-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ESA-2011-022: EMC Documentum eRoom Indexing Server HummingBird Client Connector Buffer Overflow Vulnerability EMC Identifier: ESA-2011-022 CVE Identifier: CVE-2011-1741 Severity Rating: CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) Affected products: EMC Documentum eRoom versions 7.x Vulnerability Summary: EMC Documentum eRoom?s Indexing Server contains a buffer overflow vulnerability which can be exploited to cause a denial of service, or possibly, arbitrary code execution. Vulnerability Details: The HummingBird Client Connector (ftserver.exe) used by affected versions of EMC Documentum eRoom?s Indexing Server contains a buffer overflow vulnerability. The vulnerability may allow a remote unauthenticated user to send a specially-crafted message over TCP to cause a denial of service, or possibly, execute arbitrary code. Problem Resolution: The following EMC Documentum eRoom products contain resolutions to this issue. The HummingBird Client Connector has been replaced by a new interface which is not susceptible to this vulnerability. ? EMC Documentum eRoom 7.4.3.f. EMC strongly recommends all customers upgrade at the earliest opportunity. Link to remedies: Registered EMC Powerlink customers can download software from Powerlink. For EMC Documentum eRoom Software, navigate in Powerlink to Home > Support > Software Downloads and Licensing > Downloads D > Documentum eRoom EMC has created an eRoom Sizing Tool with related documentation that helps customers with the eRoom deployment sizing process. EMC strongly recommends that eRoom Administrators read and understand the provided documentation, run the eRoom Sizing Tool and review its results, perform the eRoom 7.4.3 upgrade to a test or staging environment, and complete thorough performance testing in the test or staging environment prior to a production upgrade. Failure to complete these steps may lead to an unplanned eRoom 7.4.3 outage. Refer to EMC ETA esg112401 for the details. Because the view is restricted based on customer agreements, you may not have permission to view certain downloads. Should you not see a software download you believe you should have access to, follow the instructions in EMC Knowledgebase solution emc116045. Credits: EMC would like to thank Stephen Fewer of Harmony Security (www.harmonysecurity.com) working with TippingPoint's Zero Day Initiative (http://www.zerodayinitiative.com) for reporting this issue. For explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends that all customers take into account both the base score and any relevant temporal and environmental scores, which may impact the potential severity associated with particular security vulnerability. EMC Corporation distributes EMC Security Advisories in order to bring to the attention of users of the affected EMC products important security information. EMC recommends all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall EMC or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. EMC Product Security Response Center Security_Alert (at) EMC (dot) com [email concealed] http://www.emc.com/contact-us/contact/product-security-response-center.h tm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (Cygwin) iEYEARECAAYFAk4gdTYACgkQtjd2rKp+ALzvwgCfRra9Q2OjDs9Nq2yvDmdR2WqG zWIAn2R1lquLRvn9lbXFVFRbu97dJ58L =j9JX -----END PGP SIGNATURE-----