CERT VU:315340
History: Dec 15, 2014 - 12:00 a.m.

EMC Documentum products contain multiple vulnerabilities

2014-12-15 00:00:00
www.kb.cert.org

CVSS2: 9 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C

EPSS: 0.009 Low
Percentile: 82.6%

Overview

EMC Documentum products including Content Server, D2, and Web Development Kit (WDK) contain multiple vulnerabilities.

Description

EMC Documentum Content Server, D2, and WDK contain numerous vulnerabilities of varying impact. For details, view our spreadsheet. For status from the vendor, please visit <https://support.emc.com/docu38558> (requires EMC Online Support credentials). Search by CVE ID and/or ESA ID referenced in the spreadsheet.

The CVSS score below reflects use of backdoor credentials (see VU#184360, VU#695112, and VU#982432 in the spreadsheet).


Impact

The severity of impact varies. Specific examples include information disclosure, privilege escalation, authentication bypass, arbitrary code execution, shell command injection, and unauthorized access via backdoor credentials. Worst-case scenarios allow an attacker to take complete control of a vulnerable system.


Solution

Apply an update

EMC has released updates to address many of the issues in question. For information about specific updates, including discussion about their effectiveness, refer to the spreadsheet.


Vendor Information


EMC Corporation: Affected

Notified: April 25, 2014 Updated: December 16, 2014

Statement Date: December 16, 2014

Status

Affected

Vendor Statement

EMC has been working with CERT on the issues announced in their recent advisory. We have released updates to address many of the issues in question and are investigating others. We will continue to create our remediation plans for open vulnerabilities and provide remedies via security advisories. We encourage our customers to refer to <http://support.emc.com> for the latest EMC Security Advisories: <https://support.emc.com/docu38558> and follow the steps identified in them to protect themselves. Please contact EMC Support for all other questions.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CVSS Metrics

Group          Score  Vector
Base           10     AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       9      E:POC/RL:ND/RC:C
Environmental  6.7    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Andrey B. Panfilov for reporting these vulnerabilities.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2014-2520, CVE-2014-2518, CVE-2014-4622, CVE-2014-2514, CVE-2014-2507, CVE-2014-2513, CVE-2014-4618, CVE-2014-4626, CVE-2014-2515, CVE-2014-2504, CVE-2014-4629
Date Public: 2014-12-15 Date First Published:
