Vulnerability Note VU#315340
EMC Documentum products contain multiple vulnerabilities
Original Release date: 15 Dec 2014 | Last revised: 17 Dec 2014

Overview
EMC Documentum products including Content Server, D2, and Web Development Kit (WDK) contain multiple vulnerabilities.

Description
EMC Documentum Content Server, D2, and WDK contain numerous vulnerabilities of varying impact. For details, view our spreadsheet.
The CVSS score below reflects use of backdoor credentials (see VU#184360, VU#695112, and VU#982432 in the spreadsheet).

Impact
The severity of impact varies. Specific examples include information disclosure, privilege escalation, authentication bypass, arbitrary code execution, shell command injection, and unauthorized access via backdoor credentials. Worst-case scenarios allow an attacker to take complete control of a vulnerable system.

Solution
Apply an update

EMC has released updates to address many of the issues in question. For information about specific updates, including discussion about their effectiveness, refer to the spreadsheet.

Vendor Information

Vendor | Status | Date Notified | Date Updated
EMC Corporation | Affected | 25 Apr 2014 | 16 Dec 2014

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
Base | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal | 9.0 | E:POC/RL:ND/RC:C
Environmental | 6.7 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

https://docs.google.com/spreadsheets/d/1DiiUPCPvmaliWcfwPSc36y2mDvuidkDKQBWqaIuJi0A/edit?usp=sharing
http://www.emc.com/domains/documentum/index.htm

Credit

Thanks to Andrey B. Panfilov for reporting these vulnerabilities.
This document was written by Joel Land.

Other Information

CVE IDs:
CVE-2014-2520
CVE-2014-2518
CVE-2014-4622
CVE-2014-2514
CVE-2014-2507
CVE-2014-2513
CVE-2014-4618
CVE-2014-4626
CVE-2014-2515
CVE-2014-2504
CVE-2014-4629

Date Public: 15 Dec 2014
Date First Published: 15 Dec 2014
Date Last Updated: 17 Dec 2014
Document Revision: 45
