Bullshit security

I always like to read the dm_misc: Miscellaneous Documentum Information blog because it is an inexhaustible source of the bullshit EMC feeds its customers. Last week I read two funny posts:

Documentum Core Stack Security Status

I’m not sure about EMC’s habits, but in my universe the word “status” means some kind of description of progress on some activity, though it is obvious that EMC’s report would not look so good if they put something like “we have fixed 10 out of 50 security issues” in it 🙂 By the way, even that report is bullshit; for example, let’s take a closer look at ESA-2015-131:

Authenticated Content Server users with sysadmin privileges may potentially escalate their privileges to become a super-user due to improper authorization checks performed on subgroups that exist within the dm_superusers group and other privileged groups. This may potentially be exploited by a malicious attacker to gain unauthorized access to data or to perform unauthorized actions on Content Server. The previous fix for CVE-2014-4622 was incomplete.

Oops…

Authenticated non-privileged Content Server users are allowed to run save RPC commands with super user privileges on arbitrary objects. This is due to improper user authorization checks and object type checks being performed on these objects. This may potentially be exploited by a malicious, authenticated non-privileged user to perform unauthorized actions on Content Server including executing arbitrary code. The previous fix for CVE-2014-2514 was incomplete.

Oops…

Authenticated non-privileged Content Server users are allowed to execute arbitrary code with super user privileges via custom scripts. This is due to improper authorization checks being performed on the objects created. This may potentially be exploited to perform unauthorized actions on Content Server. The previous fix for CVE-2014-2513 was incomplete.

Oops…
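All three advisories describe the same failure pattern: an authorization check that looks at less than it should. The first one is the easiest to illustrate outside Documentum: a check that only inspects a privileged group’s direct member list while real membership is transitive through nested groups. The script below is an added example written for this post, not code from the blog, from EMC or from Content Server; it models groups as a plain dictionary (constructed sample data, hypothetical names apart from dm_superusers) and shows the difference between a direct-membership check and a transitive one, plus an audit that lists users who hold the privilege only through nesting.

```python
from collections import deque

# Constructed sample directory: group name -> set of direct members.
# A member that is itself a key in this dict is a nested group.
# Only "dm_superusers" is a real Documentum group name; every other
# group and user below is invented for this example.
SAMPLE_GROUPS = {
    "dm_superusers": {"dmadmin", "ops_admins"},
    "ops_admins": {"alice", "night_shift"},
    "night_shift": {"bob", "ops_admins"},   # cycle on purpose: must not loop forever
    "dm_sysadmin": {"carol", "ops_admins"},
    "regular_users": {"dave"},
}


def effective_members(groups, group_name):
    """Return every user reachable from group_name through nested groups.

    Breadth-first walk with a visited set, so membership cycles terminate.
    """
    seen_groups = set()
    users = set()
    queue = deque([group_name])
    while queue:
        current = queue.popleft()
        if current in seen_groups:
            continue
        seen_groups.add(current)
        for member in groups.get(current, ()):
            if member in groups:        # nested group: descend into it
                queue.append(member)
            else:                       # leaf entry: an actual user
                users.add(member)
    return users


def is_direct_member(groups, group_name, user):
    """The weak check: only the group's own member list is consulted."""
    return user in groups.get(group_name, ())


def is_effective_member(groups, group_name, user):
    """The correct check: membership through any depth of nesting counts."""
    return user in effective_members(groups, group_name)


def audit_hidden_privilege(groups, privileged_group):
    """Users who hold privileged_group's rights without being listed in it directly.

    These are the accounts a direct-membership check would miss.
    """
    direct_users = {m for m in groups.get(privileged_group, ()) if m not in groups}
    hidden = effective_members(groups, privileged_group) - direct_users
    return sorted(hidden)


if __name__ == "__main__":
    for user in ("dmadmin", "alice", "bob", "carol", "dave"):
        print(f"{user:8} direct={is_direct_member(SAMPLE_GROUPS, 'dm_superusers', user)!s:5} "
              f"effective={is_effective_member(SAMPLE_GROUPS, 'dm_superusers', user)}")
    print("superusers only via nesting:", audit_hidden_privilege(SAMPLE_GROUPS, "dm_superusers"))
```

Run against the sample data, `bob` is never listed in dm_superusers but is an effective superuser two levels down, which is exactly the kind of account the direct check reports as unprivileged. On a real repository the same audit can be fed from the group tables instead of the dictionary; the walk and the visited set stay the same.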

The second post is also “related” to ESA-2015-131:

D2 ETA for Read-Only Operations

The problem is that 7.2P02 has only one corresponding ESA, and that ESA is ESA-2015-131; unfortunately, that ESA contains nothing about “Content Server security patch (v7.1 P18 and v7.2 P02) shored up the security of the dmr_content object”. What really happened in 7.2P02?
