6.7 SP2 P15 or later EMC Documentum Administrator versions 7.0 P15 or later EMC Documentum Administrator versions 7.1 P06 or later EMC Documentum Taskspace versions 6.7 SP1 P28 or later EMC Documentum Taskspace versions 6.7 SP2 P15 or later EMC Documentum Records Manager versions 6.7 SP1 P28 or later EMC Documentum Records Manager versions 6.7 SP2 P15 or later EMC Documentum Web Publisher versions 6.5 SP7 P15 or later EMC Documentum Digital Asset Manager versions 6.5 SP6 P15 or later EMC Documentum Engineering Plant Facilities Management Solution for Documentum 1.7 SP1, supported on WebTop 6.7 SP1 versions patch 13 or later EMC Documentum Capital Projects 1.8, supported on WebTop 6.7 SP1 versions patch 11 or later EMC Documentum Capital Projects 1.8, supported on WebTop 6.7 SP2 versions patch 11 or later EMC Documentum Capital Projects 1.9, supported on WebTop 6.7 SP2 versions patch 01 or later. All instances will be fixed in 6.8 - coming out in Q4. COMMENTS: The fixes published in the ESA only apply to the instances reported originally. A more comprehensive fix will be released with WDK 6.8. 
| FIX CONTESTED: After extra analysis we can find that following controllers are vulnerable: -auditlist (comes from Documentum Administrator, not webtop, so this one is not mentioned in previous listing) -search -dqleditor (fixed in previous patches – does not accept “query” argument anymore) -appintxdql (fixed in previous patches – does not accept “query” argument anymore) -historicalactivityreportresults -processdetailreportresults -historicalprocessreportresults -historicaluserreportresults Additionally we should understand that there are controllers which are able to launch another controllers (examples 11, 12), and “actions” which are able to launch vulnerable controllers. | The fix for this depends on PSRC-2003 and it was fixed. ESA-2015-131 CVE-2015-4531 Fixed version: • EMC Documentum Content Server 6.7SP1P32 or later • EMC Documentum Content Server 6.7SP2P25 or later • EMC Documentum Content Server 7.0P19 or later • EMC Documentum Content Server 7.1P16 or later • EMC Documentum Content Server 7.2P02 or later" | The fix for this depends on PSRC-2003 and it was fixed. ESA-2015-131 CVE-2015-4531 Fixed version: EMC Documentum Content Server 7.0P23 and later EMC Documentum Content Server 7.1P27 and later EMC Documentum Content Server 7.2P10 and later ESA-2015-131 has been updated with this information. |
5 | VU#504416 | CVE-2014-4622 VRF#HUDHKNW4 PSRC-2072 ESA-2014-091 | EMC Documentum Content Server: multiple issues in ESA-2012-009 were not properly analyzed and fixed. | 1. Sysadmin is not able to modify dm_superusers_dynamic and dm_superusers system groups (dm_superusers membership grants superuser privileges), but he is able to modify groups that belongs to dm_superusers system group. 2. Sysadmin is able to perform dump and load operations, and may create malicious superusers through load operation. 3. Sysadmin is able to create dm_method objects, so he is able to execute any code on Content Server, thereby elevating privileges. 4. Sysadmin is able to create and modify dm_client_rights objects, which store information about capabilities of remote clients. By creating and modifying dm_client_rights objects, sysadmin is able to elevate privileges. 5. Sysadmin is able to create and modify dmc_module objects that execute code on java-clients such as Documentum Java Method Server, enabling him to execute any code on Documentum Java Method Server and thereby elevate privileges. | THIS HAS BEEN FIXED: EMC Documentum Content Server 7.1 P08 and later EMC Documentum Content Server 7.0 P15: Hotfix is available for Windows and Linux. For Solaris and AIX, contact EMC Support. EMC Documentum Content Server 6.7 SP2 P17 and later EMC Documentum Content Server 7.0: Hotfix is available for Windows and Linux. For Solaris and AIX, contact EMC Support. The fixes are rolled into CS 7.0 P16. | FIX CONTESTED: The first issue (elevating privileges through modifying dcs_privileged_users group) was fixed, other issues were not fixed, also see comment about sysadmin privilege in VRF#HW7M2PO2. | This is being tracked by PSRC-2517. The fix requires updates to scripts provided by third party. Due to external dependancy, it will take some time to fully address the root cause. ETA for fix: Q2’16. 
