In October, I attended GraphConnect 2014 in San Francisco. GraphConnect is a conference and event organised by Neo Technology, the company behind Neo4J, one of the most important NoSQL databases.
Neo4j is a graph database, a database that uses graph structures with nodes, edges, and properties to represent and store data. A graph database provides a mechanism for storing and retrieving data that is modeled in ways other than the tabular relations used in relational databases. NoSQL databases can be classified in five categories:
Column: like Accumulo, Cassandra, Druid, HBase
Document: like Clusterpoint, Apache CouchDB, Couchbase, MarkLogic, MongoDB
Key-value: like Dynamo, FoundationDB, MemcacheDB, Redis, Riak, FairCom c-treeACE, Aerospike
Graph: like Allegro, Neo4J, InfiniteGraph, OrientDB, Virtuoso, Stardog
If you are looking for a new technology to learn or approach, every NoSQL field is certainly interesting enough to deserve attention (and to provide great visibility in the labour market). Among NoSQL databases, graph databases are the coolest technology. As Emil Eifrem, founder and CEO of Neo Technology, said during the GraphConnect conference, “Graphs are eating the world”. This sentence is not just a slogan: it clearly describes what is happening. The image reported below (source db-engines.com) confirms that beyond doubt:
The DB-Engines Ranking is a list of database management systems ranked by their current popularity. The DB-Engines ranking algorithm measures the interest in database vendors and database models (as reported in the graph) using: the number of mentions on websites, Google Trends, the frequency of technical discussions, the number of job offers, the number of profiles in professional networks, and the number of tweets in which the database system or model is mentioned. I don’t know how the ranking algorithm works in detail, but the graph is clear: graph databases are growing in popularity more than any other NoSQL technology.
Yesterday I downloaded the APIs for DUMMIES ebook. I really liked this book because in 2 or 3 hours you can read it and learn about REST API best practices.
This is just what we are doing right now, and I found many useful and interesting ideas and suggestions.
I like this kind of book: they are not academic, they are free (!), and you can learn about best practices without spending hours reading and understanding why these are best practices.
Without explanations or further details you certainly “have to believe” that those few pages are correct, but in this case the Apigee name is a guarantee for all readers.
In just 36 pages, many important points are condensed, like:
Keep your base URL simple and intuitive
Use two base URLs per resource.
Keep verbs out of your base URLs. Use verbs just for responses that don’t involve resources (like calculate, language translation, etc)
Use HTTP verbs to operate on the collections and elements.
(…) keep your API intuitive by simplifying the associations between resources, and sweeping parameters and other complexities under the rug of the HTTP question mark
Regarding error and status codes: use HTTP status codes, but not too many. Start by using the following 3 codes. If you need more, add them. But you shouldn’t need to go beyond 8.
• 200 – OK
• 400 – Bad Request
• 500 – Internal Server Error
If you’re not comfortable reducing all your error conditions to these 3, try picking among these additional 5:
• 201 – Created
• 304 – Not Modified
• 404 – Not Found
• 401 – Unauthorized
• 403 – Forbidden
Never release an API without a version and make the version mandatory.
Support partial response by adding optional fields in a comma delimited list.
Use limit and offset to make it easy for developers to paginate objects.
Consolidate all API requests under one API subdomain.
The API Façade Pattern
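Several of the points above (partial response via a comma-delimited fields list, limit/offset pagination, and a deliberately small set of status codes) can be shown in one request handler. This is an added illustration, not code from the Apigee ebook; the dogs collection, the MAX_LIMIT cap and the error body shape are assumptions.

```python
"""Partial response (fields=) and limit/offset pagination for a REST
collection endpoint, in the style recommended by the ebook above.
Added example; resource name, caps and error shape are assumptions."""
from typing import Any, Dict, Tuple

# Constructed sample collection; a real API would read from a data store.
DOGS = [
    {"id": 1, "name": "Rex", "breed": "collie", "owner": "ann"},
    {"id": 2, "name": "Fido", "breed": "beagle", "owner": "bob"},
    {"id": 3, "name": "Lassie", "breed": "collie", "owner": "cat"},
]
MAX_LIMIT = 100  # assumed cap: one request must not dump the whole table
ALLOWED_FIELDS = {"id", "name", "breed", "owner"}


def _int_param(params: Dict[str, str], name: str, default: int, lo: int, hi: int) -> int:
    """Parse an integer query parameter; raise ValueError if missing range."""
    raw = params.get(name, default)
    try:
        value = int(raw)
    except (TypeError, ValueError):
        raise ValueError(f"{name} must be an integer")
    if not lo <= value <= hi:
        raise ValueError(f"{name} must be between {lo} and {hi}")
    return value


def list_dogs(params: Dict[str, str]) -> Tuple[int, Any]:
    """GET /v1/dogs?fields=name,breed&limit=2&offset=1 -> (status, body).

    Only 200 and 400 are produced here, following the 'start with 3 codes'
    advice; unexpected failures would map to 500 at the framework layer."""
    try:
        limit = _int_param(params, "limit", 10, 1, MAX_LIMIT)
        offset = _int_param(params, "offset", 0, 0, 10**9)
        fields = ALLOWED_FIELDS
        if "fields" in params:
            requested = {f.strip() for f in params["fields"].split(",") if f.strip()}
            unknown = requested - ALLOWED_FIELDS
            if unknown or not requested:
                raise ValueError(f"unknown fields: {sorted(unknown)}")
            fields = requested  # whitelist only: never echo unknown names
    except ValueError as exc:
        return 400, {"error": str(exc)}  # reject bad input, never silently "fix" it
    page = DOGS[offset:offset + limit]
    items = [{k: v for k, v in dog.items() if k in fields} for dog in page]
    return 200, {"items": items, "limit": limit, "offset": offset, "total": len(DOGS)}
```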
So, if you have a couple of hours and you like application development tools and techniques, you should read this ebook!
Another day, another fix: someone might think that Content Server has too many vulnerabilities, but EMC is certainly working very hard these days to make its systems more secure.
I appreciate the way EMC is working on vulnerabilities, and if you consider how many products the EMC Information Intelligence Group is managing, you will agree that fixing security issues is a hard and long task, just considering all the supported platforms on which the fix has to be tested.
As usual, in this blog I report all the security bulletins published by EMC. An easy way to know more about security is to subscribe to this RSS channel.
Today EMC released a security note identified as ESA-2014-026 and registered in the Common Vulnerabilities and Exposures database as CVE-2014-2506, CVE-2014-2507 and CVE-2014-2508.
The affected systems are Content Server versions 6.7, 7.0 and 7.1. EMC stated that “EMC Software: EMC Documentum Content Server all versions prior to 6.7 SP1” also has the same vulnerabilities, but it is not clear whether this also applies to 6.6 and earlier versions.
EMC strongly recommends that all customers upgrade to one of the versions reported below at the earliest opportunity:
EMC Documentum Content Server 7.1 P05 and later
EMC Documentum Content Server 7.0 P15 and later
EMC Documentum Content Server 6.7 SP2 P14 and later
EMC Documentum Content Server 6.7 SP1 P28 and later
EMC strongly recommends all customers upgrade to one of the above versions at the earliest opportunity.
The latest patches solve these three problems:
Privilege Escalation (CVE-2014-2506): Authenticated non-privileged users are allowed to create system objects with superuser privileges due to improper authorization checks being performed on these objects. This may potentially be exploited by a malicious attacker to gain unauthorized access to data or to perform unauthorized actions on Content Server.
Shell Injection (CVE-2014-2507): Certain methods in Documentum Content Server perform improper validation checks on input arguments. This may potentially be exploited by an authenticated malicious user to conduct shell injection attacks against these methods and perform unauthorized actions on Content Server.
DQL Injection (CVE-2014-2508): Certain DQL hints in Documentum Content Server may potentially be exploited by an authenticated malicious user to conduct DQL injection attacks and perform unauthorized database actions.
Today EMC announced a security fix to address a Blind Documentum Query Language (DQL) Injection vulnerability in Documentum Digital Asset Manager (DAM).
The affected versions are:
EMC Software: EMC Documentum Digital Asset Manager 6.5 SP3
EMC Software: EMC Documentum Digital Asset Manager 6.5 SP4
EMC Software: EMC Documentum Digital Asset Manager 6.5 SP5
EMC Software: EMC Documentum Digital Asset Manager 6.5 SP6
The DAM thumbnail proxy server allows unauthenticated users to query objects using a vulnerable URL query string parameter. A malicious attacker may potentially conduct Blind DQL injection attacks using the vulnerable parameter to infer or modify the database contents.
EMC released a hotfix for DAM 6.5 SP3, 6.5 SP4, and 6.5 SP5. For 6.5 SP6, patch P13 and later contain the resolution for this issue.
EMC strongly recommends that all customers apply the hotfix or upgrade at the earliest opportunity.
You can subscribe to the RSS feeds related to the security alerts published on my blog.
Today EMC released a note related to a vulnerability that affects the Documentum D2 client.
The CVE vulnerability identifier is CVE-2014-2504 (score 8.5). The affected products are:
EMC Documentum D2 3.1 and patch versions
EMC Documentum D2 3.1SP1 and patch versions
EMC Documentum D2 4.0 and patch versions
EMC Documentum D2 4.1 and patch versions
EMC Documentum D2 4.2 and patch versions
In particular, EMC Documentum D2 may be vulnerable to an arbitrary Documentum Query Language (DQL) query execution vulnerability, because there are methods and a D2FS web service method that may allow an authenticated user to execute arbitrary DQL queries with superuser privileges. For this reason, an upgrade to the latest patch is strongly recommended.
The following products contain the resolution to this issue:
In the ULTIMISSIME section of Mac magazine 067, on newsstands in May 2014, the first articles I drew from attending the Macworld/iWorld 2014 event, held in San Francisco from 27 to 29 March 2014, are published.
The OpenSSL Heartbleed vulnerability (CVE-2014-0160) does not affect Documentum systems, simply because they don’t use OpenSSL! There are some concerns only about the on-premise edition of Syncplicity.
Due to a missing bounds check in OpenSSL during the TLS heartbeat extension, up to 64k of memory can be revealed to a connected client or server. This may potentially allow an unauthenticated, remote attacker to gain access to sensitive information such as private keys, login passwords, and encryption keys (Secret Keys). As a result of this disclosure of sensitive information, these Secret Keys can potentially be leveraged to decrypt other sensitive information or conduct so-called man-in-the-middle attacks.
References:
Today EMC published two security bulletins. The first one, ESA-2014-026, is a vulnerability I discovered. The second one is related to a standard JBoss vulnerability. JBoss is used by some Documentum components, such as the Documentum Java Method Server and xPlore.
Below is the official bulletin.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EMC Software: All EMC Documentum Content Server versions of 7.0
EMC Software: All EMC Documentum Content Server versions of 6.7 SP2
EMC Software: All EMC Documentum Content Server versions of 6.7 SP1 and earlier
EMC Software: EMC Documentum xPlore versions of 1.2
EMC Software: EMC Documentum xPlore versions of 1.3
The EMC Documentum products listed above may be vulnerable to a remote code execution vulnerability.
EMC Documentum Content Server and xPlore embed JBoss servlets (JMXInvokerServlet and EJBInvokerServlet). These JBoss servlets are vulnerable to a remote code execution vulnerability. The vulnerability may be exploited to execute remote code with NT AUTHORITY\SYSTEM privileges. The affected JBoss servlets are not required for either Documentum Content Server’s or xPlore’s functionality.
See http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0874 for more details.
EMC strongly recommends that all customers upgrade to one of the versions listed below, or apply the workaround for all other affected versions, at the earliest opportunity. The following products contain the resolution to this issue:
EMC Documentum Content Server version 7.1
EMC Documentum Content Server version 7.0 P13 and later
EMC Documentum Content Server version 6.7 SP2 P12
EMC Documentum Content Server version 6.7 SP1 P24
EMC Documentum xPlore version 1.4
EMC Documentum xPlore version 1.2 P25 and later
Workaround for all other affected versions of Documentum Content Server and xPlore:
Stop the “Java Method Server” service.
Open <DOCUMENTUM install dir>\jboss5.1.0\server\DctmServer_MethodServer\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml.
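Whether the workaround above has actually been applied can be checked by reading that web.xml and reporting which invoker servlet mappings are still reachable without a security constraint. This is an added audit helper, not EMC’s workaround text: the web.xml content is constructed for the example, and the rule "protected means listed in a security-constraint that carries an auth-constraint" is this example’s own conservative interpretation.

```python
"""Audit a JBoss http-invoker web.xml for the JMXInvokerServlet and
EJBInvokerServlet mappings named in the bulletin and report url-patterns
not covered by a <security-constraint> with an <auth-constraint>.
Added example, not EMC's workaround; the sample web.xml is constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, List

INVOKER_SERVLETS = {"JMXInvokerServlet", "EJBInvokerServlet"}


def _local(tag: str) -> str:
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _texts(parent: ET.Element, name: str) -> List[str]:
    """All text values of descendants named `name` (namespace-agnostic)."""
    return [e.text.strip() for e in parent.iter() if _local(e.tag) == name and e.text]


def audit_invoker_webxml(xml_text: str) -> Dict[str, List[str]]:
    """Return {servlet-name: [unprotected url-patterns]} for invoker servlets.

    A url-pattern counts as protected only if a security-constraint that
    has an auth-constraint lists the same pattern verbatim; this may
    over-report (e.g. a broader /* constraint) but never under-reports."""
    root = ET.fromstring(xml_text)
    protected = set()
    for sc in root.iter():
        if _local(sc.tag) == "security-constraint" and any(
            _local(c.tag) == "auth-constraint" for c in sc.iter()
        ):
            protected.update(_texts(sc, "url-pattern"))
    findings: Dict[str, List[str]] = {}
    for sm in root.iter():
        if _local(sm.tag) != "servlet-mapping":
            continue
        names = _texts(sm, "servlet-name")
        if not names or names[0] not in INVOKER_SERVLETS:
            continue
        exposed = [p for p in _texts(sm, "url-pattern") if p not in protected]
        if exposed:
            findings.setdefault(names[0], []).extend(exposed)
    return findings


# Constructed sample: EJB invoker constrained, JMX invoker left open.
SAMPLE_WEBXML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
 <servlet-mapping><servlet-name>JMXInvokerServlet</servlet-name><url-pattern>/JMXInvokerServlet/*</url-pattern></servlet-mapping>
 <servlet-mapping><servlet-name>EJBInvokerServlet</servlet-name><url-pattern>/EJBInvokerServlet/*</url-pattern></servlet-mapping>
 <security-constraint><web-resource-collection><web-resource-name>ejb</web-resource-name><url-pattern>/EJBInvokerServlet/*</url-pattern></web-resource-collection><auth-constraint><role-name>HttpInvoker</role-name></auth-constraint></security-constraint>
</web-app>"""
```

Running `audit_invoker_webxml(SAMPLE_WEBXML)` on the constructed file reports only the JMX mapping; an empty result means every invoker mapping is constrained or removed.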