VU#315340
Columns: VU# ID | Other IDs | Summary | Description | Vendor Status | Researcher Comments | EMC Comments | EMC Update as of 12/22/2016

Vendor Status: Provided by EMC Corporation. For status from the vendor, please visit https://support.emc.com/docu38558 (requires EMC Online Support credentials). Search by CVE ID and/or ESA ID referenced in this spreadsheet.
Researcher Comments: Provided by Andrey B. Panfilov.
EMC Comments: Provided by EMC Corporation (same vendor status link as above).
EMC Update as of 12/22/2016: Provided by EMC Corporation.

Row 3: VU#889944
Other IDs: CVE-2014-2520, VRF#HUD8DYFU, PSRC-2070, ESA-2014-079
Summary: EMC Documentum Content Server does not properly handle RETURN_RANGE hint passed to DQL query.
Description: Attacker may execute any SQL select statement, bypassing ACL restrictions.
Vendor Status:
THIS HAS BEEN FIXED:
EMC Documentum Content Server 7.1 P07 and later
EMC Documentum Content Server 7.0: Hotfixes are available for Windows and Linux. Contact EMC Support to obtain them. The hotfixes were rolled into 7.0 P16. For Solaris and AIX, contact EMC Support to open Hotfix requests.
EMC Documentum Content Server 6.7 SP2 P16 and later
EMC Documentum Content Server 6.7 SP1: Hotfixes are available for Windows and Linux. Contact EMC Support to obtain them. For Solaris and AIX, contact EMC Support to open Hotfix requests. These fixes were rolled into 6.7 SP1 P22 and later.
COMMENTS:
Both Win-SQL and Linux-Oracle platforms have been fixed.
Researcher Comments:
The status of the issue is still not clear. EMC Documentum Content Server supports four RDBMSs: Oracle, MSSQL, Sybase and DB2. What does EMC’s answer really mean: Sybase and DB2 builds were not vulnerable, or Sybase and DB2 builds were not remediated?
EMC Comments / EMC Update as of 12/22/2016:
The fix was done at the common layer. The fix identified in ESA-2014-079 addresses this issue for all supported RDBMSs.
PSRC-2070
ESA-2014-079
CVE-2014-2520
Fixed versions:
EMC Documentum Content Server 7.1 P07 and later
EMC Documentum Content Server 7.0 P16 and later
EMC Documentum Content Server 6.7 SP2 P16 and later
EMC Documentum Content Server 6.7 SP1 P22 and later

Row 4: VU#830192
Other IDs: CVE-2014-2518, VRF#HUDBRX6Q, PSRC-2083, ESA-2014-073
Summary: Multiple EMC Documentum WDK applications (Webtop, Taskspace, Documentum Administrator, etc.) contain CSRF vulnerabilities.
Description: EMC Documentum WDK applications use the MVC design pattern, where controllers/views can be accessed directly through specific URLs like “/webtop/component/<controller/view name>?<controller/view startup arguments>”. Some controllers/views accept “query” as a startup argument and execute the passed query upon startup, making such controllers/views vulnerable to CSRF attacks.
Vendor Status:
THIS HAS BEEN FIXED:
EMC Documentum Webtop versions 6.7 SP1 P28 or later
EMC Documentum Webtop versions 6.7 SP2 P15 or later
EMC Documentum Administrator versions 6.7 SP1 P28 or later
EMC Documentum Administrator versions 6.7 SP2 P15 or later
EMC Documentum Administrator versions 7.0 P15 or later
EMC Documentum Administrator versions 7.1 P06 or later
EMC Documentum Taskspace versions 6.7 SP1 P28 or later
EMC Documentum Taskspace versions 6.7 SP2 P15 or later
EMC Documentum Records Manager versions 6.7 SP1 P28 or later
EMC Documentum Records Manager versions 6.7 SP2 P15 or later
EMC Documentum Web Publisher versions 6.5 SP7 P15 or later
EMC Documentum Digital Asset Manager versions 6.5 SP6 P15 or later
EMC Documentum Engineering Plant Facilities Management Solution for Documentum 1.7 SP1, supported on WebTop 6.7 SP1 versions patch 13 or later
EMC Documentum Capital Projects 1.8, supported on WebTop 6.7 SP1 versions patch 11 or later
EMC Documentum Capital Projects 1.8, supported on WebTop 6.7 SP2 versions patch 11 or later
EMC Documentum Capital Projects 1.9, supported on WebTop 6.7 SP2 versions patch 01 or later
All instances will be fixed in 6.8, coming out in Q4.
COMMENTS:
The fixes published in the ESA only apply to the instances reported originally. A more comprehensive fix will be released with WDK 6.8.
Researcher Comments:
FIX CONTESTED:
After extra analysis we find that the following controllers are vulnerable:
- auditlist (comes from Documentum Administrator, not Webtop, so this one is not mentioned in the previous listing)
- search
- dqleditor (fixed in previous patches – does not accept “query” argument anymore)
- appintxdql (fixed in previous patches – does not accept “query” argument anymore)
- historicalactivityreportresults
- processdetailreportresults
- historicalprocessreportresults
- historicaluserreportresults
Additionally, we should understand that there are controllers which are able to launch other controllers (examples 11, 12), and “actions” which are able to launch vulnerable controllers.
EMC Comments:
The fix for this depends on PSRC-2003 and it was fixed.
ESA-2015-131
CVE-2015-4531
Fixed version:
• EMC Documentum Content Server 6.7SP1P32 or later
• EMC Documentum Content Server 6.7SP2P25 or later
• EMC Documentum Content Server 7.0P19 or later
• EMC Documentum Content Server 7.1P16 or later
• EMC Documentum Content Server 7.2P02 or later
EMC Update as of 12/22/2016:
The fix for this depends on PSRC-2003 and it was fixed.
ESA-2015-131
CVE-2015-4531
Fixed version:
EMC Documentum Content Server 7.0P23 and later
EMC Documentum Content Server 7.1P27 and later
EMC Documentum Content Server 7.2P10 and later
ESA-2015-131 has been updated with this information.