| CVE-2014-2507 ESA-2014-046 The third party library vendor is not able to provide the fix to EMC at this point, so we are limited to implementing mitigations on Documentum Content Server layer only. The interim fix with backlisting approach to mitigate known attack vectors was implemented in the following versions: • EMC Documentum Content Server version 7.2 P13 and later • EMC Documentum Content Server version 7.1 P29 and later • EMC Documentum Content Server version 7.0 P24 and later More comprehensive fix using whitelisting approach is being planned for future releases of the product. New security advisory will be released when the fixes are available. |
6 | VU#844536 | CVE-2014-2514 VRF#HUFG9EBA PSRC-2082 ESA-2014-064 | EMC Documentum Content Server: any user is able to elevate privileges using crafted RPC save-commands. | Content Server fails to validate client RPC commands when saved objects have different object types (such as SysObjSave for dm_sysobject, UserSave for dm_user, etc); further, Content Server does not check input arguments for some RPC commands (SAVE_CONT_ATTRS, RelationSave, dmScopeConfigSave). Consequently, a user is able to modify any object in the system using a crafted RPC save-command. | THIS HAS BEEN FIXED: EMC Documentum Content Server version 7.1 P05 and later EMC Documentum Content Server version 7.0 P15 and later EMC Documentum Content Server version 6.7 SP2 P14 and later EMC Documentum Content Server version 6.7 SP1 P28 and later COMMENTS: See VU#160160 below for more details on additional attack vectors after the original fix. | FIX CONTESTED: Why is VRF#HUFG9EBA marked as fixed? | Additional exploits were fixed as part of PSRC-2493/ESA-2015-131/CVE-2015-4533. New exploits were discovered after disclosing PSRC-2493. The latest exploits are tracked via PSRC-3048. ETA for the fix fro PSRC-3048: October, 2015. PSRC-2493 ESA-2015-131 CVE-2015-4533 Fixed versions: • EMC Documentum Content Server 6.7SP1P32 or later • EMC Documentum Content Server 6.7SP2P25 or later • EMC Documentum Content Server 7.0P19 or later • EMC Documentum Content Server 7.1P16 or later • EMC Documentum Content Server 7.2P02 or later | Additional exploits were fixed as part of PSRC-2493/ESA-2015-131/CVE-2015-4533. New exploits were discovered after disclosing PSRC-2493 (tracked via PSRC-3048). All reported exploits are now fixed. ESA-2015-131 has been updated. PSRC-2493 ESA-2015-131 CVE-2015-4533 Fixed versions: • EMC Documentum Content Server 7.0P21 and later • EMC Documentum Content Server 7.1P21 and later • EMC Documentum Content Server 7.2P05 and later |
7 | VU#957616 | CVE-2014-2507 VRF#HUFOKCF1 VRF#HW65RW4O PSRC-2074 ESA-2014-046 | EMC Documentum Content Server: any user is able to execute arbitrary shell commands using some docbase methods | Multiple docbase methods fail to validate user input, leading to shell command injection vulnerabilities. Affected methods include dm_event_sender (multiple fields), pre_erouter*, replicate_setup_methods, and others. | THIS HAS BEEN FIXED: EMC Documentum Content Server version 7.1 P05 and later EMC Documentum Content Server version 7.0 P15 and later EMC Documentum Content Server version 6.7 SP2 P14 and later EMC Documentum Content Server version 6.7 SP1 P28 and later COMMENTS: Status: Partially Fixed Due to a limitation in the product and different customizations developed by customers for Documentum Content Server, the product team remediated the reported vulnerability for the original reported instance only. The researcher now discusses new ways to exploit the vulnerability. The product team is aware of this and have determined that this warrants a longer term approach rather than point fixes which is currently under discussion. | FIX CONTESTED: In CVE-2014-2507 vendor just made changes in dm_event_sender.ebs (applied changes were described in VRF#HUFOKCF1) to prevent attack on "mailScript" parameter, but those changes are not reflected in dm_html_sender.ebs [Applies to PSRC-2074, PSRC-2075] In VRF#HUFOKCF1 the researcher has clearly outlined a vulnerable code. Providing descriptions for all possible attacks is not a researcher’s job. latest EMC fixes completely rollback changes made in CVE-2014-2507 | Regression issues fixed and additional fixes were made to the versions below. ESA-2014-079 has been updated for customers. 
