
CERT Coordination Center

EMC Documentum products contain multiple vulnerabilities

Vulnerability Note VU#315340

Original Release Date: 2014-12-15 | Last Revised: 2017-01-06

Overview

EMC Documentum products including Content Server, D2, and Web Development Kit (WDK) contain multiple vulnerabilities.

Description

EMC Documentum Content Server, D2, and WDK contain numerous vulnerabilities of varying impact. For details, view our spreadsheet. For status from the vendor, please visit https://support.emc.com/docu38558 (requires EMC Online Support credentials). Search by CVE ID and/or ESA ID referenced in the spreadsheet.

The CVSS score below reflects use of backdoor credentials (see VU#184360, VU#695112, and VU#982432 in the spreadsheet).

Impact

The severity of impact varies. Specific examples include information disclosure, privilege escalation, authentication bypass, arbitrary code execution, shell command injection, and unauthorized access via backdoor credentials. Worst-case scenarios allow an attacker to take complete control of a vulnerable system.

Solution

Apply an update

EMC has released updates to address many of the issues in question. For information about specific updates, including discussion about their effectiveness, refer to the spreadsheet.

Vendor Information

EMC Corporation Affected

Notified: April 25, 2014 | Updated: December 16, 2014

Statement Date: December 16, 2014

Status

Affected

Vendor Statement

EMC has been working with CERT on the issues announced in their recent advisory. We have released updates to address many of the issues in question and are investigating others. We will continue to create our remediation plans for open vulnerabilities and provide remedies via security advisories. We encourage our customers to refer to http://support.emc.com for the latest EMC Security Advisories: https://support.emc.com/docu38558 and follow the steps identified in them to protect themselves. Please contact EMC Support for all other questions.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

Group          Score  Vector
Base           10     AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       9      E:POC/RL:ND/RC:C
Environmental  6.7    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Andrey B. Panfilov for reporting these vulnerabilities.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2014-2520, CVE-2014-2518, CVE-2014-4622, CVE-2014-2514, CVE-2014-2507, CVE-2014-2513, CVE-2014-4618, CVE-2014-4626, CVE-2014-2515, CVE-2014-2504, CVE-2014-4629
Date Public: 2014-12-15
Date First Published: 2014-12-15
Date Last Updated: 2017-01-06 15:45 UTC
Document Revision: 50

Sponsored by CISA.