Row 5: VU#504416
Other IDs: CVE-2014-4622, VRF#HUDHKNW4, PSRC-2072, ESA-2014-091
Summary: EMC Documentum Content Server: multiple issues in ESA-2012-009 were not properly analyzed and fixed.
Description:
1. Sysadmin is not able to modify the dm_superusers_dynamic and dm_superusers system groups (dm_superusers membership grants superuser privileges), but he is able to modify groups that belong to the dm_superusers system group.
2. Sysadmin is able to perform dump and load operations, and may create malicious superusers through a load operation.
3. Sysadmin is able to create dm_method objects, so he is able to execute any code on Content Server, thereby elevating privileges.
4. Sysadmin is able to create and modify dm_client_rights objects, which store information about the capabilities of remote clients. By creating and modifying dm_client_rights objects, sysadmin is able to elevate privileges.
5. Sysadmin is able to create and modify dmc_module objects that execute code on Java clients such as Documentum Java Method Server, enabling him to execute any code on Documentum Java Method Server and thereby elevate privileges.
Vendor Status:
THIS HAS BEEN FIXED:
EMC Documentum Content Server 7.1 P08 and later
EMC Documentum Content Server 7.0 P15: Hotfix is available for Windows and Linux. For Solaris and AIX, contact EMC Support.
EMC Documentum Content Server 6.7 SP2 P17 and later
EMC Documentum Content Server 7.0: Hotfix is available for Windows and Linux. For Solaris and AIX, contact EMC Support. The fixes are rolled into CS 7.0 P16.
Researcher Comments:
FIX CONTESTED:
The first issue (elevating privileges through modifying the dcs_privileged_users group) was fixed; the other issues were not fixed. Also see the comment about sysadmin privilege in VRF#HW7M2PO2.
EMC Comments:
This is being tracked by PSRC-2517. The fix requires updates to scripts provided by a third party. Due to the external dependency, it will take some time to fully address the root cause. ETA for fix: Q2’16.
EMC Update as of 12/22/2016:
CVE-2014-2507
ESA-2014-046
The third party library vendor is not able to provide the fix to EMC at this point, so we are limited to implementing mitigations on the Documentum Content Server layer only. The interim fix with a blacklisting approach to mitigate known attack vectors was implemented in the following versions:
• EMC Documentum Content Server version 7.2 P13 and later
• EMC Documentum Content Server version 7.1 P29 and later
• EMC Documentum Content Server version 7.0 P24 and later
A more comprehensive fix using a whitelisting approach is being planned for future releases of the product. A new security advisory will be released when the fixes are available.