CVE-2014-4618 PSRC-2076 ESA-2014-079 Fixed versions: EMC Documentum Content Server 6.7SP2P21 or later EMC Documentum Content Server 7.0P17 or later EMC Documentum Content Server 7.1P12 or later EMC Documentum Content Server 7.2 and patch releases | Regression issues fixed and additional fixes were made to the versions below. ESA-2014-079 has been updated for customers. CVE-2014-4618 PSRC-2076 ESA-2014-079 Fixed versions: EMC Documentum Content Server 6.7SP2P21 or later EMC Documentum Content Server 7.0P17 or later EMC Documentum Content Server 7.1P12 or later EMC Documentum Content Server 7.2 and patch releases |
8 | VU#737264 | CVE-2014-2513 VRF#HUFPRMOP PSRC-2075 ESA-2014-064 | EMC Documentum Content Server: arbitrary code execution in dm_bp_transition.ebs docbase method | Arguments of dm_bp_transition are not properly validated, leading to an arbitrary code execution vulnerability. This attack may be combined with a SQL injection to bypass object checking measures. | THIS HAS BEEN FIXED: EMC Documentum Content Server version 7.1 P06 and later EMC Documentum Content Server version 7.0 P15 and later EMC Documentum Content Server version 6.7 SP2 P15 and later EMC Documentum Content Server version 6.7 SP1 P28 and later | FIX CONTESTED: I have tried to reproduce PoC, described in VRF#HUFPRMOP, and got [an] error. … Moreover, the issue is still reproducible because introduced check could be bypassed using SQL injection | These users are created and maintained by WebTop. It is more of a security gap than a security vulnerability. There is an option to specify encrypted passwords in app.xml under webtop for both dmc_wdk_presets_owner and dmc_wdk_preferences_owner users. But, in case the passwords are not specified in app.xml a hard-coded password was being used in earlier versions of webtop (prior to version WebTop 6.8). Customers are allowed to change these passwords once the content server installation is complete. It is more of ‘not-enforcing-password-change’ issue. There is a way to change passwords for these default users in content server and encrypt them in webtop. | These users are created and maintained by WebTop. It is more of a security gap than a security vulnerability. There is an option to specify encrypted passwords in app.xml under webtop for both dmc_wdk_presets_owner and dmc_wdk_preferences_owner users. But, in case the passwords are not specified in app.xml a hard-coded password was being used in earlier versions of webtop (prior to version WebTop 6.8). Customers are allowed to change these passwords once the content server installation is complete. 
It is more of ‘not-enforcing-password-change’ issue. There is a way to change passwords for these default users in content server and encrypt them in webtop. |
9 | VU#464552 | CVE-2014-4618 VRF#HUFQ8RPH PSRC-2076 ESA-2014-079 | EMC Documentum Content Server: Arbitrary code execution in dm_event_template_sender docbase method | The dm_event_template_sender method fails to check the owner of a mail template object, so any user is able to create their own mail template and execute arbitrary code in Documentum Java Method Server context. | THIS HAS BEEN FIXED: EMC Documentum Content Server 7.1 P07 and later EMC Documentum Content Server 7.0: Hotfixes are available for Windows and Linux. Contact EMC Support to obtain them. For Solaris and AIX, contact EMC Support to open Hotfix requests. EMC Documentum Content Server 6.7 SP2 P16 and later EMC Documentum Content Server 6.7 SP1: Hotfixes are available for Windows and Linux. Contact EMC Support to obtain them. For Solaris and AIX, contact EMC Support to open Hotfix requests. | FIX CONTESTED: It seems that EMC tried to remediate a “quick way” only (i.e. execute do_method with method='dm_event_template_sender' ...) – when I try to execute dm_event_template_sender directly it [results in an] error ... but the main scenario (where Content Server uses dm_event_template_sender as default email engine) is still reproducible. Moreover, after some research I have found another way to exploit a “quick way” | The fix for this depends on PSRC-2003 which was fixed. PSRC-2003 ESA-2015-131 CVE-2015-4531 Fixed version: • EMC Documentum Content Server 6.7SP1P32 or later • EMC Documentum Content Server 6.7SP2P25 or later • EMC Documentum Content Server 7.0P19 or later • EMC Documentum Content Server 7.1P16 or later • EMC Documentum Content Server 7.2P02 or later | The fix for this depends on PSRC-2003 and it was fixed. ESA-2015-131 CVE-2015-4531 Fixed version: EMC Documentum Content Server 7.0P23 and later EMC Documentum Content Server 7.1P27 and later EMC Documentum Content Server 7.2P10 and later ESA-2015-131 has been updated with this information. |
