[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
ESA-2012-003: EMC SourceOne Web Search Sensitive Information Disclosure Vulnerability.
- To: <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: ESA-2012-003: EMC SourceOne Web Search Sensitive Information Disclosure Vulnerability.
- From: <Security_Alert@xxxxxxx>
- Date: Tue, 17 Jan 2012 12:58:14 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ESA-2012-003: EMC SourceOne Web Search Sensitive Information Disclosure
Vulnerability.
EMC Identifier: ESA-2012-003
CVE Identifier: CVE-2011-4142
Severity Rating: CVSS v2 Base Score: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Affected products:
EMC SourceOne Email Management 6.5 (6.5.2.3668) (SP2 HF3) and earlier
EMC SourceOne Email Management 6.6 (6.6.1.2108) (SP1 HF1) and earlier
EMC SourceOne Email Management 6.7 (6.7.2.0017) (SP2) and earlier
Notes: New or upgraded installations using versions 6.8 and later are not
affected by this issue.
Vulnerability Summary:
A vulnerability exists in EMC SourceOne Web Search in which sensitive user
credential information may be exposed.
Vulnerability Details:
EMC SourceOne Web Search contains a vulnerability that may, under certain
circumstances, log sensitive user credential information in plain text to the
OS log of the web server. This can potentially be exploited by an unprivileged
user with access to log information to gain access to the protected SourceOne
components.
Resolution:
The following EMC SourceOne products contain resolutions to this issue:
EMC SourceOne Web Security Patch 6.5.2.4033
EMC SourceOne Web Security Patch 6.6.1.2194
EMC SourceOne Web Security Patch 6.7.2.2033
A patch, for the appropriate version of the software listed above, should be
downloaded from Powerlink and applied to each IIS web server in a customer's
deployment. The download includes directions for applying the patch to an IIS
web server, depending on which SourceOne components are installed.
EMC strongly recommends all customers download and apply these patches at the
earliest opportunity.
Link to remedies:
Registered EMC Powerlink customers can download software from Powerlink. Select
Home > Support > Software Downloads and Licensing > Downloads S> SourceOne
Email Management.
Because the view is restricted based on customer agreements, you may not have
permission to view certain downloads. Should you not see a software download
you believe you should have access to, follow the instructions in EMC
Knowledgebase solution emc116045.
For an explanation of Severity Ratings, refer to EMC Knowledgebase solution
emc218831. EMC recommends all customers take into account both the base score
and any relevant temporal and environmental scores which may impact the
potential severity associated with particular security vulnerability.
EMC Corporation distributes EMC Security Advisories in order to bring to the
attention of users of the affected EMC products important security information.
EMC recommends all users determine the applicability of this information to
their individual situations and take appropriate action. The information set
forth herein is provided "as is" without warranty of any kind. EMC disclaims
all warranties, either express or implied, including the warranties of
merchantability, fitness for a particular purpose, title and non-infringement.
In no event shall EMC or its suppliers be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits
or special damages, even if EMC or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.
EMC Product Security Response Center
Security_Alert@xxxxxxx
http://www.emc.com/contact-us/contact/product-security-response-center.htm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
iEYEARECAAYFAk8VtfEACgkQtjd2rKp+ALyOdACgu+VlRdZbfzCWVDfXMqGTUoud
5nMAn0azNEfvDeV0/mAM7yuAPXmGNvsJ
=CqDF
-----END PGP SIGNATURE-----