Row 6: VU#844536
Other IDs: CVE-2014-2514, VRF#HUFG9EBA, PSRC-2082, ESA-2014-064
Summary: EMC Documentum Content Server: any user is able to elevate privileges using crafted RPC save-commands.
Description: Content Server fails to validate client RPC commands when saved objects have different object types (such as SysObjSave for dm_sysobject, UserSave for dm_user, etc.); further, Content Server does not check input arguments for some RPC commands (SAVE_CONT_ATTRS, RelationSave, dmScopeConfigSave). Consequently, a user is able to modify any object in the system using a crafted RPC save-command.
Vendor Status:
THIS HAS BEEN FIXED:
EMC Documentum Content Server version 7.1 P05 and later
EMC Documentum Content Server version 7.0 P15 and later
EMC Documentum Content Server version 6.7 SP2 P14 and later
EMC Documentum Content Server version 6.7 SP1 P28 and later
COMMENTS:
See VU#160160 below for more details on additional attack vectors after the original fix.
Researcher Comments:
FIX CONTESTED:
Why is VRF#HUFG9EBA marked as fixed?
EMC Comments:
Additional exploits were fixed as part of PSRC-2493/ESA-2015-131/CVE-2015-4533.
New exploits were discovered after disclosing PSRC-2493. The latest exploits are tracked via PSRC-3048. ETA for the fix for PSRC-3048: October, 2015.
PSRC-2493
ESA-2015-131
CVE-2015-4533
Fixed versions:
• EMC Documentum Content Server 6.7SP1P32 or later
• EMC Documentum Content Server 6.7SP2P25 or later
• EMC Documentum Content Server 7.0P19 or later
• EMC Documentum Content Server 7.1P16 or later
• EMC Documentum Content Server 7.2P02 or later
EMC Update as of 12/22/2016:
Additional exploits were fixed as part of PSRC-2493/ESA-2015-131/CVE-2015-4533.
New exploits were discovered after disclosing PSRC-2493 (tracked via PSRC-3048). All reported exploits are now fixed. ESA-2015-131 has been updated.
PSRC-2493
ESA-2015-131
CVE-2015-4533
Fixed versions:
• EMC Documentum Content Server 7.0P21 and later
• EMC Documentum Content Server 7.1P21 and later
• EMC Documentum Content Server 7.2P05 and later

Row 7: VU#957616
Other IDs: CVE-2014-2507, VRF#HUFOKCF1, VRF#HW65RW4O, PSRC-2074, ESA-2014-046
Summary: EMC Documentum Content Server: any user is able to execute arbitrary shell commands using some docbase methods.
Description: Multiple docbase methods fail to validate user input, leading to shell command injection vulnerabilities. Affected methods include dm_event_sender (multiple fields), pre_erouter*, replicate_setup_methods, and others.
Vendor Status:
THIS HAS BEEN FIXED:
EMC Documentum Content Server version 7.1 P05 and later
EMC Documentum Content Server version 7.0 P15 and later
EMC Documentum Content Server version 6.7 SP2 P14 and later
EMC Documentum Content Server version 6.7 SP1 P28 and later
COMMENTS:
Status: Partially Fixed
Due to a limitation in the product and different customizations developed by customers for Documentum Content Server, the product team remediated the reported vulnerability for the originally reported instance only. The researcher now discusses new ways to exploit the vulnerability.
The product team is aware of this and has determined that this warrants a longer-term approach rather than point fixes, which is currently under discussion.
Researcher Comments:
FIX CONTESTED:
In CVE-2014-2507 the vendor just made changes in dm_event_sender.ebs (the applied changes were described in VRF#HUFOKCF1) to prevent the attack on the "mailScript" parameter, but those changes are not reflected in dm_html_sender.ebs [applies to PSRC-2074, PSRC-2075].
In VRF#HUFOKCF1 the researcher has clearly outlined the vulnerable code. Providing descriptions for all possible attacks is not a researcher’s job.
The latest EMC fixes completely roll back the changes made in CVE-2014-2507.
EMC Comments / EMC Update as of 12/22/2016:
Regression issues were fixed and additional fixes were made to the versions below. ESA-2014-079 has been updated for customers.
CVE-2014-4618
PSRC-2076
ESA-2014-079
Fixed versions:
EMC Documentum Content Server 6.7SP2P21 or later
EMC Documentum Content Server 7.0P17 or later
EMC Documentum Content Server 7.1P12 or later
EMC Documentum Content Server 7.2 and patch releases