10 | VU#184360 | VRF#HUFQO2I9 PSRC-2077 | EMC Documentum Content Server: backdoors in default installation | While creating the docbase, Documentum installer creates two "internal" accounts (dmc_wdk_presets_owner and dmc_wdk_preferences_owner), and sets their passwords to "webtop." Both accounts are used by EMC Documentum WDK applications (Webtop, Taskspace, Documentum Administrator), and although it's possible that some WDK deployment/administration guides do contain information about such users, the existence of these accounts is not mentioned in the documentation for EMC Documentum Content Server. | EMC rejects this issue as it is more of a security gap than a security vulnerability: There is an option to specify encrypted passwords in app.xml under webtop for both dmc_wdk_presets_owner and dmc_wdk_preferences_owner users. But, in case the passwords are not specified in app.xml a hard-coded password was being used in earlier versions of webtop. Customers are allowed to change these passwords once the content server installation is complete. It is more of ‘not-enforcing-password-change’ issue. There is a way to change passwords for these default users in content server and encrypt them in webtop. | Can’t understand how it is related to EMC Documentum Webtop if these accounts are shipped with EMC Documentum Content Server installation, not Webtop. CWE-798: Use of Hard-coded Credentials | Additional exploited were tracked via PSRC-2494 and PSRC-2966. All known exploits were addressed. PSRC-2966 ESA-2015-144 CVE-2015-4544 Fixed versions: • EMC Documentum Content Server 7.0P21 or later • EMC Documentum Content Server 7.1P20 or later • EMC Documentum Content Server 7.2P04 or later • Customers on EMC Documentum Content Server prior to 7.0 with extended support agreement are requested to raise hotfix requests through EMC Customer Support. | Additional exploited were tracked via PSRC-2494 and PSRC-2966. All known exploits were addressed. 
PSRC-2966 ESA-2015-144 CVE-2015-4544 Fixed versions: • EMC Documentum Content Server 7.0P21 or later • EMC Documentum Content Server 7.1P20 or later • EMC Documentum Content Server 7.2P04 or later • Customers on EMC Documentum Content Server prior to 7.0 with extended support agreement are requested to raise hotfix requests through EMC Customer Support. |
11 | VU#695112 | VRF#HUFSA94M PSRC-2078 PSRC-2003 | EMC Documentum Content Server: backdoor in default installation | Documentum applications actively use dynamic groups capabilities. Though internal EMC Documentation recommends to set the "is_protected" flag for dynamic groups (this flag prevents unauthorized DFC-clients from using dynamic group capabilities), EMC does not follow these recommendations; while creating a docbase, Documentum installer creates dcs_privileged_users dynamic group, makes it a member of dm_superusers group, and does not set the is_protected flag to true. | This is currently being investigated. COMMENTS: Status: remediation in progress. | Why there is no comment about the fact that discussed group is related to Webtop functionality? | Additional exploited were tracked via PSRC-2494 and PSRC-2966. All known exploits were addressed. PSRC-2966 ESA-2015-144 CVE-2015-4544 Fixed versions: • EMC Documentum Content Server 7.0P21 or later • EMC Documentum Content Server 7.1P20 or later • EMC Documentum Content Server 7.2P04 or later • Customers on EMC Documentum Content Server prior to 7.0 with extended support agreement are requested to raise hotfix requests through EMC Customer Support. | Additional exploited were tracked via PSRC-2494 and PSRC-2966. All known exploits were addressed. PSRC-2966 ESA-2015-144 CVE-2015-4544 Fixed versions: • EMC Documentum Content Server 7.0P21 or later • EMC Documentum Content Server 7.1P20 or later • EMC Documentum Content Server 7.2P04 or later • Customers on EMC Documentum Content Server prior to 7.0 with extended support agreement are requested to raise hotfix requests through EMC Customer Support. |
