
Security Alert! eDOCS DM Auto Logon Vulnerability and Hotfix

Brian Podolsky


Today, OpenText announced a hotfix for a critical security vulnerability in the eDOCS DM platform. According to the communication delivered to customers and partners:

The eDOCS DM 5.3.x and 10 Web Services application programming interface (API) contains a security vulnerability that could be exploited to allow a bad actor to programmatically authenticate as any valid eDOCS user and act with permissions and privileges associated with that account if the Allow Auto Logon feature is enabled.

The bad actor could access content, disrupt the system functionality, perform actions attributable to other users' accounts, and further disrupt the eDOCS system.

The hotfix consists of two DLLs that must be updated on each DM server and one DLL that must be updated on every DM client. DM services must be stopped on the server before the server files are replaced, and DM.exe must not be running when the client file is replaced. The hotfix is available in the OpenText Knowledge Center (login required). Order matters: disable Allow Auto Logon before patching the servers, then patch every client, because unpatched clients will not be able to connect properly once Auto Logon is re-enabled. The hotfix also has a prerequisite patch level: the environment must be running eDOCS DM 5.3.0 Patch 5 Rollup 5, DM 5.3.1 Patch 5 or Patch 5 Rollup 1, or eDOCS DM 10. In other words, you must be on the latest patch level of your major release version before the hotfix can be applied.
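The two conditions above (DM.exe not running on a client, DM services stopped on a server) and the need to confirm that every client actually received the new DLL before Auto Logon is switched back on are easy to get wrong across a fleet. The following PowerShell script is an added example written for this post; it is not OpenText's code and is not part of the hotfix. It performs a pre-flight check, records the version and SHA-256 of the files the hotfix will replace, and after the copy verifies that each tracked file changed. The install directory, DLL file names and service names are placeholders (assumptions), because the page does not list them; take the real values from the OpenText hotfix readme.

```powershell
# Added example, not from OpenText or the original post.
# Pre-flight and post-patch verification for an eDOCS DM hotfix that
# replaces DLLs on servers and clients.
# ASSUMED placeholders: $InstallDir, $PatchedFiles and $DmServices are
# fictitious and must be replaced with the values from the hotfix readme.
param(
    [string]$InstallDir   = 'C:\Program Files\OpenText\eDOCS DM',       # assumed path
    [string[]]$PatchedFiles = @('ServerLibA.dll', 'ServerLibB.dll'),   # assumed names
    [string[]]$DmServices   = @('DMService1', 'DMService2'),            # assumed names
    [string]$BaselinePath = "$env:TEMP\edocs-hotfix-baseline.json",
    [switch]$Verify   # run once without -Verify before copying, once with it after
)

function Get-PatchFileState {
    # Version, hash and timestamp of each file the hotfix is expected to replace.
    param([string]$Dir, [string[]]$Files)
    foreach ($f in $Files) {
        $p = Join-Path $Dir $f
        if (-not (Test-Path $p)) { Write-Warning "missing: $p"; continue }
        $item = Get-Item $p
        [pscustomobject]@{
            File    = $f
            Version = $item.VersionInfo.FileVersion
            Sha256  = (Get-FileHash -Path $p -Algorithm SHA256).Hash
            Written = $item.LastWriteTimeUtc
        }
    }
}

if (-not $Verify) {
    # 1. The client DLL cannot be replaced while DM.exe is running.
    if (Get-Process -Name 'DM' -ErrorAction SilentlyContinue) {
        throw 'DM.exe is still running; close it before applying the hotfix.'
    }
    # 2. On a server, the DM services must be stopped before the server DLLs are replaced.
    foreach ($svc in $DmServices) {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($s -and $s.Status -ne 'Stopped') {
            Write-Host "Stopping $svc"
            Stop-Service -Name $svc -Force
            $s.WaitForStatus('Stopped', [timespan]::FromSeconds(60))
        }
    }
    # 3. Record what is on disk now so the copy can be verified afterwards.
    Get-PatchFileState -Dir $InstallDir -Files $PatchedFiles |
        ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath; copy the hotfix DLLs in now."
}
else {
    # After the copy: every tracked file must differ from the recorded baseline.
    $before = Get-Content -Raw $BaselinePath | ConvertFrom-Json
    $after  = Get-PatchFileState -Dir $InstallDir -Files $PatchedFiles
    $unchanged = foreach ($a in $after) {
        $b = $before | Where-Object File -eq $a.File
        if ($b -and $b.Sha256 -eq $a.Sha256) { $a.File }
    }
    if ($unchanged) {
        throw "Hotfix not applied to: $($unchanged -join ', ')"
    }
    $after | Format-Table File, Version, Sha256
    Write-Host 'All tracked files changed; restart the DM services.'
}
```

Run it once without -Verify on each machine before copying the hotfix files, then once with -Verify afterwards; collecting the verification output from every client before re-enabling Allow Auto Logon is what prevents the "clients can no longer connect" situation the advisory warns about.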

If applying the server and client hotfixes is not an option right now, the interim workaround is to disable the Allow Auto Logon system parameter in the environment, since the vulnerability can only be exploited while that feature is enabled. Please note that disabling Auto Logon means users must provide their logon credentials each time they connect to DM.

OpenText announced plans to include this hotfix in eDOCS DM 5.3.1 Patch 6 and eDOCS DM 10 Patch 1, but no release date has been announced. Unless we hear anything different, we are assuming that with this patch, the client patch would be a requirement in order to provide secure connectivity using the Auto Logon feature.