ESA-2014-024: EMC Documentum Digital Asset Manager Blind DQL Injection Vulnerability
EMC Identifier: ESA-2014-024
CVE Identifier: CVE-2014-2503
Severity Rating: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Affected products:
EMC Documentum Digital Asset Manager 6.5 SP3
EMC Documentum Digital Asset Manager 6.5 SP4
EMC Documentum Digital Asset Manager 6.5 SP5
EMC Documentum Digital Asset Manager 6.5 SP6
Summary:
EMC Documentum Digital Asset Manager (DAM) announces a security fix to address Blind DQL (Documentum Query Language) Injection vulnerability.
Details:
The DAM thumbnail proxy server allows unauthenticated users to query objects using a vulnerable URL query string parameter. A malicious attacker can potentially conduct Blind DQL injection attacks using the vulnerable parameter to infer or modify the database contents.
Resolution:
Customers using EMC DAM 6.5 SP3, 6.5 SP4 and 6.5 SP5 should apply the hotfix from the link given under Link to remedies.
Customers using EMC DAM 6.5 SP6 should upgrade to 6.5 SP6 P13 and later as this contains the resolution for this issue.
EMC strongly recommends all customers apply the hotfix or upgrade at the earliest opportunity.
Link to remedies:
The hotfix for EMC DAM 6.5 SP3, 6.5 SP4 and 6.5 SP5 can be downloaded from:
https://emc.subscribenet.com/control/dctm/download?element=3888781
File Name: DQL_Injection_with_DAM_Proxy_Server_HotFix.zip.
Installation instructions are available in the zip file.
EMC DAM 6.5 SP6 P13 and later can be downloaded from:
https://emc.subscribenet.com/control/dctm/download?element=4772311
Read and use the information in this EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact EMC Software Technical Support at 1-877-534-2867.
Product Security Response Center [security_alert@emc.com]