OpenSSL Heartbleed Vulnerability (CVE-2014-0160) does not affect Documentum systems

OpenSSL Heartbleed Vulnerability (CVE-2014-0160) does not affect Documentum systems, simply because they don’t use OpenSSL! There are some concerns only about the on-premise edition of Syncplicity.

Due to a missing bounds check in OpenSSL during the TLS heartbeat extension, up to 64k of memory can be revealed to a connected client or server. This may potentially allow an unauthenticated, remote attacker to gain access to sensitive information such as private keys, login passwords, and encryption keys (Secret Keys). As a result of this disclosure of sensitive information, these Secret Keys can potentially be leveraged to decrypt other sensitive information or conduct so-called man-in-the-middle attacks.

References:

  • Original disclosure: http://heartbleed.com/
  • US CERT: http://www.kb.cert.org/vuls/id/720951
  • NVD: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160&cid=2

Non-Impacted Products:

  • Documentum ApplicationXtender: Does not use OpenSSL
  • Documentum Content Application (ACS, BOCS, DMS, UCF): Does not use OpenSSL
  • Documentum D2: Does not use OpenSSL
  • Documentum DFS: Does not use OpenSSL
  • Documentum eRoom: Does not use OpenSSL
  • Documentum InfoArchive: Does not use OpenSSL
  • Documentum REST Services: Does not use OpenSSL
  • Documentum xPression: Does not use OpenSSL
  • Syncplicity Enterprise Edition On-Premise (All): See ESA-2014-030 for details: https://support.emc.com/kb/185966