12 | VU#874632 | CVE-2014-4626 VRF#HUFU6FNP PSRC-2079 ESA-2014-105 | EMC Documentum Content Server: any user is able to elevate privileges, hijack Content Server filesystem, execute any commands by creating malicious dm_job objects | Documentum Content Server includes docbase methods that use special permissions to prevent method invocation by regular users. Users can bypass these restrictions by crafting dm_job objects containing arbitrary commands to be executed and by setting the owner of the object to a privileged user. For more information, including proofs of concept, refer to: http://www.securityfocus.com/archive/1/535893/30/0/threaded | THIS HAS BEEN FIXED: EMC Documentum Content Server version 7.1 P09 and later EMC Documentum Content Server version 7.0 P16 and later EMC Documentum Content Server version 6.7 SP2 P18 and later EMC Documentum Content Server version 6.7 SP1 P29 and later | FIX CONTESTED: Nothing was fixed at all [see VU#147400]. | New RPCs that were tracked under PSRC-2445. See PSRC-2445 below. | New RPCs that were tracked under PSRC-2445. See PSRC-2445 below. |
13 | VU#386056 | CVE-2014-4626 VRF#HUFV0UZN PSRC-2080 ESA-2014-105 | EMC Documentum Content Server: any user is able to elevate privileges by creating malicious dm_job_request objects | Documentum Content Server has two service tasks intended for renaming users and groups: dm_UserRename and dm_GroupRename. Both are triggered when an administrator renames a user or group in Documentum Administrator or when dm_LDAPSynchronization job completes its execution. These jobs poll uncompleted dm_job_request objects and perform corresponding changes. Any user is able to create malicious dm_job_request objects and either rename his group to system group (e.g. dm_superusers) or get unauthorized access to objects. For more information, including proofs of concept, refer to: http://www.securityfocus.com/archive/1/535893/30/0/threaded | THIS HAS BEEN FIXED: EMC Documentum Content Server version 7.1 P09 and later EMC Documentum Content Server version 7.0 P16 and later EMC Documentum Content Server version 6.7 SP2 P18 and later EMC Documentum Content Server version 6.7 SP1 P29 and later | FIX CONTESTED: The vulnerability, described in VRF#HV1RX6I5, is based on ability to create dm_job objects, so this issue is not fixed because VRF#HUFU6FNP is not fixed [see VU#874632]. | PSRC-2445 ESA-2015-131 CVE-2015-4532 Fixed versions: • EMC Documentum Content Server 6.7SP1P32 or later • EMC Documentum Content Server 6.7SP2P25 or later • EMC Documentum Content Server 7.0P19 or later • EMC Documentum Content Server 7.1P16 or later • EMC Documentum Content Server 7.2P02 or later | PSRC-2445 ESA-2015-131 CVE-2015-4532 Fixed versions: • EMC Documentum Content Server 6.7SP1P32 or later • EMC Documentum Content Server 6.7SP2P25 or later • EMC Documentum Content Server 7.0P19 or later • EMC Documentum Content Server 7.1P16 or later • EMC Documentum Content Server 7.2P02 or later |
14 | VU#147400 | CVE-2014-2515 VRF#HV1RX6I5 PSRC-1847 PSRC-2106 ESA-2014-067 | EMC Documentum D2: any user is able to get superuser login ticket using the D2GetAdminTicketMethod docbase method | EMC Documentum D2 by design performs some operations in repository using a privileged session. To acquire a privileged session, D2 creates a c6_method_return object and passes its identifier to docbase method D2GetAdminTicketMethod. This docbase method generates superuser ticket (OTP) and stores it in the “message” attribute of the c6_method_return object. Afterwards, D2 reads the superuser ticket from the c6_method_return object and acquires a superuser session. In an exception case, D2GetAdminTicketMethod stores the exception message in the “error” attribute of the c6_method_return object. Any user is able to execute the D2GetAdminTicketMethod docbase method using Documentum API, generating the superuser ticket. | ThIS HAS BEEN FIXED: EMC Documentum D2 3.1 P24 EMC Documentum D2 3.1 SP1 P02 (hotfix) EMC Documentum D2 4.0 P11 (hotfix) EMC Documentum D2 4.1 P16 EMC Documentum D2 4.2 P05 | See VU#982432 for additional issues derived from the remediation effort of this issue. 
