[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ESA-2011-016: EMC SourceOne ASP.NET application tracing information disclosure vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2011-016: EMC SourceOne ASP.NET application tracing information disclosure 
vulnerability.

EMC Identifier: ESA-2011-016

CVE Identifier: CVE-2011-1424

Severity Rating: CVSS v2 Base Score: 6.8 (AV:N/AC:L/Au:S/C:C/I:N/A:N)

Affected products:

EMC SW: EMC SourceOne Email Management for Microsoft Exchange 6.5.2.3668 (SP2 
HF3) and earlier

EMC SW:  EMC SourceOne Email Management for Notes/Domino 6.5.2.3668 (SP2 HF3) 
and earlier

EMC SW: EMC SourceOne Email Management for Microsoft Exchange 6.6.0.1209 (HF1) 
and earlier

EMC SW: EMC SourceOne Email Management for Notes/Domino 6.6.0.1209 (HF1) and 
earlier

NOTE: New installations using SourceOne Email Management 6.6 SP1 and later are 
not affected by this issue.

This ESA applies only to SourceOne customers using the Mobile Services 
component of SourceOne Email Management. The Mobile Services component is 
included in the EMC SourceOne Email Management software kit and is used only in 
the following environments: 
 
EMC SourceOne Email Management
EMC SourceOne for File Systems  

Vulnerability Summary: 
  
EMC SourceOne Email Management may allow the disclosure of 
application-sensitive information using ASP.NET Application Tracing 

Vulnerability Details: 
  
The ASP.NET application trace is enabled in affected versions of EMC SourceOne 
Email Management. This trace file may contain application-sensitive information 
that can be accessed by a remote  user. Authentication is required to access 
the trace file. 

Problem Resolution: 
  
A manual change is required on each Microsoft Windows IIS web server on which 
EMC SourceOne Mobile Services software is installed. This manual change is 
required for all existing installations of affected versions, even if the 
server has been upgraded to a non-affected version. Follow these steps to make 
the required change: 
 
1. Open Windows Explorer and browse to the ExShortcut install directory. By 
default, this directory is the 
SourceOneInstallDrive:\SourceOneInstallDirectory\ExShortcut. 
2. Right click on the Web.config file and click "Open With" then choose 
"Notepad". 
3. Once the document has loaded into Notepad, find the following line:
<trace enabled="true" requestLimit="40" localOnly="false"/>  
4. Change this line so that it is identical to the following:
<trace enabled="false" requestLimit="40" localOnly="true"/>  
5. Save the Web.config document.  

NOTE: New installations using SourceOne Email Management 6.6 SP1 and later are 
not affected by this issue. 
  
At the earliest opportunity, EMC strongly recommends all customers apply the 
mitigation steps above to resolve the issue. 

For an explanation of Severity Ratings, refer to EMC Knowledgebase solution 
emc218831. EMC recommends all customers take into account both the base score 
and any relevant temporal and environmental scores which may impact the 
potential severity associated with particular security vulnerability.

EMC Corporation distributes EMC Security Advisories in order to bring to the 
attention of users of the affected EMC products important security information. 
EMC recommends all users determine the applicability of this information to 
their individual situations and take appropriate action. The information set 
forth herein is provided "as is" without warranty of any kind. EMC disclaims 
all warranties, either express or implied, including the warranties of 
merchantability, fitness for a particular purpose, title and non-infringement. 
In no event shall EMC or its suppliers be liable for any damages whatsoever 
including direct, indirect, incidental, consequential, loss of business profits 
or special damages, even if EMC or its suppliers have been advised of the 
possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages so the 
foregoing limitation may not apply.

EMC Product Security Response Center
Security_Alert@xxxxxxx
http://www.emc.com/contact-us/contact/product-security-response-center.htm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)

iEYEARECAAYFAk3NiMsACgkQtjd2rKp+ALy6CwCgy3v/1iNkOawktuot4qMHLO55
LZUAnRxRz5r34ZR2xIdUWWIV1gMqQ/yF
=sx7o
-----END PGP SIGNATURE-----