ESA-2014-026: EMC Documentum Content Server Information Disclosure Vulnerability

This January I discovered a security issue that affects some EMC Documentum Content Server engines. EMC resolved this issue and just today released the security bulletin ESA-2014-026.

This is the second credit I have received from EMC, after the one published in ESA-2012-009.

I responsibly never publicly disclosed the exploit for the first issue I discovered, and I never will, because that security problem affects many Documentum systems that are not supported (versions 6.5, 6.0 and 5.3), and we know that some customers are still using these versions right now. For these versions no solution or fix exists, and none will exist in the future (and IMHO this security issue is very dangerous).

I decided to publish the exploit related to the newly published security alert: I will do that in a few weeks, to provide enough time to apply the patch in your production environments. I will explain why a Documentum administrator should update their managed systems.

If you like this information, you can subscribe to this blog, follow me on Twitter, or add my LinkedIn profile to your network.

Below is the official bulletin.

ESA-2014-026
CVE-2014-0642
CVSS v2 Base Score: 4 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
EMC Software: All EMC Documentum Content Server versions of 7.1
EMC Software: All EMC Documentum Content Server versions of 7.0
EMC Software: All EMC Documentum Content Server versions of 6.7 SP2
EMC Software: All EMC Documentum Content Server versions of 6.7 SP1
EMC Software: All EMC Documentum Content Server versions prior to 6.7 SP1
EMC Documentum Content Server may be vulnerable to an information disclosure vulnerability.
EMC Documentum Content Server may be vulnerable to an information disclosure vulnerability that may potentially be exploited by malicious users to gain unauthorized access to metadata. This is due to improper authorization checks being performed when trying to access metadata from folders outside of restricted folders configured for Content Server users. This vulnerability is only limited to reading the metadata as the malicious user is not able to gain read/write access to the content itself.
EMC recommends all customers upgrade to one of the versions listed below at the earliest opportunity.

  • EMC Documentum Content Server version 7.1 P02 and later
  • EMC Documentum Content Server version 7.0 P13 and later
  • EMC Documentum Content Server version 6.7 SP2 P13 and later
  • EMC Documentum Content Server version 6.7 SP1 P26 and later

Registered EMC Online Support customers can download patches and software from support.emc.com at: https://support.emc.com/downloads/2732_Documentum-Server
Credits: EMC would like to thank Yuri Simione (http://twitter.com/artika4biz) for reporting this issue.