ESA-2014-180: EMC Documentum Web Development Kit Multiple Vulnerabilities

[Security Alert <Security_Alert@xxxxxxx>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2014-180: EMC Documentum Web Development Kit Multiple Vulnerabilities

EMC Identifier: ESA-2014-180

CVE Identifier: CVE-2014-4635, CVE-2014-4636, CVE-2014-4637, CVE-2014-4638, 
CVE-2014-4639

Severity Rating: See below for individual scores for each CVE

Affected Products:      

All EMC Documentum Web Development Kit (WDK) based clients bundled with version 
6.7 SP2 and earlier:

EMC WebTop 6.7 SP2 and earlier
EMC Documentum Administrator 7.1 and earlier
EMC Records Client 6.7 SP2 and earlier
EMC Digital Assets Manager 6.5 SP6 and earlier
EMC Web Publishers 6.5 SP7 and earlier
EMC Task Space 6.7 SP2 and earlier
EMC Engineering Plant Facilities Management Solution for Documentum  1.7 SP1 
and earlier
EMC Capital Projects 1.9 and earlier

Summary:        

EMC Documentum Web Development Kit (WDK) and WDK-based clients contain multiple 
vulnerabilities that could potentially be exploited by attackers to target the 
affected systems.

Details:        

The vulnerabilities addressed in Documentum WDK 6.8 are:

1. Cross-Site Scripting (CVE-2014-4635)
EMC Documentum WDK and WDK based clients may be affected by multiple cross-site 
scripting vulnerabilities that could potentially be exploited by an attacker to 
inject malicious HTML or scripts. This may lead to execution of malicious code 
in the context of the authenticated user.
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

2. Cross-Site Request Forgery (CVE-2014-4636)
EMC Documentum WDK and WDK based clients may be affected by a cross-site 
request forgery vulnerability. An attacker can potentially exploit this 
vulnerability to trick authenticated users of the application to click on 
specially crafted links that are embedded within an email, web page, or other 
source and perform Docbase operations with that user's privileges.
CVSSv2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

3. URL Redirection (CVE-2014-4637)
EMC Documentum WDK and WDK based clients may be affected by a URL redirection 
vulnerability that may allow attackers to redirect users to arbitrary web sites 
and conduct phishing attacks. The attacker can specify the location of the 
arbitrary site in the un-validated parameter of a crafted URL. If this URL is 
accessed, the browser is redirected to the arbitrary site specified in the 
parameter.
CVSSv2 Base Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

4. Frame Injection (CVE-2014-4638)
EMC Documentum WDK and WDK based clients may be affected by a frame injection 
vulnerability. An attacker can potentially exploit this vulnerability to induce 
a user to navigate to a web page the attacker controls; the attacker's page 
loads a third-party page in an HTML frame. This could result in the attacker 
stealing sensitive information.
CVSSv2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

5. Parameter Generated with Insufficient Randomness (CVE-2014-4639)
EMC Documentum WDK and WDK based clients use a parameter that is being 
generated with insufficient randomness to reference Webtop components. An 
attacker can potentially exploit this vulnerability by predicting the 
parameter, helping the attacker to launch phishing attacks.
CVSSv2 Base Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Resolution:     

EMC Documentum Webtop Version 6.8 contains the resolution to these issues:

This advisory will be updated as EMC certifies other WDK-based clients which 
bundle WDK 6.8.

Link To Remedies:

Registered EMC Online Support customers can download software for their 
respective products by navigating to the link below:

EMC Documentum Webtop Versions 6.8      
https://emc.subscribenet.com/control/dctm/product?child_plneID=685111

EMC Product Security Response Center
security_alert@xxxxxxx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)

iEYEARECAAYFAlSqxTAACgkQtjd2rKp+ALxcNwCeN5QZ8DzN12zhb23k+CPNhnz8
WsMAniIFTTk1FOd+IdkI9A+pdsn/O8r9
=+D8V
-----END PGP SIGNATURE-----