Today EMC published two security bulletins. The first one, the ESA-2014-026, is a vulnerability I discovered. The second one is related to a standard Jboss vulnerability. Jboss is used for some Documentum component like Documentum Java Method Server and xPlore.
Below the official bulletin.
| ESA-2014-023 | |
| CVE-2012-0874 | |
| CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |
| EMC Software: All EMC Documentum Content Server versions of 7.0 EMC Software: All EMC Documentum Content Server versions of 6.7 SP2 EMC Software: All EMC Documentum Content Server versions of 6.7 SP1 and earlier EMC Software: EMC Documentum xPlore versions of 1.2 EMC Software: EMC Documentum xPlore versions of 1.3 |
|
| EMC Documentum products listed above may be vulnerable to remote code execution vulnerability. | |
| EMC Documentum Content Server and xPlore embed JBoss servlets (JMXInvokerServlet and EJBInvokerServlet). These JBOSS servlets are vulnerable to remote code execution vulnerability. The vulnerability may be exploited to execute remote code with NT AUTHORITY\SYSTEM privileges.Affected JBOSS servlets are not required for either Documentum Content Server or xPlore’s functionality.
See http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0874 for more details. |
|
EMC strongly recommends all customers upgrade to one of the versions listed below or apply the workaround for all other affected versions at the earliest opportunity.The following products contain the resolution to this issue:
Workaround for all other affected versions of Documentum Content Server and xPlore:
For example: C:\Documentum\jboss5.1.0\server\DctmServer_MethodServer\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml
|
|
| Registered EMC Online Support customers can download patches and software from support.emc.com at:https://support.emc.com/downloads/2732_Documentum-Server | |