Row 8: VU#737264
Other IDs: CVE-2014-2513, VRF#HUFPRMOP, PSRC-2075, ESA-2014-064
Summary: EMC Documentum Content Server: arbitrary code execution in dm_bp_transition.ebs docbase method.
Description: Arguments of dm_bp_transition are not properly validated, leading to an arbitrary code execution vulnerability. This attack may be combined with a SQL injection to bypass object checking measures.
Vendor Status:
THIS HAS BEEN FIXED:
EMC Documentum Content Server version 7.1 P06 and later
EMC Documentum Content Server version 7.0 P15 and later
EMC Documentum Content Server version 6.7 SP2 P15 and later
EMC Documentum Content Server version 6.7 SP1 P28 and later
Researcher Comments:
FIX CONTESTED:
I have tried to reproduce the PoC described in VRF#HUFPRMOP, and got [an] error. … Moreover, the issue is still reproducible because the introduced check could be bypassed using SQL injection.
EMC Comments / EMC Update as of 12/22/2016:
These users are created and maintained by WebTop. It is more of a security gap than a security vulnerability. There is an option to specify encrypted passwords in app.xml under webtop for both dmc_wdk_presets_owner and dmc_wdk_preferences_owner users. But, in case the passwords are not specified in app.xml, a hard-coded password was being used in earlier versions of webtop (prior to version WebTop 6.8). Customers are allowed to change these passwords once the content server installation is complete.
It is more of a ‘not-enforcing-password-change’ issue. There is a way to change passwords for these default users in content server and encrypt them in webtop.

Row 9: VU#464552
Other IDs: CVE-2014-4618, VRF#HUFQ8RPH, PSRC-2076, ESA-2014-079
Summary: EMC Documentum Content Server: arbitrary code execution in dm_event_template_sender docbase method.
Description: The dm_event_template_sender method fails to check the owner of a mail template object, so any user is able to create their own mail template and execute arbitrary code in the Documentum Java Method Server context.
Vendor Status:
THIS HAS BEEN FIXED:
EMC Documentum Content Server 7.1 P07 and later
EMC Documentum Content Server 7.0: Hotfixes are available for Windows and Linux. Contact EMC Support to obtain them. For Solaris and AIX, contact EMC Support to open Hotfix requests.
EMC Documentum Content Server 6.7 SP2 P16 and later
EMC Documentum Content Server 6.7 SP1: Hotfixes are available for Windows and Linux. Contact EMC Support to obtain them. For Solaris and AIX, contact EMC Support to open Hotfix requests.
Researcher Comments:
FIX CONTESTED:
It seems that EMC tried to remediate the “quick way” only (i.e. execute do_method with method='dm_event_template_sender' ...). When I try to execute dm_event_template_sender directly it [results in an] error ... but the main scenario (where Content Server uses dm_event_template_sender as the default email engine) is still reproducible. Moreover, after some research I have found another way to exploit the “quick way”.
EMC Comments:
The fix for this depends on PSRC-2003, which was fixed.
PSRC-2003
ESA-2015-131
CVE-2015-4531
Fixed version:
• EMC Documentum Content Server 6.7SP1P32 or later
• EMC Documentum Content Server 6.7SP2P25 or later
• EMC Documentum Content Server 7.0P19 or later
• EMC Documentum Content Server 7.1P16 or later
• EMC Documentum Content Server 7.2P02 or later
EMC Update as of 12/22/2016:
The fix for this depends on PSRC-2003 and it was fixed.
ESA-2015-131
CVE-2015-4531
Fixed version:
EMC Documentum Content Server 7.0P23 and later
EMC Documentum Content Server 7.1P27 and later
EMC Documentum Content Server 7.2P10 and later
ESA-2015-131 has been updated with this information.

