On last week something weird had happened – a couple of researches disclosed information about vulnerabilities in Documentum xPression and Documentum WDK applications:
- OpenText Documentum Administrator and Webtop – Open Redirection
- OpenText Documentum Administrator and Webtop – XML External Entity Injection
- OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) – Arbitrary File Read
- OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) – SQL Injection
and these disclosures are qualitatively different from what EMC was publishing previosely – these disclosures had been coordinated. Let’s explain this point. When Documentum was under EMC wing EMC was never published correct/true information about security flaws: they were always underestimating security impact and were never noticing that exploit/PoC were available in the wild, and such behaviour, obviously, had negative impact on customers: customers see that vulnerability impact is medium and prefer do not install security fixes – that is a kind of expected behaviour, because in most cases Documentum updates tend to break a lot of things which previosely work smoothly. But last disclosures are different – they are full and everybody can independently estimate a security impact, so I do see positive changes for Documentum customers after acquisition. On the other hand it is not clear whether acquisition took effect on talented team, because my communication with both EMC and OpenText was not so good – please check my story below.
Long time ago (I believe it was 2012 or 2013) I filed a plenty (more than 20) of security reports related to Webtop and Content Server via EMC customer support channel, they confirmed the existence of vulnerabilities and after a while I was notified that
my vulnerabilities were remediated, but there were a couple of things which shocked me:
- EMC refused to disclose those vulnerabilities, that time I considered such decision as scorn of customers
- some of vulnerabilities weren’t actually remediated – EMC didn’t even try to find a root cause of vulnerability
- some of fixes were breaking a lot of thing – check out D2 story for example
So, I realised that EMC customer support channel didn’t work and opened my cool blog. During next three years I was contacted by EMC reps twicely:
- First time that was Jeron Van Rotterdam (CTO) – he asked to share all my finding for free, though on that time EMC knew about 15 unfixed vulnerabilities in Documentum and I was unable to understand why they requested more, by the way I let him know that if he wanted to collaborate on this topic ECD had to provide contact(s) of qualified SW engineer(s) on EMC side
- Second time that was John O’Melia (SVP) – he had attempted to hire me, and I that time I failed to understand what I was supposed to do there – it was clear they failed to find competent contact and I had no intention of teaching their talented team.
Dialog with OpenText had more promising beginning: 7 months ago I have contacted Muhi S. Majzoub (CTO) regarding security issues in Documentum (like I discovered more than 30 security flaws and I would like to help) and on the same day (technically that was next morning in Australia) I received following from David Goldberg (VP):
Thanks for accepting my LinkedIn request. Mark Barrenechea forwarded the note you sent him to the head of Engineering at OpenText who asked me to reach out to you. We are interested in better understanding the issues you mentioned in your message. Is there more you can tell me?
We got a shot conversation (actually, I didn’t provide information about all security vulnerabilities – it would take a lot my time, I just picked up two most important (CVE-2017-5585 and CVE-2017-5586), in my opinion that was enough to evaluate whether talented team is capable to fix security flaws or not), and the result of that conversation was (un)expected:
Thank you, Andrey
I will pass this on to our Engineering team and we will consider what follow-up is required.
And as you can see, CEO, two VPs and 2000 talented persons are not enough to replace two vulnerable jar files.
As regards to last vulnerability disclosures: the second part of CVE-2017-14524 looks very similar to I perceive the world: response.sendRedirect(String location) and it is XSRF, but the first part is not a XSRF but XSS – if I understood properly the following piece of code in webtop/help/en/default.js is vulnerable:
so I have no idea why two different security vulnerabilities were combined into single CVE, moreover I doubt that XSS was actually remediated – both disclosed test case and description (“open redirect”) are confusing:
So, I think it is clear that OpenText management seems to be much better than EMC was, but, unfortunately, talented team remains the same.