| PSRC-2707 ESA-2015-110 CVE-2015-0550 Fixed versions: • EMC Documentum Thumbnail Server 6.7 SP1 HFX (install with EMC Documentum Content Server 6.7SP1P32) • EMC Documentum Thumbnail Server 6.7 SP2 HFX (install with EMC Documentum Content Server 6.7SP2P25) • EMC Documentum Thumbnail Server 7.0 HFX (install with EMC Documentum Content Server 7.0P21) due in October 2015 • EMC Documentum Thumbnail Server 7.1 HFX (install with EMC Documentum Content Server 7.1P20) • EMC Documentum Thumbnail Server 7.2 HFX (install with EMC Documentum Content Server 7.2P04) | PSRC-2707 ESA-2015-110 CVE-2015-0550 Fixed versions: • EMC Documentum Thumbnail Server 6.7 SP1 HFX (install with EMC Documentum Content Server 6.7SP1P32) • EMC Documentum Thumbnail Server 6.7 SP2 HFX (install with EMC Documentum Content Server 6.7SP2P25) • EMC Documentum Thumbnail Server 7.0 HFX (install with EMC Documentum Content Server 7.0P21) due in October 2015 • EMC Documentum Thumbnail Server 7.1 HFX (install with EMC Documentum Content Server 7.1P20) • EMC Documentum Thumbnail Server 7.2 HFX (install with EMC Documentum Content Server 7.2P04) |
15 | VU#143528 | VRF#HV1RX6I5 PSRC-2105 | EMC Documentum D2: D2UpdateChildACLMethod docbase method allows any user to manipulate system ACLs | This is currently being investigated. COMMENTS: Status: remediation in progress. | PSRC-2550 ESA-2015-131 CVE-2015-4535 Fixed versions: • EMC Documentum Content Server 6.7SP1P32 or later • EMC Documentum Content Server 6.7SP2P25 or later • EMC Documentum Content Server 7.0P19 or later • EMC Documentum Content Server 7.1P16 or later • EMC Documentum Content Server 7.2P02 or later | PSRC-2550 ESA-2015-131 CVE-2015-4535 Fixed versions: • EMC Documentum Content Server 6.7SP1P32 or later • EMC Documentum Content Server 6.7SP2P25 or later • EMC Documentum Content Server 7.0P19 or later • EMC Documentum Content Server 7.1P16 or later • EMC Documentum Content Server 7.2P02 or later | ||
16 | VU#907456 | CVE-2014-2504 CVE-2015-0518 VRF#HV1RX6I5 PSRC-1988 PSRC-2050 PSRC-2515 ESA-2014-045 ESA-2015-010 | EMC Documentum D2: Any user is able to gain superuser privileges using D2 webservices | ThIS HAS BEEN FIXED: EMC Documentum D2 3.1P20 EMC Documentum D2 3.1SP1P02 EMC Documentum D2 4.0P10 EMC Documentum D2 4.1P13 EMC Documentum D2 4.2P01 | It’s not possible to be fixed in D2 4.2P01 because it was reported against D2 4.2P01, moreover, I have found out that described webservice changes password of any user without checking caller privileges. | PSRC-2551 ESA-2015-131 CVE-2015-4534 Fixed versions: • EMC Documentum Content Server 6.7SP1P32 or later • EMC Documentum Content Server 6.7SP2P25 or later • EMC Documentum Content Server 7.0P19 or later • EMC Documentum Content Server 7.1P16 or later • EMC Documentum Content Server 7.2P02 or later | PSRC-2551 ESA-2015-131 CVE-2015-4534 Fixed versions: • EMC Documentum Content Server 6.7SP1P32 or later • EMC Documentum Content Server 6.7SP2P25 or later • EMC Documentum Content Server 7.0P19 or later • EMC Documentum Content Server 7.1P16 or later • EMC Documentum Content Server 7.2P02 or later | |
17 | VU#241208 | VRF#HX5OLZ0F PSRC-2445 | EMC Documentum Content Server does not check input arguments for some RPC commands. | RPC command input arguments can be used to elevate privileges using the same technique as described in VRF#HUFG9EBA [see VU#844536]. The only difference is that save operations are performed against new objects, i.e. attacker is able to create new malicious docbase methods or users with superuser privilege [applies to PSRC-2075, see VU#737264] | COMMENTS: Status: investigating VRF#HX5OLZ0F has been confirmed. A few more RPC's don't have checks and are currently being investigated. The new attack vectors are being tracked by PSRC-2445 | PSRC-2236 ESA-2014-156 CVE-2014-4629 Fixed versions: • EMC Documentum Content Server 6.7SP1P30 or later • EMC Documentum Content Server 6.7SP2P19 or later • EMC Documentum Content Server 7.0P17 or later • EMC Documentum Content Server 7.1P10 or later • EMC Documentum Content Server 7.2 and it's patch releases | PSRC-2236 ESA-2014-156 CVE-2014-4629 Fixed versions: • EMC Documentum Content Server 6.7SP1P30 or later • EMC Documentum Content Server 6.7SP2P19 or later • EMC Documentum Content Server 7.0P17 or later • EMC Documentum Content Server 7.1P10 or later • EMC Documentum Content Server 7.2 and it's patch releases | |
