-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2014-180: EMC Documentum Web Development Kit Multiple Vulnerabilities

EMC Identifier:  ESA-2014-180

CVE Identifier:  CVE-2014-4635, CVE-2014-4636, CVE-2014-4637, CVE-2014-4638, CVE-2014-4639

Severity Rating: See below for individual scores for each CVE

Affected Products:  

All EMC Documentum Web Development Kit (WDK) based clients bundled with version 6.7 SP2 and earlier:

EMC WebTop 6.7 SP2 and earlier
EMC Documentum Administrator 7.1 and earlier
EMC Records Client 6.7 SP2 and earlier
EMC Digital Assets Manager 6.5 SP6 and earlier
EMC Web Publishers 6.5 SP7 and earlier
EMC Task Space 6.7 SP2 and earlier
EMC Engineering Plant Facilities Management Solution for Documentum  1.7 SP1 and earlier
EMC Capital Projects 1.9 and earlier

Summary:  

EMC Documentum Web Development Kit (WDK) and WDK-based clients contain multiple vulnerabilities that could potentially be exploited by attackers to target the affected systems.

Details:  

The vulnerabilities addressed in Documentum WDK 6.8 are:

1. Cross-Site Scripting (CVE-2014-4635)
EMC Documentum WDK and WDK based clients may be affected by multiple cross-site scripting vulnerabilities that could potentially be exploited by an attacker to inject malicious HTML or scripts. This may lead to execution of malicious code in the context of the authenticated user.
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

2. Cross-Site Request Forgery (CVE-2014-4636)
EMC Documentum WDK and WDK based clients may be affected by a cross-site request forgery vulnerability. An attacker can potentially exploit this vulnerability to trick authenticated users of the application to click on specially crafted links that are embedded within an email, web page, or other source and perform Docbase operations with that user's privileges.
CVSSv2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

3. URL Redirection (CVE-2014-4637)
EMC Documentum WDK and WDK based clients may be affected by a URL redirection vulnerability that may allow attackers to redirect users to arbitrary web sites and conduct phishing attacks. The attacker can specify the location of the arbitrary site in the un-validated parameter of a crafted URL. If this URL is accessed, the browser is redirected to the arbitrary site specified in the parameter.
CVSSv2 Base Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

4. Frame Injection (CVE-2014-4638)
EMC Documentum WDK and WDK based clients may be affected by a frame injection vulnerability. An attacker can potentially exploit this vulnerability to induce a user to navigate to a web page the attacker controls; the attacker's page loads a third-party page in an HTML frame. This could result in the attacker stealing sensitive information.
CVSSv2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

5. Parameter Generated with Insufficient Randomness (CVE-2014-4639)
EMC Documentum WDK and WDK based clients use a parameter that is being generated with insufficient randomness to reference Webtop components. An attacker can potentially exploit this vulnerability by predicting the parameter, helping the attacker to launch phishing attacks.
CVSSv2 Base Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Resolution:  

EMC Documentum Webtop Version 6.8 contains the resolution to these issues:

This advisory will be updated as EMC certifies other WDK-based clients which bundle WDK 6.8.

Link To Remedies:

Registered EMC Online Support customers can download software for their respective products by navigating to the link below:

EMC Documentum Webtop Versions 6.8  https://emc.subscribenet.com/control/dctm/product?child_plneID=685111

EMC Product Security Response Center
security_alert@emc.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)

iEYEARECAAYFAlSqxTAACgkQtjd2rKp+ALxcNwCeN5QZ8DzN12zhb23k+CPNhnz8
WsMAniIFTTk1FOd+IdkI9A+pdsn/O8r9
=+D8V
-----END PGP SIGNATURE-----