Row 10: VU#184360
Other IDs: VRF#HUFQO2I9, PSRC-2077
Summary: EMC Documentum Content Server: backdoors in default installation.
Description: While creating the docbase, the Documentum installer creates two "internal" accounts (dmc_wdk_presets_owner and dmc_wdk_preferences_owner), and sets their passwords to "webtop."
Both accounts are used by EMC Documentum WDK applications (Webtop, Taskspace, Documentum Administrator), and although it's possible that some WDK deployment/administration guides do contain information about such users, the existence of these accounts is not mentioned in the documentation for EMC Documentum Content Server.
Vendor Status:
EMC rejects this issue as it is more of a security gap than a security vulnerability:
There is an option to specify encrypted passwords in app.xml under webtop for both dmc_wdk_presets_owner and dmc_wdk_preferences_owner users. But, in case the passwords are not specified in app.xml, a hard-coded password was being used in earlier versions of webtop. Customers are allowed to change these passwords once the content server installation is complete.
It is more of a ‘not-enforcing-password-change’ issue. There is a way to change passwords for these default users in content server and encrypt them in webtop.
Researcher Comments:
Can’t understand how it is related to EMC Documentum Webtop if these accounts are shipped with the EMC Documentum Content Server installation, not Webtop. CWE-798: Use of Hard-coded Credentials.
EMC Comments / EMC Update as of 12/22/2016:
Additional exploits were tracked via PSRC-2494 and PSRC-2966. All known exploits were addressed.
PSRC-2966
ESA-2015-144
CVE-2015-4544
Fixed versions:
• EMC Documentum Content Server 7.0P21 or later
• EMC Documentum Content Server 7.1P20 or later
• EMC Documentum Content Server 7.2P04 or later
• Customers on EMC Documentum Content Server prior to 7.0 with an extended support agreement are requested to raise hotfix requests through EMC Customer Support.

Row 11: VU#695112
Other IDs: VRF#HUFSA94M, PSRC-2078, PSRC-2003
Summary: EMC Documentum Content Server: backdoor in default installation.
Description: Documentum applications actively use dynamic group capabilities. Though internal EMC documentation recommends setting the "is_protected" flag for dynamic groups (this flag prevents unauthorized DFC clients from using dynamic group capabilities), EMC does not follow these recommendations; while creating a docbase, the Documentum installer creates the dcs_privileged_users dynamic group, makes it a member of the dm_superusers group, and does not set the is_protected flag to true.
Vendor Status:
This is currently being investigated.
COMMENTS:
Status: remediation in progress.
Researcher Comments:
Why is there no comment about the fact that the discussed group is related to Webtop functionality?
EMC Comments / EMC Update as of 12/22/2016:
Additional exploits were tracked via PSRC-2494 and PSRC-2966. All known exploits were addressed.
PSRC-2966
ESA-2015-144
CVE-2015-4544
Fixed versions:
• EMC Documentum Content Server 7.0P21 or later
• EMC Documentum Content Server 7.1P20 or later
• EMC Documentum Content Server 7.2P04 or later
• Customers on EMC Documentum Content Server prior to 7.0 with an extended support agreement are requested to raise hotfix requests through EMC Customer Support.

Row 12: VU#874632
Other IDs: CVE-2014-4626, VRF#HUFU6FNP, PSRC-2079, ESA-2014-105
Summary: EMC Documentum Content Server: any user is able to elevate privileges, hijack the Content Server filesystem, and execute any commands by creating malicious dm_job objects.
Description: Documentum Content Server includes docbase methods that use special permissions to prevent method invocation by regular users. Users can bypass these restrictions by crafting dm_job objects containing arbitrary commands to be executed and by setting the owner of the object to a privileged user.
For more information, including proofs of concept, refer to: http://www.securityfocus.com/archive/1/535893/30/0/threaded
Vendor Status:
THIS HAS BEEN FIXED:
EMC Documentum Content Server version 7.1 P09 and later
EMC Documentum Content Server version 7.0 P16 and later
EMC Documentum Content Server version 6.7 SP2 P18 and later
EMC Documentum Content Server version 6.7 SP1 P29 and later
Researcher Comments:
FIX CONTESTED:
Nothing was fixed at all [see VU#147400].
EMC Comments / EMC Update as of 12/22/2016:
New RPCs that were tracked under PSRC-2445. See PSRC-2445 below.