18 | VU#160160 | CVE-2014-4629 VRF#HX5RU3J4 PSRC-2236 | EMC Documentum Content Server allows unprivileged users to hijack any text file from the Content Server filesystem [see VU#874632]. | In VRF#HUFU6FNP [VU#874632], a vulnerability that allows non-privileged user to hijack any text file from Content Server filesystem is described. In VRF#HUFOKCF1 [VU#957616], vulnerabilities are described related to improper neutralization of user input in dm_event_sender docbase method, which also executes dm_mailwrapper.sh. | COMMENTS: Status: remediation in progress VRF#HX5RU3J4 was already reported by a customer and being tracked by PSRC-2236. The fixes are tentatively planned to be released in the November 30 patch. | Due to the complexity of this issue, this is tentatively targeted to be fixed in 2H 2015. | This is tracked via PSRC-2105 and it is fixed. It will not be backported to earlier versions due to complexity of the changes made. PSRC-2105 CVE-2016-0888 ESA-2016-034 Fixed versions: EMC Documentum D2 4.6 | |
19 | VU#982432 | CVE-2015-0517 VRF#HZ1YVUNQ PSRC-2484 PSRC-2485 PSRC-2558 ESA-2015-010 | EMC Documentum D2: the patch for the VRF#HV1RX6I5 vulnerability [VU#147400] introduces backdoors. | EMC Documentum D2: VRF#HV1RX6I5 [VU#147400] contains a description of a vulnerability in the D2GetAdminTicketMethod docbase method. The vendor released a patch for this vulnerability in August 2014 (http://archives.neohapsis.com/archives/bugtraq/2014-08/att-0093/ESA-2014-067.txt) that introduces at least four backdoors. | Comments: 3 out of the 4 issues are rejected. Issue #2 is a low priority and will be considered for removal in future releases. See the next column for notes. See our responses below for each of the 4 issues the researcher has mentioned in the report: 1. Backdoor in com.emc.common.java.crypto.D2LockboxProperties class. Remedy in progress. 2. D2 code prints MD5 hash of passphrase into log files available to regular user (see previous description and VRF#HV1RX6I5). Remedy in progress. 3. Backdoor in com.emc.common.dctm.methods.D2MethodContext and com.emc.d2.api.methods.D2Method. EMC is not aware of any practical attack vector to exploit this issue. 4. Backdoor in used security storage (i.e. Lockbox). This is under investigation. | 1. First, to exploit this vulnerability it’s enough to delete the Lockbox file from Content Server only; after that CS starts encrypting tickets using the default passphrase known to the attacker. Second, I do know how to remove an arbitrary file from D2’s filesystem, but this is another vulnerability not related to the current discussion. 2. No comment. 3. Request D2_4.2_patchnotes.htm from EMC; the related fix is mentioned in the P06 patch. 4. No comment. | The original issue was fixed in ESA-2014-067. New exploits are tracked via PSRC-2484 PSRC-2485 PSRC-2558 See current status under PSRC-2484 PSRC-2485 PSRC-2558 | The original issue was fixed in ESA-2014-067. New exploits are tracked via PSRC-2484 PSRC-2485 PSRC-2558 See current status under PSRC-2484 PSRC-2485 PSRC-2558 |
20 | VU#116072 | CVE-2015-0550 ESA-2015-110 | EMC Documentum Thumbnail Server fails to verify URL parameters, which allows an attacker to hijack arbitrary files from Content Server's filesystem and gain superuser privileges. | For more information, including proofs of concept, refer to: http://blog.documentum.pro/2015/02/25/beware-of-thumbnail-server | http://seclists.org/bugtraq/2015/Jun/att-114/ESA-2015-110.txt | The reported instances tracked by PSRC-1988 and PSRC-2050 were fixed. During further investigation, a new vulnerable web service API was discovered. This is being tracked under PSRC-2515 and was fixed. ESA-2015-010 CVE-2015-0518 Fixed versions: EMC Documentum D2 4.1 P22 EMC Documentum D2 4.2 P11 | The reported instances tracked by PSRC-1988 and PSRC-2050 were fixed. During further investigation, a new vulnerable web service API was discovered. This is being tracked under PSRC-2515 and was fixed. ESA-2015-010 CVE-2015-0518 Fixed versions: EMC Documentum D2 4.1 P22 EMC Documentum D2 4.2 P11 | |
