[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ESA-2014-024: EMC Documentum Digital Asset Manager Blind DQL Injection Vulnerability

To: "'bugtraq@xxxxxxxxxxxxxxxxx'" <bugtraq@xxxxxxxxxxxxxxxxx>, "'dm@xxxxxxxxxxxxxxxxx'" <dm@xxxxxxxxxxxxxxxxx>
Subject: ESA-2014-024: EMC Documentum Digital Asset Manager Blind DQL Injection Vulnerability
From: Security Alert <Security_Alert@xxxxxxx>
Date: Wed, 4 Jun 2014 15:55:36 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2014-024: EMC Documentum Digital Asset Manager Blind DQL Injection 
Vulnerability

EMC Identifier: ESA-2014-024 

CVE Identifier: CVE-2014-2503

Severity Rating: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected products:  

?       EMC Documentum Digital Asset Manager 6.5 SP3
?       EMC Documentum Digital Asset Manager 6.5 SP4
?       EMC Documentum Digital Asset Manager 6.5 SP5
?       EMC Documentum Digital Asset Manager 6.5 SP6


Summary: 

EMC Documentum Digital Asset Manager (DAM) announces a security fix to address 
Blind DQL (Documentum Query Language) Injection vulnerability. 

Details:  

The DAM thumbnail proxy server allows unauthenticated users to query objects 
using a vulnerable URL query string parameter. A malicious attacker can 
potentially conduct Blind DQL injection attacks using the vulnerable parameter 
to infer or modify the database contents.

Resolution: 
   
Customers using EMC DAM 6.5 SP3, 6.5 SP4 and 6.5 SP5 should apply the hotfix 
from the link given under ?Link to remedies?.

Customers using EMC DAM 6.5 SP6 should upgrade to 6.5 SP6 P13 and later as this 
contains the resolution for this issue.

EMC strongly recommends all customers apply the hotfix or upgrade at the 
earliest opportunity.  

Link to remedies:

?       The hotfix for EMC DAM 6.5 SP3, 6.5 SP4 and 6.5 SP5 can be downloaded 
from:
https://emc.subscribenet.com/control/dctm/download?element=3888781
File Name: DQL_Injection_with_DAM_Proxy_Server_HotFix.zip. 
Installation instructions are available in the zip file.
?       EMC DAM 6.5 SP6 P13 and later can be downloaded from:
https://emc.subscribenet.com/control/dctm/download?element=4772311



Read and use the information in this EMC Security Advisory to assist in 
avoiding any situation that might arise from the problems described herein. If 
you have any questions regarding this product alert, contact EMC Software 
Technical Support at 1-877-534-2867.

Product Security Response Center [security_alert@xxxxxxx]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)

iEYEARECAAYFAlOPQPQACgkQtjd2rKp+ALwnKACfcDgdR3ezraBQEkGZDGkov/ir
XLUAoJRWVI9447Xns5IRHc7w+9e/yv8C
=efNd
-----END PGP SIGNATURE-----

Prev by Date: Re: [oss-security] Bug in bash <= 4.3 [security feature bypassed]
Next by Date: [SECURITY] [DSA 2947-1] libav security update
Previous by thread: [CVE-2014-2577] XSS on Transform Foundation Server 4.3.1 and 5.2 from Bottomline Technologies
Next by thread: [SECURITY] [DSA 2947-1] libav security update
Index(es):
- Date
- Thread