Row 13: VU#386056
Other IDs: CVE-2014-4626, VRF#HUFV0UZN, PSRC-2080, ESA-2014-105
Summary: EMC Documentum Content Server: any user is able to elevate privileges by creating malicious dm_job_request objects.
Description: Documentum Content Server has two service tasks intended for renaming users and groups: dm_UserRename and dm_GroupRename. Both are triggered when an administrator renames a user or group in Documentum Administrator or when the dm_LDAPSynchronization job completes its execution. These jobs poll uncompleted dm_job_request objects and perform the corresponding changes. Any user is able to create malicious dm_job_request objects and either rename his group to a system group (e.g. dm_superusers) or get unauthorized access to objects.
For more information, including proofs of concept, refer to: http://www.securityfocus.com/archive/1/535893/30/0/threaded
Vendor Status:
THIS HAS BEEN FIXED:
EMC Documentum Content Server version 7.1 P09 and later
EMC Documentum Content Server version 7.0 P16 and later
EMC Documentum Content Server version 6.7 SP2 P18 and later
EMC Documentum Content Server version 6.7 SP1 P29 and later
Researcher Comments:
FIX CONTESTED:
The vulnerability described in VRF#HV1RX6I5 is based on the ability to create dm_job objects, so this issue is not fixed because VRF#HUFU6FNP is not fixed [see VU#874632].
EMC Comments / EMC Update as of 12/22/2016:
PSRC-2445
ESA-2015-131
CVE-2015-4532
Fixed versions:
• EMC Documentum Content Server 6.7SP1P32 or later
• EMC Documentum Content Server 6.7SP2P25 or later
• EMC Documentum Content Server 7.0P19 or later
• EMC Documentum Content Server 7.1P16 or later
• EMC Documentum Content Server 7.2P02 or later

Row 14: VU#147400
Other IDs: CVE-2014-2515, VRF#HV1RX6I5, PSRC-1847, PSRC-2106, ESA-2014-067
Summary: EMC Documentum D2: any user is able to get a superuser login ticket using the D2GetAdminTicketMethod docbase method.
Description: EMC Documentum D2 by design performs some operations in the repository using a privileged session. To acquire a privileged session, D2 creates a c6_method_return object and passes its identifier to the docbase method D2GetAdminTicketMethod. This docbase method generates a superuser ticket (OTP) and stores it in the “message” attribute of the c6_method_return object. Afterwards, D2 reads the superuser ticket from the c6_method_return object and acquires a superuser session. In an exception case, D2GetAdminTicketMethod stores the exception message in the “error” attribute of the c6_method_return object. Any user is able to execute the D2GetAdminTicketMethod docbase method using the Documentum API, generating the superuser ticket.
Vendor Status:
THIS HAS BEEN FIXED:
EMC Documentum D2 3.1 P24
EMC Documentum D2 3.1 SP1 P02 (hotfix)
EMC Documentum D2 4.0 P11 (hotfix)
EMC Documentum D2 4.1 P16
EMC Documentum D2 4.2 P05
See VU#982432 for additional issues derived from the remediation effort of this issue.
EMC Comments / EMC Update as of 12/22/2016:
PSRC-2707
ESA-2015-110
CVE-2015-0550
Fixed versions:
• EMC Documentum Thumbnail Server 6.7 SP1 HFX (install with EMC Documentum Content Server 6.7SP1P32)
• EMC Documentum Thumbnail Server 6.7 SP2 HFX (install with EMC Documentum Content Server 6.7SP2P25)
• EMC Documentum Thumbnail Server 7.0 HFX (install with EMC Documentum Content Server 7.0P21) due in October 2015
• EMC Documentum Thumbnail Server 7.1 HFX (install with EMC Documentum Content Server 7.1P20)
• EMC Documentum Thumbnail Server 7.2 HFX (install with EMC Documentum Content Server 7.2P04)

Row 15: VU#143528
Other IDs: VRF#HV1RX6I5, PSRC-2105
Summary: EMC Documentum D2: D2UpdateChildACLMethod docbase method allows any user to manipulate system ACLs.
Vendor Status:
This is currently being investigated.
COMMENTS:
Status: remediation in progress.
EMC Comments / EMC Update as of 12/22/2016:
PSRC-2550
ESA-2015-131
CVE-2015-4535
Fixed versions:
• EMC Documentum Content Server 6.7SP1P32 or later
• EMC Documentum Content Server 6.7SP2P25 or later
• EMC Documentum Content Server 7.0P19 or later
• EMC Documentum Content Server 7.1P16 or later
• EMC Documentum Content Server 7.2P02 or later

