ESA-2014-023: EMC Documentum JBOSS Remote Code Execution Vulnerability

Today EMC published two security bulletins. The first one, ESA-2014-026, is a vulnerability I discovered. The second one concerns a standard JBoss vulnerability. JBoss is used by some Documentum components, such as the Documentum Java Method Server and xPlore.

Below is the official bulletin.

ESA-2014-023
CVE-2012-0874
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EMC Software: All EMC Documentum Content Server versions of 7.0
EMC Software: All EMC Documentum Content Server versions of 6.7 SP2
EMC Software: All EMC Documentum Content Server versions of 6.7 SP1 and earlier
EMC Software: EMC Documentum xPlore versions of 1.2
EMC Software: EMC Documentum xPlore versions of 1.3
EMC Documentum products listed above may be vulnerable to a remote code execution vulnerability.
EMC Documentum Content Server and xPlore embed JBoss servlets (JMXInvokerServlet and EJBInvokerServlet). These JBoss servlets are vulnerable to a remote code execution vulnerability, which may be exploited to execute remote code with NT AUTHORITY\SYSTEM privileges. The affected JBoss servlets are not required for either Documentum Content Server's or xPlore's functionality.

See http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0874 for more details.

EMC strongly recommends all customers upgrade to one of the versions listed below or apply the workaround for all other affected versions at the earliest opportunity. The following products contain the resolution to this issue:

  • EMC Documentum Content Server version 7.1
  • EMC Documentum Content Server version 7.0 P13 and later
  • EMC Documentum Content Server version 6.7 SP2 P12
  • EMC Documentum Content Server version 6.7 SP1 P24
  • EMC Documentum xPlore version 1.4
  • EMC Documentum xPlore version 1.2 P25 and later

Workaround for all other affected versions of Documentum Content Server and xPlore:

  1. Stop the “Java Method Server” service.
  2. Open <DOCUMENTUM install dir>\jboss5.1.0\server\DctmServer_MethodServer\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml.

For example:

C:\Documentum\jboss5.1.0\server\DctmServer_MethodServer\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml

  3. Modify the web.xml file to remove the definition and mapping for the servlets EJBInvokerServlet and JMXInvokerServlet.
  4. Start the “Java Method Server” service.
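As an added example (not part of the EMC bulletin), the script below audits an invoker web.xml for the two servlets named in step 3 and produces a copy with their servlet definitions and servlet mappings removed, leaving every other servlet intact. The embedded web.xml is a constructed sample that only resembles the shipped file; run the functions against the real path from step 2.

```python
"""Audit and apply the ESA-2014-023 workaround on a JBoss invoker web.xml."""
import xml.etree.ElementTree as ET

# Servlets the bulletin says to remove (both <servlet> and <servlet-mapping>).
INVOKER_SERVLETS = {"JMXInvokerServlet", "EJBInvokerServlet"}
J2EE_NS = "http://java.sun.com/xml/ns/j2ee"
ET.register_namespace("", J2EE_NS)  # keep the default namespace on output

# Constructed sample resembling http-invoker.sar/invoker.war/WEB-INF/web.xml.
SAMPLE_WEB_XML = """<web-app xmlns="%s" version="2.4">
  <servlet><servlet-name>JMXInvokerServlet</servlet-name>
    <servlet-class>org.jboss.invocation.http.servlet.InvokerServlet</servlet-class></servlet>
  <servlet><servlet-name>EJBInvokerServlet</servlet-name>
    <servlet-class>org.jboss.invocation.http.servlet.InvokerServlet</servlet-class></servlet>
  <servlet><servlet-name>SomeOtherServlet</servlet-name>
    <servlet-class>com.example.OtherServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>JMXInvokerServlet</servlet-name>
    <url-pattern>/JMXInvokerServlet/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>EJBInvokerServlet</servlet-name>
    <url-pattern>/EJBInvokerServlet/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>SomeOtherServlet</servlet-name>
    <url-pattern>/other/*</url-pattern></servlet-mapping>
</web-app>
""" % J2EE_NS


def _local(tag):
    """Strip the XML namespace from an element tag: '{ns}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _names(element):
    """Servlet names declared directly under a <servlet> or <servlet-mapping>."""
    return {(c.text or "").strip() for c in element if _local(c.tag) == "servlet-name"}


def exposed_invokers(web_xml):
    """Return the invoker servlets still defined or mapped in the given web.xml text."""
    root = ET.fromstring(web_xml)
    found = set()
    for el in root:
        if _local(el.tag) in ("servlet", "servlet-mapping"):
            found |= _names(el) & INVOKER_SERVLETS
    return found


def remove_invokers(web_xml):
    """Return web.xml text with the invoker <servlet> and <servlet-mapping> entries removed."""
    root = ET.fromstring(web_xml)
    for el in list(root):
        if _local(el.tag) in ("servlet", "servlet-mapping") and _names(el) & INVOKER_SERVLETS:
            root.remove(el)
    return ET.tostring(root, encoding="unicode")
```

Re-running exposed_invokers on the rewritten file after restarting the Java Method Server confirms the workaround held, which is the check a reviewer would want before signing off.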
Registered EMC Online Support customers can download patches and software from support.emc.com at: https://support.emc.com/downloads/2732_Documentum-Server