CVE-2014-2507 consequences

CVE-2014-2507 (actually it’s still not fixed, technically CVE-2014-2506 is not fixed too, surprise!):

Certain methods in Documentum Content Server perform improper validation checks on input arguments. This may potentially be exploited by an authenticated malicious user to conduct shell injection attacks against these methods and perform unauthorized actions on Content Server.

Weird situation, “certain methods” were vulnerable, but fix is related to Content Server, not methods, that forces customers to perform upgrades.

How does fix for CVE-2014-2507 work?

Now Content Server bans certain (16) characters (line feed, carriage return, dollar sign, percent sign, ampersand, parentheses, asterisk, semicolon, less/greater-than signs, question mark, caret, grave accent, vertical bar and tilde) if they occur in arguments for non-jms docbase method:

API> ?,c,execute do_method with method='dm_JMSAdminConsole',arguments='>'
    "The arguments being passed to the method 'dm_JMSAdminConsole' 
    are invalid: arguments contain special characters which are not allowed."

What is the problem in such behaviour?

dm_event_sender docbase method, which is written on dmbasic, is so widely used, that now you may receive random errors in surprising situations. For example, is somebody have subscribed to receive notification about object’s changes and object has special characters in object name, some object operations may fail:

Benign code:

IDfSysObject object = (IDfSysObject) session.newObject("dm_sysobject");
object.setObjectName("test (1)");;
object.registerEvent(null, "dm_unlock", 0, true);


Exception in thread "main" DfException:: THREAD: main; MSG: [DM_METHOD_E_METHOD_ARGS_INVALID]error:  "The arguments being passed to the method 'dm_event_sender' are invalid: arguments contain special characters which are not allowed."; ERRORCODE: 100; NEXT: null
	at com.documentum.fc.client.impl.docbase.DocbaseExceptionMapper.newException(
	at com.documentum.fc.client.impl.connection.docbase.MessageEntry.getException(
	at com.documentum.fc.client.impl.connection.docbase.DocbaseMessageManager.getException(
	at com.documentum.fc.client.impl.connection.docbase.netwise.NetwiseDocbaseRpcClient.checkForMessages(
	at com.documentum.fc.client.impl.connection.docbase.netwise.NetwiseDocbaseRpcClient.applyForBool(
	at com.documentum.fc.client.impl.connection.docbase.DocbaseConnection$1.evaluate(
	at com.documentum.fc.client.impl.connection.docbase.DocbaseConnection.evaluateRpc(
	at com.documentum.fc.client.impl.connection.docbase.DocbaseConnection.applyForBool(
	at com.documentum.fc.client.impl.docbase.DocbaseApi.sysObjUnlock(
	at com.documentum.fc.client.DfSysObject.doCancelCheckout(
	at com.documentum.fc.client.DfSysObject.cancelCheckout(

As well, CS fails to send workflow notifications if name of workflow activity contains “special” characters; if user’s name contains special character that user never receives notification on e-mail; to set ldap password DA uses replicate_setup_methods docbase method, which is written on dmbasic, so “special” characters mentioned above are not allowed in ldap setup; dm_ContentWarning and dm_DBWarning jobs use percent sign in notifications; etc, etc.

6 thoughts on “CVE-2014-2507 consequences

  1. Pingback: E-mail notifications | Documentum in a (nuts)HELL
  2. Pingback: CVE-2014-2507 consequences. Part II | Documentum in a (nuts)HELL
  3. Pingback: What makes api/dmbasic suck | Documentum in a (nuts)HELL
  4. Pingback: D2 remote code execution | Documentum in a (nuts)HELL

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s