ESA-2015-013. EMC continues kidding

After my last post, ESA-2015-013 received a completely new text:

Affected Products

  • EMC Software: All EMC Documentum Content Server versions of 7.2
  • EMC Software: All EMC Documentum Content Server versions of 7.1
  • EMC Software: All EMC Documentum Content Server versions of 7.0
  • EMC Software: All EMC Documentum Content Server versions of 6.7 SP2
  • EMC Software: All EMC Documentum Content Server versions prior to 6.7 SP2

Summary
Malicious users could potentially compromise the root encryption key (also called the Application Encryption Key) in EMC Documentum Content Server when Documentum Content Server best practices are not followed.

Details
The root encryption key (AEK) in EMC Documentum Content Server is encrypted using a passphrase (default or user provided) and stored on the file system with operating system’s ACL protection. If best practices to change the default passphrase were not followed during or after installation, privileged users with access to IAPI/IDQL and file system could retrieve the AEK using the default passphrase and access sensitive application information.

Resolution

All customers are strongly advised to change the default passphrase that is used to encrypt the AEK using the dm_crypto_change_passphrase and dm_crypto_boot utilities at the earliest opportunity. Refer to the CS Installation and Administration guides for more details on using these utilities.

Has anybody seen document named “EMC Documentum Content Server Security Best Practices”?

4 thoughts on “ESA-2015-013. EMC continues kidding”

  1. This is the closest you’ll find (from the CS Admin Guide):
    It is strongly recommended that you change the default to a custom passphrase of your choosing.

    Best Practices = Strong recommendations 😛


  2. Pingback: A bit of real security best practice | Documentum in a (nuts)HELL
  3. Pingback: Encryption madness | Documentum in a (nuts)HELL
