ESA-2014-045 Documentum D2 Vulnerability

Today EMC released a note about a vulnerability that affects the Documentum D2 client.

The CVE identifier is CVE-2014-2504 (score 8.5). The affected products are:

  • EMC Documentum D2 3.1 and patch versions
  • EMC Documentum D2 3.1SP1 and patch versions
  • EMC Documentum D2 4.0 and patch versions
  • EMC Documentum D2 4.1 and patch versions
  • EMC Documentum D2 4.2 and patch versions

In particular, EMC Documentum D2 may be vulnerable to arbitrary Documentum Query Language (DQL) query execution: some methods and a D2FS web service method may allow an authenticated user to execute arbitrary DQL queries with superuser privileges. For this reason, an upgrade to the latest patch is strongly recommended.

The following products contain the resolution to this issue:

  • EMC Documentum D2 3.1P20
  • EMC Documentum D2 3.1SP1P02
  • EMC Documentum D2 4.0P10
  • EMC Documentum D2 4.1P13
  • EMC Documentum D2 4.2P01
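
To triage an inventory against the two lists above, here is a small checker, added as an example and not taken from EMC or the advisory. It assumes version strings of the form `<major>.<minor>[SP<n>][P<nn>]` and that patches later than the listed one on the same release line also carry the fix; the function names and sample hosts are illustrative.

```python
import re

# First patch level carrying the fix, per release line, from the advisory above.
FIXED_PATCH = {"3.1": 20, "3.1SP1": 2, "4.0": 10, "4.1": 13, "4.2": 1}

# Assumed version-string shape: <major>.<minor>[SP<n>][P<nn>], e.g. "4.1P13".
_VERSION_RE = re.compile(r"^(\d+\.\d+(?:SP\d+)?)(?:P(\d+))?$")


def parse_d2_version(text):
    """Split a D2 version string into (release_line, patch_number)."""
    cleaned = text.strip().upper().replace(" ", "")
    match = _VERSION_RE.match(cleaned)
    if not match:
        raise ValueError(f"unrecognised D2 version string: {text!r}")
    line, patch = match.groups()
    # A release with no P suffix is treated as patch level 0.
    return line, int(patch) if patch else 0


def esa_2014_045_status(text):
    """Return 'vulnerable', 'fixed' or 'not-listed' for one version string."""
    line, patch = parse_d2_version(text)
    if line not in FIXED_PATCH:
        # The advisory says nothing about this release line; do not guess.
        return "not-listed"
    return "fixed" if patch >= FIXED_PATCH[line] else "vulnerable"


def triage(inventory):
    """Map host -> status; unparseable entries are flagged for manual review."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = esa_2014_045_status(version)
        except ValueError:
            report[host] = "needs-review"
    return report


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = {
    "d2-prod-01": "4.1P12",
    "d2-prod-02": "4.1P13",
    "d2-test-01": "3.1SP1P02",
    "d2-test-02": "4.2",
    "d2-lab-01": "build-unknown",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Entries reported as `not-listed` or `needs-review` are outside what the advisory states and need a manual check against EMC's own documentation.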