[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ESA-2011-022: EMC Documentum eRoom Indexing Server HummingBird Client Connector Buffer Overflow Vulnerability

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: ESA-2011-022: EMC Documentum eRoom Indexing Server HummingBird Client Connector Buffer Overflow Vulnerability
From: <Security_Alert@xxxxxxx>
Date: Fri, 15 Jul 2011 13:18:22 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2011-022: EMC Documentum eRoom Indexing Server HummingBird Client Connector 
Buffer Overflow Vulnerability 

EMC Identifier: ESA-2011-022 

CVE Identifier: CVE-2011-1741

Severity Rating: CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Affected products:
EMC Documentum eRoom versions 7.x

Vulnerability Summary:
EMC Documentum eRoom?s Indexing Server contains a buffer overflow vulnerability 
which can be exploited to cause a denial of service, or possibly, arbitrary 
code execution.

Vulnerability Details:
The HummingBird Client Connector (ftserver.exe) used by affected versions of 
EMC Documentum eRoom?s Indexing Server contains a buffer overflow 
vulnerability. The vulnerability may allow a remote unauthenticated user to 
send a specially-crafted message over TCP to cause a denial of service, or 
possibly, execute arbitrary code. 

Problem Resolution: 
The following EMC Documentum eRoom products contain resolutions to this issue. 
The HummingBird Client Connector has been replaced by a new interface which is 
not susceptible to this vulnerability.
?       EMC Documentum eRoom  7.4.3.f.

EMC strongly recommends all customers upgrade at the earliest opportunity.

Link to remedies:
Registered EMC Powerlink customers can download software from Powerlink.
For EMC Documentum eRoom Software, navigate in Powerlink to Home > Support > 
Software Downloads and Licensing > Downloads D > Documentum eRoom

EMC has created an eRoom Sizing Tool with related documentation that helps 
customers with the eRoom deployment sizing process. EMC strongly recommends 
that eRoom Administrators read and understand the provided documentation, run 
the eRoom Sizing Tool and review its results, perform the eRoom 7.4.3 upgrade 
to a test or staging environment, and complete thorough performance testing in 
the test or staging environment prior to a production upgrade. Failure to 
complete these steps may lead to an unplanned eRoom 7.4.3 outage. Refer to EMC 
ETA esg112401 for the details.

Because the view is restricted based on customer agreements, you may not have 
permission to view certain downloads. Should you not see a software download 
you believe you should have access to, follow the instructions in EMC 
Knowledgebase solution emc116045.

Credits:
EMC would like to thank Stephen Fewer of Harmony Security 
(www.harmonysecurity.com)  working with TippingPoint's Zero Day Initiative 
(http://www.zerodayinitiative.com) for reporting this issue.

For explanation of Severity Ratings, refer to EMC Knowledgebase solution 
emc218831. EMC recommends that all customers take into account both the base 
score and any relevant temporal and environmental scores, which may impact the 
potential severity associated with particular security vulnerability. 

EMC Corporation distributes EMC Security Advisories in order to bring to the 
attention of users of the affected EMC products important security information. 
EMC recommends all users determine the applicability of this information to 
their individual situations and take appropriate action. The information set 
forth herein is provided "as is" without warranty of any kind. EMC disclaims 
all warranties, either express or implied, including the warranties of 
merchantability, fitness for a particular purpose, title and non-infringement. 
In no event shall EMC or its suppliers be liable for any damages whatsoever 
including direct, indirect, incidental, consequential, loss of business profits 
or special damages, even if EMC or its suppliers have been advised of the 
possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages so the 
foregoing limitation may not apply. 

EMC Product Security Response Center
Security_Alert@xxxxxxx
http://www.emc.com/contact-us/contact/product-security-response-center.htm




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)

iEYEARECAAYFAk4gdTYACgkQtjd2rKp+ALzvwgCfRra9Q2OjDs9Nq2yvDmdR2WqG
zWIAn2R1lquLRvn9lbXFVFRbu97dJ58L
=j9JX
-----END PGP SIGNATURE-----

Prev by Date: [slackware-security] seamonkey (SSA:2011-195-01)
Next by Date: APPLE-SA-2011-07-15-2 iOS 4.2.9 Software Update for iPhone
Previous by thread: [slackware-security] seamonkey (SSA:2011-195-01)
Next by thread: APPLE-SA-2011-07-15-2 iOS 4.2.9 Software Update for iPhone
Index(es):
- Date
- Thread