Another day, another fix: some may think that Content Server has too many vulnerabilities, but EMC is certainly working very hard these days to make its systems more secure.
I appreciate the way EMC is working on vulnerabilities, and if you consider how many products the EMC Information Intelligence Group manages, you will agree that a security fix is a hard and long task, just considering all the supported platforms on which the fix should be tested.
As usual, in this blog I report all the security bulletins published by EMC. An easy way to know more about security is to subscribe to this RSS channel.
Today EMC released a security note identified as ESA-2014-026 and registered in Common Vulnerabilities and Exposures as CVE-2014-2506, CVE-2014-2507 and CVE-2014-2508.
The affected systems are Content Server versions 6.7, 7.0 and 7.1. EMC stated that “EMC Software: EMC Documentum Content Server all versions prior to 6.7 SP1” also has the same vulnerabilities, but it is not clear whether this also applies to 6.6 and prior versions.
[June 9th update: as reported at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2506, the systems affected by these vulnerabilities are all Content Server versions, including 6.6.x, 6.5.x and 6.0.x]
EMC has released fixes in the following versions:
- EMC Documentum Content Server 7.1 P05 and later
- EMC Documentum Content Server 7.0 P15 and later
- EMC Documentum Content Server 6.7 SP2 P14 and later
- EMC Documentum Content Server 6.7 SP1 P28 and later
EMC strongly recommends all customers upgrade to one of the above versions at the earliest opportunity.
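A version check built from the fixed-version list above, as an added example (not code from EMC or from the original post). The label format (`6.7 SP2 P14`), the status names and the host names are assumptions made for the illustration.

```python
import re

# Minimum fixed patch per (major, minor, service pack), from the list above.
FIXED = {(7, 1, 0): 5, (7, 0, 0): 15, (6, 7, 2): 14, (6, 7, 1): 28}
OLDEST_FIXED_LINE = min(FIXED)  # (6, 7, 1): nothing older has a listed patch

# Assumed label format: "<major>.<minor> [SP<n>] [P<nn>]", e.g. "6.7 SP2 P14".
LABEL = re.compile(r"^\s*(\d+)\.(\d+)(?:\s+SP(\d+))?(?:\s+P(\d+))?\s*$", re.I)


def parse(label):
    """Split a version label into ((major, minor, sp), patch)."""
    m = LABEL.match(label)
    if m is None:
        raise ValueError(f"unrecognised version label: {label!r}")
    major, minor, sp, patch = (int(g or 0) for g in m.groups())
    return (major, minor, sp), patch


def status(label):
    """Classify one Content Server version against ESA-2014-026."""
    line, patch = parse(label)
    if line in FIXED:
        return "fixed" if patch >= FIXED[line] else "apply-patch"
    if line < OLDEST_FIXED_LINE:
        return "upgrade-line"     # affected, and no patch listed for this line
    return "not-in-bulletin"      # line not named on the page; check vendor notes


def audit(inventory):
    """Map each host to its status; unparseable labels are flagged, not skipped."""
    report = {}
    for host, label in inventory.items():
        try:
            report[host] = status(label)
        except ValueError:
            report[host] = "unparsed"
    return report


# Constructed sample inventory (hypothetical host names and labels).
SAMPLE = {"cs-prod-01": "7.1 P05", "cs-prod-02": "7.0 P14", "cs-dr-01": "6.7 SP1 P28",
          "cs-legacy": "6.6", "cs-test": "7.1.0050"}

if __name__ == "__main__":
    for host, result in audit(SAMPLE).items():
        print(f"{host}: {result}")
```

Labels that do not match the assumed format are reported as `unparsed` so they get a manual check instead of being silently treated as patched.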
The latest patches solve these three problems:
- Privilege Escalation (CVE-2014-2506): Authenticated non-privileged users are allowed to create system objects with super user privileges due to improper authorization checks being performed on these objects. This may potentially be exploited by a malicious attacker to gain unauthorized access to data or to perform unauthorized actions on Content Server.
- Shell Injection (CVE-2014-2507): Certain methods in Documentum Content Server perform improper validation checks on input arguments. This may potentially be exploited by an authenticated malicious user to conduct shell injection attacks against these methods and perform unauthorized actions on Content Server.
- DQL Injection (CVE-2014-2508): Certain DQL hints in Documentum Content Server may potentially be exploited by an authenticated malicious user to conduct DQL injection attacks and perform unauthorized database actions.