[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
OpenText Brava! Enterprise and Brava! Server Components Sensitive Data Exposure
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: OpenText Brava! Enterprise and Brava! Server Components Sensitive Data Exposure
- From: luke.bailiff@xxxxxxxxx
- Date: Wed, 31 Oct 2018 19:18:37 GMT
Vulnerable Application: Brava! Enterprise and Brava! Server Components
Affected Versions: Brava! Enterprise and Brava! Server Components have this as
the default configuration, from Brava! 7.5 to the latest Brava! 16.4 on Windows.
Not Affected Versions: Linux installs do not automatically create the share.
Potential Security Impact: Sensitive Data Exposure
If the files within your implementation are sensitive, this may expose
sensitive data to unauthorized users. Limiting SMB access will help mitigate
this vulnerability as well.
Since the default permissions allow for modify access of the files, there is
some potential against the integrity of the file as the user is viewing it, but
this has not been explored.
Vulnerability Description: During the installation of Brava! Enterprise and
Brava! Server Components, a file share is created on the windows server called
"displaylistcache" with full read and write permissions for the everyone group
at both the NTFS and Share levels. The share is used to retrieve documents for
processing, and to store processed documents for display in the browser. This
is the default behavior of the install. The only required share level access is
read/write by the JobProcessor service account. At the local filesystem level,
the only additional required permissions would be read/write from the servlet
engine (typically Tomcat). The affected server components are not installed
with Content Server by default, and must be installed separately.
Remediation: Review your OpenText install to see if you are affected. If
affected, update permissions on the displaylistcache share and local level to
allow only the servlet engine (typically tomcat) and the JobProcessor service
accounts access.
Vendor declined to update the installer behavior, but has updated their
documentation.
Vendor comment:
Our default Brava! Enterprise/Brava! Server Components installer is intended to
be used as a starting point for implementation within your environment. We do
provide guidelines within our documentation on how to harden the Brava!
Enterprise web application/server and expect that the documentation be reviewed
during installation and configuration. Our documentation does include
information on the requirements of the displaylistcache share, but because each
customer will have different infrastructure-based considerations, which would
be overwhelming to thoroughly document, we only offer general guidance. We
continually evaluate our documentation over time and lately have updated our
"Security Considerations" documentation to add more clarity around the
requirements of a displaylistcache configuration.