Adobe AEM & Marketing Cloud group on Linkedin

Adobe AEM is one of the hottest technologies for websites, mobile apps and forms, the ideal platform to manage your marketing content and assets. The Linkedin group I created some years ago has now more than 5.000 registered members!

Join the Adobe AEM & Marketing Cloud group on Linkedin today at https://lnkd.in/e2tTffg and discuss with more than five thousand Adobe AEM subject matter experts (and recruiters)!

 

EMC Documentum 7.2 migration and Murphy’s laws

This month I completed a Documentum 7.2 migration of an existing Documentum 6.7 architecture. As in every Documentum project, I learned a lot. The first thing is that you can work hard to manage all possible risks, but you will not cover ALL the risks: the impossible happened, but that is not big news, as one of Murphy’s Laws describes well…

If anything simply cannot go wrong, it will anyway.

During the Documentum migration I learned something very simple, basic but really new to me: I discovered that the encrypted bof registry user password is validated as-is, by every Documentum Foundation Classes client, for example Documentum Administrator or Webtop, during every standard authentication process.

Introduction

The Global Registry is a special Documentum repository that is used to centrally manage information like DFC client registrations, service-based business objects (SBOs), WDK presets and preferences, and network locations. All Documentum DFC clients use the bof registry user credentials to access the Global Registry repository. Every Documentum client, directly or indirectly, uses DFC, the Documentum Foundation Classes, and every DFC application reads the dfc.properties file during initialisation. Some parameters are defined in that file, and three of them are related to the Global Registry:

  1. dfc.globalregistry.repository, the name of the repository designated as Global Registry;
  2. dfc.globalregistry.username, the login name of the bof registry user, usually dm_bof_registry;
  3. dfc.globalregistry.password, the password of the bof registry user.

During every Documentum client deployment, you need to share the dfc.properties with system administrators, but you don’t want to share a plain text password, right? As reported in every EMC Documentum manual, the bof registry password can be easily encrypted executing this command:

java -cp dfc.jar com.documentum.fc.tools.RegistryPasswordUtils <password_to_be_encrypted>

Then you should copy the output of this command into the dfc.properties file. Since version 7.x, if needed, anyone can decrypt the encrypted password just by executing:

java -cp dfc.jar com.documentum.fc.tools.RegistryPasswordUpgradeTool -decrypt_password  <encrypted_password> 

For example, let’s encrypt / decrypt the SuperCoolPassword2016 string:

Something new I learned

There is no need to decrypt that password! I do admit: in many years I never tried to use the bof registry user encrypted password as a valid password in a Documentum client, but one colleague did it. It worked! That surprised me because, in my mind, encryption is useless without … decryption!

Every Documentum developer/consultant knows that behind the scenes the DFC libraries decrypt the encrypted password: Documentum clients have to (actually should) “register” the application with the Global Registry during first start-up, or just to save information on behalf of the end user (WDK preferences). What I did not know is that DFC also decrypts that password during standard authentication for the bof registry user, in every DFC client, so the plain text password and the encrypted version are interchangeable, everywhere, in all Documentum clients (apart from those based on dmcl).

Words are important and the “encrypted password” term in the dfc.properties file and in standard manuals is misleading, at least to me, but probably that is just my problem! In my opinion, a more correct term could be “client login ticket”, something similar to the standard Documentum login ticket, something that does not need to be decrypted by end users or applications before using it.

I keep thinking about one question again and again: why should someone encrypt a string if everyone can use it, as-is, in every application, without the need to decrypt it? It is more reasonable to use a plain text string instead: everyone can use it, as-is, just like the encrypted password, but … you do not have to encrypt it, there is no need to read manuals, and no need to convert a password encrypted using the DFC 6.7 library for a newer DFC 7.x environment. No need to decrypt a forgotten password.

My doubts can be summarized by a new, not pessimistic, Murphy’s Law:

Use Encryption just if Decryption is necessary….

Documentum login tickets could be a valuable alternative to password encryption for the standard bof registry user: a login ticket generated by a Documentum superuser (using a new Documentum Administrator feature?) can have a limited validity period and one great advantage: the term “login ticket” instead of “encrypted password” is clearer (at least to me!).
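Since the stored value logs in as-is, every copy of dfc.properties holds a usable credential. The following is an added example, not code from the original post or from EMC: a small audit that finds dfc.properties files, reports the Global Registry account they expose and flags loose file permissions. The sample file content, host name, repository name and password value are constructed.

```python
import os
import re
import stat
import tempfile

PASSWORD_KEY = "dfc.globalregistry.password"
USER_KEY = "dfc.globalregistry.username"
REPO_KEY = "dfc.globalregistry.repository"

# key, optional '=' or ':' separator, value (escaped separators inside keys
# are not handled; the DFC key names above do not need them)
_KEY_VALUE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")

# Constructed sample: host, repository and password value are made up.
SAMPLE = """\
# dfc.properties (constructed)
dfc.docbroker.host[0]=docbroker.example.test
dfc.globalregistry.repository=gr_repo
dfc.globalregistry.username=dm_bof_registry
dfc.globalregistry.password=CONSTRUCTED\\
    ENCRYPTED/VALUE==
"""


def parse_properties(text):
    """Parse Java .properties text: '#'/'!' comments, '=' / ':' / space
    separators and backslash line continuations (escapes are not decoded)."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:  # trailing "" flushes a continuation
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        # An odd number of trailing backslashes continues on the next line.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending = line[:-1]
            continue
        match = _KEY_VALUE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def audit_dfc_properties(path):
    """Return (code, detail) findings for one dfc.properties file."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        props = parse_properties(handle.read())
    if not props.get(PASSWORD_KEY):
        return []
    account = "%s@%s" % (props.get(USER_KEY, "?"), props.get(REPO_KEY, "?"))
    # Encrypted or not, the stored value authenticates as-is (per the post),
    # so it is reported as a credential and its value is never printed.
    findings = [("login-equivalent-secret", account)]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append(("world-readable", oct(mode)))
    elif mode & stat.S_IRGRP:
        findings.append(("group-readable", oct(mode)))
    return findings


def scan(root):
    """Walk a directory tree and audit every dfc.properties found."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        if "dfc.properties" in files:
            path = os.path.join(folder, "dfc.properties")
            report[path] = audit_dfc_properties(path)
    return report


def demo():
    """Write the constructed sample with mode 0644 and audit it."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "dfc.properties")
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(SAMPLE)
        os.chmod(path, 0o644)
        return list(scan(root).values())[0]


if __name__ == "__main__":
    for code, detail in demo():
        print(code, detail)
```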

***

Good news after Documentum 7.2 migration

The new Documentum 7.2 architecture is working very well, better than the older one. At the moment we do not know what really improved performance. Many variables changed during the migration: the Java runtime (from 1.6 to 1.7), the OS (from Solaris 10 to Solaris 11), Sparc CPUs and Documentum (from 6.7 SP2 to 7.2). One should isolate every single variable in order to discover what really changed performance, but everybody spends time and money only when things or performance are not going well. I like to think (and I am supposing) that Documentum 7.2 added great value to the overall architecture performance.

Adobe AEM & Marketing Cloud group on Linkedin

With more than 4.500 registered members, the Adobe AEM & Marketing Cloud group on Linkedin, which I created a few years ago, is the fastest growing group about Adobe technologies. Join this group to get just-in-time news, information about events and references to useful materials to learn more or to solve technical problems. Join your peers now!

Managing your content with the Adobe Experience Manager Template Editor on next AEM 6.2

In this workbook, Gabriel Walt, Adobe Product Manager, describes how to manage your content with the Adobe Experience Manager Template Editor, a new feature that will be released with the upcoming Adobe AEM 6.2.

EMC Documentum D2 Vulnerability explained

Last Thursday EMC released the ESA-2016-034 security bulletin. This is related to a Documentum D2 vulnerability (CVE-2016-0888). As reported in the bulletin by EMC:

Prior to EMC Documentum D2 4.6, many D2 Configuration object types were not properly protected with ACLs. As a result, an authenticated but unprivileged user could then modify or delete such objects.

The severity is high. EMC recommends that all customers upgrade to D2 4.6 at the earliest opportunity. There is no patch and you have to plan a D2 upgrade to the latest version. The affected versions are all D2 products, from the very old version 3.1 to the more recent version 4.5.

Every upgrade should be planned carefully and you can decide to upgrade your D2 environment later. I strongly advise completing the D2 upgrade sooner. In the next paragraphs I will explain why.

D2 configurations

Documentum D2 is an interesting way to create document management applications based on Documentum, just using configurations. D2 is very, very powerful: it provides many configuration points. With these, a business user can create complex document/content management applications just by combining configuration points, virtually without writing a single line of code.

My company released some Documentum D2 based applications and we really liked this approach because we can configure very complex applications and satisfy our customers with a reasonable budget.

The D2 data model, before the version 4.6

One of the easiest ways to learn a new product is to understand how it is implemented. When I started my first Documentum D2 project, I tried to understand the D2 data model and how it works. So, I learned that EMC used a lot of custom object types. I mean, a lot! No wonder: this is a way to work, although more than one hundred custom object types is really a big number!

Most of the D2 and D2 Plus pack custom object types do not have a supertype or are not a dm_sysobject subtype:

  • This is good because this is an easy way to not inherit useless metadata;
  • This could be really bad, because instances of a custom object type with no supertype cannot be protected using standard ACL.

To create a new custom object type an authenticated user should have a CREATE TYPE privilege or should be a Sysadmin or a Superuser. Only a superuser can create new custom object types with no supertype.

Apart from that, every authenticated user could potentially execute DQL queries and discover important information stored in the instances of an object type with no supertype. Moreover, any authenticated user can execute arbitrary CREATE OBJECT, UPDATE OBJECT or DELETE OBJECT statements and change what other users created or modified.

One of the most important D2 object types is the d2_documentset_switch: this is the object type that is used to model the configuration matrix where a Documentum D2 developer defines new D2 applications just using a GUI, the Documentum D2 Config application. With Documentum D2 Config, the D2 developer can modify, change the application behavior, adding or removing functionalities to a group of users or for more detailed D2 contexts.

The d2_documentset_switch is an example of an object type that has no supertype: instances of this object type cannot be protected with an ACL; every authenticated user can update or delete d2_documentset_switch instances. That has a tremendous security impact: with a simple DELETE d2_documentset_switch OBJECT every user can delete your Documentum D2 applications in a few milliseconds. Ok, one can argue that if that happens it will be easy to restore the D2 configurations (if the developer exported/saved them, of course…). But it is not easy to understand whether someone has executed one or more of the more insidious UPDATE d2_documentset_switch OBJECT (…) statements.

The d2_documentset_switch object type is just one of the more than 100 D2 object types and most of them have no supertype or are not a dm_sysobject subtype, so here the problem is the same for all those object types.

The new D2 data model

There is just one solution to this vulnerability: the D2 4.6 upgrade. A migration tool provided by EMC will help Documentum administrators to migrate the existing data model to the new one. This upgrade is not exactly cheap but you have to consider it as soon as possible. Until then, Documentum D2 administrators have only one choice to mitigate this vulnerability: prevent standard users from executing DQL queries. That is not impossible, and this vulnerability could be a business justification to start and complete a Documentum hardening.

Btw, do you have a copy of all D2 configurations?
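The two checks this post points to, as an added example that is not part of the original post or of any EMC tool: first classify the D2 types by whether an ACL can protect their instances, then compare a trusted export of an unprotected type with its current rows to surface silent deletes and updates. All rows are constructed; the `d2` name prefix, the `d2_example_*` types, the inventory query mentioned in the comment and every attribute name except `r_object_id` are assumptions.

```python
import hashlib
import json

# Constructed rows shaped like the result of an assumed inventory query such
# as "SELECT name, super_name FROM dm_type". Only d2_documentset_switch,
# dm_sysobject and dm_document are real names; d2_example_* are hypothetical.
TYPE_ROWS = [
    ("dm_sysobject", ""),
    ("dm_document", "dm_sysobject"),
    ("d2_documentset_switch", ""),
    ("d2_example_base", ""),
    ("d2_example_rule", "d2_example_base"),
    ("d2_example_doc", "dm_document"),
]


def ancestry(type_name, parents):
    """Return [type, parent, grandparent, ...], refusing cyclic input."""
    chain = []
    current = type_name
    while current:
        if current in chain:
            raise ValueError("cycle in type hierarchy at %r" % current)
        chain.append(current)
        current = parents.get(current, "")
    return chain


def classify_types(rows, prefix="d2"):
    """Split types named prefix* by whether an ACL can protect instances."""
    parents = {name: (parent or "").strip() for name, parent in rows}
    report = {"acl_capable": [], "no_supertype": [], "non_sysobject": []}
    for name in sorted(parents):
        if not name.startswith(prefix):
            continue
        chain = ancestry(name, parents)
        if "dm_sysobject" in chain:
            report["acl_capable"].append(name)
        elif len(chain) == 1:
            report["no_supertype"].append(name)
        else:
            report["non_sysobject"].append(name)
    return report


def fingerprint(row):
    """Stable SHA-256 over one exported object (dict of attribute values)."""
    canonical = json.dumps(row, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def diff_snapshots(baseline, current, key="r_object_id"):
    """Compare a trusted export with the live rows of an unprotected type."""
    old = {row[key]: fingerprint(row) for row in baseline}
    new = {row[key]: fingerprint(row) for row in current}
    return {
        "deleted": sorted(set(old) - set(new)),
        "created": sorted(set(new) - set(old)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


# Constructed instances; attribute names other than r_object_id are hypothetical.
BASELINE = [
    {"r_object_id": "id-0001", "config_name": "HR app", "enabled": True},
    {"r_object_id": "id-0002", "config_name": "Legal app", "enabled": True},
    {"r_object_id": "id-0003", "config_name": "QA app", "enabled": True},
]
CURRENT = [
    {"r_object_id": "id-0001", "config_name": "HR app", "enabled": True},
    {"r_object_id": "id-0002", "config_name": "Legal app", "enabled": False},
    {"r_object_id": "id-0004", "config_name": "Unknown", "enabled": True},
]

if __name__ == "__main__":
    print(classify_types(TYPE_ROWS))
    print(diff_snapshots(BASELINE, CURRENT))
```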

Adobe AEM & Digital Marketing Cloud conferences

The interest in Adobe AEM & Digital Marketing Cloud is growing day by day. That is confirmed by the job posts, by the projects released and shared on GitHub (for example, the fantastic projects released by the Adobe Consulting Services) or, without going too far, by the number of members of the community I created some years ago: the Adobe AEM & Digital Marketing Cloud group on Linkedin, with more than 4.100 registered members.

Another way to discover how the market considers a technology is to find the number and quality of the conferences around the world related to the product or technology. There is a big interest on Adobe AEM & Digital Marketing Cloud: Adobe and independent companies and agencies organize many conferences.

In 2016, Adobe will organize:

The interesting point is that there are many other conferences organized by independent companies and sponsored by Adobe:

  •  Circuit, (July 27 & 28, 2016 Chicago, IL),
  • Evolve, (August 29-31, 2016, San Diego | Hard Rock Hotel),
  • AEM HUB, (to be announced),
  • Connect, formerly known as CQCON, (to be announced),
  • AdaptTo, (to be announced).

Probably I will attend one of these and I will report my experience on my blog, in the Linkedin group or “just” on Linkedin: which conference do you prefer/suggest?

Did I forget other conferences or important meetups? Let me know so that I can update this page and make it a good reference for Adobe AEM and Adobe Marketing Cloud related events!

You can follow me on Twitter: http://twitter.com/artika4biz, on Linkedin http//linkedin.com/in/yurisimione or you can subscribe to my blog at http://www.artika.biz

QR Code generator component for Adobe AEM / CQ5

I like Adobe AEM so much: it is very easy to customize this product and make our customers happier. Moreover, Adobe AEM is based on a wonderful stack, and it is easier to work on state-of-the-art technology: Apache Jackrabbit OAK, Apache Sling, Apache Felix and the most important layer, Adobe AEM, are very well integrated and very powerful technologies.

A new customer requirement

A customer asked me to create a new Adobe AEM component to generate QR Code images on the fly. The functional requirement is pretty simple: the author wants to add a QR Code that “renders” the current page url. Occasionally the author wants to create a QR Code for an external url or a different page. QR Codes are very useful because with a smartphone or tablet, everyone can scan the QR Code from a monitor and continue browsing far from the desktop or far from a digital . In addition, if the end user prints the page that contains a QR Code, it will be super fast to scan the QR Code and, again, to continue to surf the same printed information days or months later, without entering an annoying url. Finally, a QR Code can store more than 4.000 characters in a single image: it is possible to store on a printed page any kind of information, like Sling selectors and parameters used to access the original page, the visitor navigation path or detailed information about a specific product shown on the web site.

Why QR Code?

If you think that this is another strange requirement from your digital marketing team, you will probably change your mind. QR Codes are in some way related to digital marketing because they can connect a casual visitor to a specific page or, better, to a new web site that he or she never knew or visited before. Think about digital signage in a shop or in an airport. Do you see the point?

If you are, like me, a digital marketing newbie, you probably still don’t get the importance of the QR Code technology. Ok, this is not something you have to appreciate or love, this is just an image, but probably your digital marketing team will ask you for something similar soon. Adobe Experience Manager is used not just to publish sites or to create cool web applications or Html5 based apps for mobile phones or tablets. With AEM your digital marketing team can engage shoppers in large  in a shopping aisle of a shopping center, in the airport, in a public place, using digital signage or digital kiosks. Finally, do you know that public administrations are using Adobe AEM? Visitors are not just shoppers: casual visitors could also be citizens who are looking for useful information in a few seconds, just by watching a digital kiosk in a public place.

By the way, did you notice the new “Screen” link in the AEM 6 projects console? There are and there will be more features in AEM that integrate digital experiences in physical stores.

The QR Generator component implementation

This is what my customer was asking for. It is nothing more than that: a new component to create a QR Code, to drag and drop directly into the web page (or to statically include in every page):

Of course, he wants the new component to work with, and be configurable via, the new Touch UI interface:

With libraries like ZXing it is very easy to create a QR Code image from a string.  So, the first thing to do is to import one of these libraries as an OSGI bundle.

The good news is that Adobe already provides a similar bundle in the standard implementation. Adobe is using this bundle to publish the url of the authored mobile apps with a QR Code. In the OSGI system console you can easily find this bundle:

The QR Code of the CRX DE Lite url, on your local AEM instance.

The same bundle is in the “active” state in the publish instance so we don’t have to manually activate that.

The bundle implements a simple servlet that renders a QR Code just passing the “url” parameters to the servlet …url. So, for example, to create a QR Code to the Adobe CRX DE Lite application, one can just enter this url: http://localhost:4502/libs/wcm/mobile/qrcode.png?url=http://localhost:4502/crx/de

With this bundle, the implementation required few steps and, literally, very few lines of Java code. I just created a new component named qrcode-generator. Here, below, is the Java code that I wrote for the component logic:

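<%@ page import="com.day.cq.commons.Externalizer,
                 java.net.URLEncoder,
                 javax.jcr.Node"%>
<%@ include file="/libs/foundation/global.jsp"%>
<%
    final String CODE = "qrcode"; // the QR code property name
    final String WIDTH = "width"; // the image width property name
    Node n = currentNode;
    if (!n.hasProperty(CODE)) {
        // First render: default the QR code to the externalized publish URL of the current page
        String extension = "." + slingRequest.getRequestPathInfo().getExtension();
        Externalizer externalizer = resourceResolver.adaptTo(Externalizer.class);
        String myExternalizedUrl = externalizer.publishLink(resourceResolver, currentPage.getPath() + extension);
        n.setProperty(CODE, myExternalizedUrl);
        n.setProperty(WIDTH, 100); // default width
        n.getSession().save();
    }
    // Author-supplied values are encoded before they reach the markup: the target is
    // URL-encoded as a query parameter, then both attributes are HTML-attribute-encoded
    // (xssAPI is assumed to be the XSSAPI object made available through global.jsp).
    String qrTarget = URLEncoder.encode(properties.get(CODE, ""), "UTF-8");
    String qrSrc = request.getContextPath() + "/libs/wcm/mobile/qrcode.png?url=" + qrTarget;
%>
<img width="<%= xssAPI.encodeForHTMLAttr(properties.get(WIDTH, "")) %>" src="<%= xssAPI.encodeForHTMLAttr(qrSrc) %>"/>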

Configuration

I created the component dialogs for both the Classic and the Touch UI, just using the CRX DE Lite:

One important point is that the standard bundle generates QR Codes only for urls (not for any kind of text), and only for urls that are in a whitelist defined as a regex. Urls based on the Externalizer service are automatically whitelisted: that’s why I used the Externalizer in the component logic implementation. The externalizer.publishLink call creates a link to the Adobe AEM publish instance. If you need to create QR Codes for generic text, you just have to modify the component configuration via the Apache Felix Console, using the menu OSGI >> Configuration:

And that’s it. Now the author can create a new QR Code in few seconds! Watch the new component in action on Vimeo.

The component package

I like to share my Adobe AEM experience and it is a pleasure to do that when many other colleagues do the same, daily. I created a new package that contains the custom component and everything needed to use the new component. Just click on the image below, download the package and try it in your environment (you have to install the package and enable the new component in your pages, but I am supposing you know how to do that).

Next steps

It would be good to add a configuration to include the Alt text and a Description for the rendered QR Code, as for every html <img /> tag. Then the dialogs need to be updated in order to enable modifications of the new attributes. I am going to complete these changes (just a few minutes required using the AEM stack!).

The digital marketing team is composed of “volcanic” people. They are never satisfied and they want more and more, every day, something different, something more innovative. In the future they will want something like newer and fancier QR Codes. We are ready to make our digital marketing team happy because with Adobe AEM you can concentrate “just” on business logic.

If you need more information or if you need a custom AEM implementation, just ask me or my company, Next 2U Consulting, a consultancy firm based in Rome, Italy.

You can follow me on Twitter: http://twitter.com/artika4biz or on Linkedin http//linkedin.com/in/yurisimione .

Content Management repository is a graph – Part I

 

In October, I attended GraphConnect 2014 in San Francisco. GraphConnect is a conference and an event organised by Neo Technology, the company behind Neo4J, one of the most important NoSQL databases.


Neo4j is a graph database, a database that uses graph structures with nodes, edges, and properties to represent and store data. A graph database provides a mechanism for storage and retrieval of data that is modeled in means other than the tabular relations used in relational databases. NoSQL databases can be classified in five categories,

  • Column: like Accumulo, Cassandra, Druid, HBase
  • Document: like Clusterpoint, Apache CouchDB, Couchbase, MarkLogic, MongoDB
  • Key-value: like Dynamo, FoundationDB, MemcacheDB, Redis, Riak, FairCom c-treeACE, Aerospike
  • Graph: like Allegro, Neo4J, InfiniteGraph, OrientDB, Virtuoso, Stardog

If you are looking for a new technology to learn or to approach, for sure every NoSQL field is cool enough to require attention (and to provide great visibility in the labour market). Among NoSQL databases, graph databases are the coolest technology. As reported during the GraphConnect conference by Emil Eifrem, founder and Ceo of Neo Technology, “Graphs are eating the world”. This sentence is not just a slogan, instead it describes clearly, what is happening. The image reported below (source db-engines.com) confirms that, with no doubts:

The DB-Engines Ranking is a list of database management systems ranked by their current popularity. The DB-Engines Ranking algorithm measures the interest in database vendors and database models (as reported in the graph) using: number of mentions on websites, Google Trends, frequency of technical discussions, number of job offers, number of profiles in professional networks, and number of Twitter tweets in which the db system or db model is mentioned. I don’t know how the ranking algorithm works in detail but the graph is clear: graph databases are growing in popularity more than any other NoSQL technology.

[continue on Linkedin: https://www.linkedin.com/pulse/content-management-repository-graph-part-i-yuri-simione]

Follow me on Twitter and Linkedin.

 

APIs for DUMMIES – eBook review – Apigee special edition

Yesterday I downloaded the APIs for DUMMIES ebook. I really liked this book because in 2 or 3 hours you can read it and learn about REST API best practices.

This is just what we are doing right now and I found many useful and interesting ideas and suggestions.

I like this kind of book: they are not academic, they are free (!) and you can learn about best practices without spending hours reading to understand the reason why these are best practices.

Without explanations or more details, for sure “you have to believe” that these few pages are correct but, in this case, the apigee name is a guarantee for all the readers.

In just 36 pages, many important points are condensed, like:

  • Keep your base URL simple and intuitive
  • Use two base URLs per resource.
  • Keep verbs out of your base URLs. Use verbs just for responses that don’t involve resources (like calculate, language translation, etc)
  • Use HTTP verbs to operate on the collections and elements.
  • (…) keep your API intuitive by simplifying the associations between resources, and sweeping parameters and other complexities under the rug of the HTTP question
  • Regarding error and status code: use HTTP status code but not too much…. Start by using the following 3 codes. If you need more, add them. But you shouldn’t need to go beyond 8.
      • 200 – OK
      • 400 – Bad Request
      • 500 – Internal Server Error
  • If you’re not comfortable reducing all your error conditions to these 3, try picking among these additional 5:
      • 201 – Created
      • 304 – Not Modified
      • 404 – Not Found
      • 401 – Unauthorized
      • 403 – Forbidden
  • Never release an API without a version and make the version mandatory.
  • Support partial response by adding optional fields in a comma delimited list.
  • Use limit and offset to make it easy for developers to paginate objects.
  • Consolidate all API requests under one API subdomain.
  • The API Façade Pattern

So, if you have a couple of hours and if you like application development tools and techniques, you have to read this ebook!

ESA-2014-046 – Multiple Content Server vulnerabilities fixed

Another day, another fix: someone can think that Content Server has too many vulnerabilities, but for sure during these days EMC is working very hard to make its systems more secure.

I appreciate the way EMC is working on vulnerabilities and if you consider how many products the EMC Information Intelligence Group is managing, you will agree that security fixing is a hard and long task, just considering all the supported platforms where each fix should be tested.

As usual, in this blog I report all the security bulletins published by EMC. An easy way to know more about security is to subscribe to this RSS channel.

 

Today EMC released a security note identified by the ESA-2014-026 and registered on the Common Vulnerabilities and Exposures as CVE-2014-2506, CVE-2014-2507 and CVE-2014-2508.

 

The affected systems are Content Server version 6.7, 7.0 and 7.1. EMC stated that even all the “EMC Software: EMC Documentum Content Server all versions prior to 6.7 SP1″ has the same vulnerabilities but it is not clear if this is valid even for 6.6 and prior versions.

[June 9th update: as reported in the http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2506 the systems affected by these vulnerabilities are all the Content Server versions, even the 6.6.x, 6.5.x and 6.0.x]

 

For sure EMC strongly recommends all customers upgrade to one of the versions reported below, at the earliest opportunity:

  • EMC Documentum Content Server 7.1 P05 and later
  • EMC Documentum Content Server 7.0 P15 and later
  • EMC Documentum Content Server 6.7 SP2 P14 and later
  • EMC Documentum Content Server 6.7 SP1 P28 and later

Latest patches solve these three problems:

  • Privilege Escalation (CVE-2014-2506): Authenticated non-privileged users are allowed to create system objects with super user privileges due to improper authorization checks being performed on these objects. This may potentially be exploited by a malicious attacker to gain unauthorized access to data or to perform unauthorized actions on Content Server.
  • Shell Injection (CVE-2014-2507): Certain methods in Documentum Content Server perform improper validation checks on input arguments. This may potentially be exploited by an authenticated malicious user to conduct shell injection attacks against these methods and perform unauthorized actions on Content Server.
  • DQL Injection (CVE-2014-2508): Certain DQL hints in Documentum Content Server may potentially be exploited by an authenticated malicious user to conduct DQL injection attacks and perform unauthorized database actions.