Row 16: VU#907456
Other IDs: CVE-2014-2504, CVE-2015-0518, VRF#HV1RX6I5, PSRC-1988, PSRC-2050, PSRC-2515, ESA-2014-045, ESA-2015-010
Summary: EMC Documentum D2: any user is able to gain superuser privileges using D2 webservices.
Vendor Status:
THIS HAS BEEN FIXED:
EMC Documentum D2 3.1P20
EMC Documentum D2 3.1SP1P02
EMC Documentum D2 4.0P10
EMC Documentum D2 4.1P13
EMC Documentum D2 4.2P01
Researcher Comments:
It’s not possible for this to be fixed in D2 4.2P01 because it was reported against D2 4.2P01; moreover, I have found out that the described webservice changes the password of any user without checking caller privileges.
EMC Comments / EMC Update as of 12/22/2016:
PSRC-2551
ESA-2015-131
CVE-2015-4534
Fixed versions:
• EMC Documentum Content Server 6.7SP1P32 or later
• EMC Documentum Content Server 6.7SP2P25 or later
• EMC Documentum Content Server 7.0P19 or later
• EMC Documentum Content Server 7.1P16 or later
• EMC Documentum Content Server 7.2P02 or later

Row 17: VU#241208
Other IDs: VRF#HX5OLZ0F, PSRC-2445
Summary: EMC Documentum Content Server does not check input arguments for some RPC commands.
Description: RPC command input arguments can be used to elevate privileges using the same technique as described in VRF#HUFG9EBA [see VU#844536]. The only difference is that save operations are performed against new objects, i.e. the attacker is able to create new malicious docbase methods or users with superuser privilege [applies to PSRC-2075, see VU#737264].
Vendor Status:
COMMENTS:
Status: investigating
VRF#HX5OLZ0F has been confirmed. A few more RPCs don't have checks and are currently being investigated. The new attack vectors are being tracked by PSRC-2445.
EMC Comments / EMC Update as of 12/22/2016:
PSRC-2236
ESA-2014-156
CVE-2014-4629
Fixed versions:
• EMC Documentum Content Server 6.7SP1P30 or later
• EMC Documentum Content Server 6.7SP2P19 or later
• EMC Documentum Content Server 7.0P17 or later
• EMC Documentum Content Server 7.1P10 or later
• EMC Documentum Content Server 7.2 and its patch releases

Row 18: VU#160160
Other IDs: CVE-2014-4629, VRF#HX5RU3J4, PSRC-2236
Summary: EMC Documentum Content Server allows unprivileged users to hijack any text file from the Content Server filesystem [see VU#874632].
Description: In VRF#HUFU6FNP [VU#874632], a vulnerability that allows a non-privileged user to hijack any text file from the Content Server filesystem is described. In VRF#HUFOKCF1 [VU#957616], vulnerabilities are described related to improper neutralization of user input in the dm_event_sender docbase method, which also executes dm_mailwrapper.sh.
Vendor Status:
COMMENTS:
Status: remediation in progress
VRF#HX5RU3J4 was already reported by a customer and is being tracked by PSRC-2236. The fixes are tentatively planned to be released in the November 30 patch.
EMC Comments:
Due to the complexity of this issue, this is tentatively targeted to be fixed in 2H 2015.
EMC Update as of 12/22/2016:
This is tracked via PSRC-2105 and it is fixed. It will not be backported to earlier versions due to the complexity of the changes made.
PSRC-2105
CVE-2016-0888
ESA-2016-034
Fixed versions:
EMC Documentum D2 4.6
19
VU#982432CVE-2015-0517
VRF#HZ1YVUNQ
PSRC-2484
PSRC-2485
PSRC-2558
ESA-2015-010
EMC Documentum D2: the patch for the VRF#HV1RX6I5 vulnerability [VU#147400] introduces backdoors.EMC Documentum D2: VRF#HV1RX6I5 [VU#147400] contains a description of vulnerability in D2GetAdminTicketMethod docbase method. The vendor released a patch for this vulnerability in August 2014 (http://archives.neohapsis.com/archives/bugtraq/2014-08/att-0093/ESA-2014-067.txt) that introduces at least four backdoors.Comments:
3 our of the 4 issues are rejected. Issue # 2 is a low priority and will be considered for removal in future releases. See the next column for notes.

