-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2012-003: EMC SourceOne Web Search Sensitive Information Disclosure Vulnerability. 

EMC Identifier: ESA-2012-003
 
CVE Identifier: CVE-2011-4142 

Severity Rating: CVSS v2 Base Score: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C) 

Affected products:

EMC SourceOne Email Management 6.5 (6.5.2.3668) (SP2 HF3) and earlier 
EMC SourceOne Email Management 6.6 (6.6.1.2108) (SP1 HF1) and earlier 
EMC SourceOne Email Management 6.7 (6.7.2.0017) (SP2) and earlier 

Notes:  New or upgraded installations using versions 6.8 and later are not affected by this issue. 

Vulnerability Summary: 
A vulnerability exists in EMC SourceOne Web Search in which sensitive user credential information may be exposed.
 
Vulnerability Details: 
EMC SourceOne Web Search contains a vulnerability that may, under certain circumstances, log sensitive user credential information in plain text to the OS log of the web server. This can potentially be exploited by an unprivileged user with access to log information to gain access to the protected SourceOne components.
 
Resolution:

The following EMC SourceOne products contain resolutions to this issue:

EMC SourceOne Web Security Patch 6.5.2.4033 
EMC SourceOne Web Security Patch 6.6.1.2194 
EMC SourceOne Web Security Patch 6.7.2.2033 

A patch, for the appropriate version of the software listed above, should be downloaded from Powerlink and applied to each IIS web server in a customer's deployment. The download includes directions for applying the patch to an IIS web server, depending on which SourceOne components are installed.

EMC strongly recommends all customers download and apply these patches at the earliest opportunity.

Link to remedies:

Registered EMC Powerlink customers can download software from Powerlink. Select  Home > Support > Software Downloads and Licensing > Downloads S> SourceOne Email Management.

Because the view is restricted based on customer agreements, you may not have permission to view certain downloads. Should you not see a software download you believe you should have access to, follow the instructions in EMC Knowledgebase solution emc116045.
 
For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability. 

EMC Corporation distributes EMC Security Advisories in order to bring to the attention of users of the affected EMC products important security information. EMC recommends all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall EMC or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. 
 
 
EMC Product Security Response Center
Security_Alert@EMC.com
http://www.emc.com/contact-us/contact/product-security-response-center.htm
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)

iEYEARECAAYFAk8VtfEACgkQtjd2rKp+ALyOdACgu+VlRdZbfzCWVDfXMqGTUoud
5nMAn0azNEfvDeV0/mAM7yuAPXmGNvsJ
=CqDF
-----END PGP SIGNATURE-----