Bullshit security

I always like to read dm_misc: Miscellaneous Documentum Information blog because it is an inexhaustible source of bullshit EMC feeds customers. On last week I have read two funny posts:

Documentum Core Stack Security Status

I’m not sure about EMC’s habits, but in my universe the word “status” means some kind of description of progress on some activity, though it is obvious that EMC’s report would not look so good if they put there something like “we have fixed 10 out of 50 security issues” 🙂 By the way, even that report is a bullshit, for example, let’s take a closer look at ESA-2015-131:

Authenticated Content Server users with sysadmin privileges may potentially escalate their privileges to become a super-user due to improper authorization checks performed on subgroups that exists within the dm_superusers group and other privileged groups. This may potentially be exploited by a malicious attacker to gain unauthorized access to data or to perform unauthorized actions on Content Server. The previous fix for CVE-2014-4622 was incomplete.

Oops…

Authenticated non-privileged Content Server users are allowed to run save RPC commands with super user privileges on arbitrary objects. This is due to improper user authorization checks and object type checks being performed on these objects. This may potentially be exploited by a malicious, authenticated non-privileged user to perform unauthorized actions on Content Server including executing arbitrary code. The previous fix for CVE-2014-2514 was incomplete.

Oops…

Authenticated non-privileged Content Server users are allowed to execute arbitrary code with super user privileges via custom scripts. This is due to improper authorization checks being performed on the objects created. This may potentially be exploited to perform unauthorized actions on Content Server. The previous fix for CVE-2014-2513 was incomplete.

Oops…

The second post is also “related” to ESA-2015-131:

D2 ETA for Read-Only Operations

The problem is 7.2P02 has only one corresponding ESA and this ESA is ESA-2015-131, unfortunately, that ESA does contain nothing about “Content Server security patch (v7.1 P18 and v7.2 P02) shored up the security of the dmr_content object”. What did really happen in 7.2P02?