See our responses below for each of the 4 issues the researcher has mentioned in the report:

1. Backdoor in com.emc.common.java.crypto.D2LockboxProperties class.

Remedy in progress.

2. D2 code prints MD5 hash of passphrase into log files available to regular user (see previous description and VRF#HV1RX6I5).

Remedy in progress.

3. Backdoor in com.emc.common.dctm.methods.D2MethodContext and com.emc.d2.api.methods.D2Method.

EMC is not aware of any practical attack vector to exploit this issue.

4. Backdoor in used security storage (i.e. Lockbox).

This is under investigation.
1. At first, to exploit this vulnerability it’s enough to delete Lockbox file from Content Server only, after that CS starts encrypting tickets using default passphrase known to attacker. At second, I do know how to remove arbitrary file from D2’s filesystem, but this is another vulnerability not related to current discussion.

2. No comment.

3. Request D2_4.2_patchnotes.htm from EMC, the related fix is mentioned in P06 patch.

4. No comment.
The original issue was fixed in ESA-2014-067. New exploits are tracked via PSRC-2484
PSRC-2485
PSRC-2558

See current status under

PSRC-2484
PSRC-2485
PSRC-2558
20
VU#116072CVE-2015-0550
ESA-2015-110
EMC Documentum Thumbnail Server fails to verify URL parameters, which allows an attacker to hijack arbitrary files from Content Server's filesystem and gain superuser privileges.
For more information, including proofs of concept, refer to:
http://blog.documentum.pro/2015/02/25/beware-of-thumbnail-server
http://seclists.org/bugtraq/2015/Jun/att-114/ESA-2015-110.txt
The reported instances tracked by PSRC-1988 and PSRC-2050 were fixed. During further investigation, a new vulnerable web service API was discovered. This is being tracked under PSRC-2515 and was fixed.

ESA-2015-010
CVE-2015-0518

Fixed versions:
EMC Documentum D2 4.1 P22
EMC Documentum D2 4.2 P11
21
VU#913972VRF#I3N7J2A3
PSRC-2550
EMC Documentum Content Server Java Method Server (JMS) logs sensitive information when the __debug_trace__ parameter is enabled.
EMC Documentum Content Server delegates execution of business logic to an embedded Java application server called "Java Method Server" (JMS). JMS logs login tickets in certain instances when processing the __debug_trace__ parameter. By executing any docbase method using __debug_trace__, an attacker capable of hijacking Content Server logs may be able to obtain superuser tickets and privileges.
1. This is being tracked by PSRC-2484 and fixed.

PSRC-2484
ESA-2015-132
CVE-2015-4537

Fixed versions: EMC Documentum D2 4.5

2. This is being tracked by PSRC-2485 and fixed.

PSRC-2485
ESA-2015-010
CVE-2015-0517

Fixed versions:
EMC Documentum D2 4.1 P22 and later
EMC Documentum D2 4.2 P11 and later
3. This is being tracked by PSRC-2558. EMC is not aware of any practical attack vector to exploit this issue. D2MethodContext and use of thread local storage have been removed altogether in EMC Documentum D2 4.2 P12 and 4.5 (and subsequent patch releases). There is no plan to issue ESA and CVE for this issue.

4. This is related to #2 above so the same plan applies here. EMC reiterates that there is no issue with Lockbox per se here. If an attacker can determine the encryption key used by D2 to encrypt admin login tickets from its MD5 hash, they can essentially bypass Lockbox and decrypt an encrypted login ticket.
22
VU#868828VRF#I3TGW88K
PSRC-2551
EMC Documentum Content Server Java Method Server (JMS) fails to properly validate digital signatures, leading to the possibility of arbitrary code execution.
EMC Documentum Content Server Java Method Server (JMS) implements the following digital signature validation algorithm: it parses the __signature_params__ parameter, reconstructs the query string using the parameters listed in __signature_params__, and validates the signature of the reconstructed query. An attacker capable of crafting a digital signature for a query string without the method_verb parameter may be able to execute arbitrary code in the JMS context, depending on the Java classes present in the classloader.
New exploits were identified and were being tracked by PSRC-2677. Additional exploits were addressed.

PSRC-2677
ESA-2015-130
CVE-2015-4530

Fixed versions:
• EMC Documentum WebTop 6.8P01 or later
• EMC Documentum Administrator 7.2 or later
23