21 | VU#913972 | VRF#I3N7J2A3 PSRC-2550 | EMC Documentum Content Server Java Method Server (JMS) logs sensitive information when the __debug_trace__ parameter is enabled. | EMC Documentum Content Server delegates execution of business logic to an embedded Java application server called "Java Method Server" (JMS). JMS logs login tickets in certain instances when processing the __debug_trace__ parameter. By executing any docbase method using __debug_trace__, an attacker capable of hijacking Content Server logs may be able to obtain superuser tickets and privileges. | 1. This is being tracked by PSRC-2484 and fixed. PSRC-2484 ESA-2015-132 CVE-2015-4537 Fixed versions: EMC Documentum D2 4.5 2. This is being tracked by PSRC-2485 and fixed. PSRC-2485 ESA-2015-010 CVE-2015-0517 Fixed versions: EMC Documentum D2 4.1 P22 and later EMC Documentum D2 4.2 P11 and later 3. This is being tracked by PSRC-2558. EMC is not aware of any practical attack vector to exploit this issue. D2MethodContext and use of thread local storage have been removed altogether in EMC Documentum D2 4.2 P12 and 4.5 (and subsequent patch releases). There is no plan to issue an ESA and CVE for this issue. 4. This is related to #2 above, so the same plan applies here. EMC reiterates that there is no issue with Lockbox per se here. If an attacker can determine the encryption key used by D2 to encrypt admin login tickets from its MD5 hash, they can essentially bypass Lockbox and decrypt an encrypted login ticket. | 1. This is being tracked by PSRC-2484 and fixed. PSRC-2484 ESA-2015-132 CVE-2015-4537 Fixed versions: EMC Documentum D2 4.5 2. This is being tracked by PSRC-2485 and fixed. PSRC-2485 ESA-2015-010 CVE-2015-0517 Fixed versions: EMC Documentum D2 4.1 P22 and later EMC Documentum D2 4.2 P11 and later 3. This is being tracked by PSRC-2558. EMC is not aware of any practical attack vector to exploit this issue. D2MethodContext and use of thread local storage have been removed altogether in EMC Documentum D2 4.2 P12 and 4.5 (and subsequent patch releases). There is no plan to issue an ESA and CVE for this issue. 4. This is related to #2 above, so the same plan applies here. EMC reiterates that there is no issue with Lockbox per se here. If an attacker can determine the encryption key used by D2 to encrypt admin login tickets from its MD5 hash, they can essentially bypass Lockbox and decrypt an encrypted login ticket. | ||
22 | VU#868828 | VRF#I3TGW88K PSRC-2551 | EMC Documentum Content Server Java Method Server (JMS) fails to properly validate digital signatures, leading to the possibility of arbitrary code execution. | EMC Documentum Content Server Java Method Server (JMS) implements the following digital signature validation algorithm: it parses the __signature_params__ parameter, reconstructs the query string using parameters listed in __signature_params__, and validates the signature of the reconstructed query. An attacker capable of crafting a digital signature for a query string without the method_verb parameter may be able to execute arbitrary code in JMS context, depending on Java classes present in the classloader. | New exploits were identified and were being tracked by PSRC-2677. Additional exploits were addressed. PSRC-2677 ESA-2015-130 CVE-2015-4530 Fixed versions: • EMC Documentum WebTop 6.8P01 or later • EMC Documentum Administrator 7.2 or later | New exploits were identified and were being tracked by PSRC-2677. Additional exploits were addressed. PSRC-2677 ESA-2015-130 CVE-2015-4530 Fixed versions: • EMC Documentum WebTop 6.8P01 or later • EMC Documentum Administrator 7.2 or later | ||
23 |