Posted Fri, 13 Apr 2018 20:06:37 GMT by Graham Leggett

Hi all,

In September of last year I reported a security vulnerability involving the Docuware Fulltext Server to Docuware, which in the default configuration bypasses authentication and exposes the complete solr index if you can reach ports 9200 or 8009 with a web browser. Docuware gave the bug number 203945 to the issue. By November Docuware had not created a fix, and so as per the CVE schedule this was disclosed to the bugtraq mailing list as follows:

http://seclists.org/bugtraq/2017/Nov/54

(The link above contains details of the vulnerability and the steps you can take to fix it)


With GDPR a month away, there is much concern at the lack of progress on this issue. Can someone from Docuware confirm when we can expect to see a hotfix for this?


Posted Fri, 20 Apr 2018 12:30:00 GMT by Phil Robson DocuWare Corporation Senior Director Professional Services, Americas

We have reviewed the claim of a security vulnerability in our Fulltext server. When DocuWare is installed on a server running the default configuration of the Windows firewall, the fulltext ports are blocked. That is, there is no access to the fulltext server. Therefore, the only way the fulltext index data can be accessed outside of the DocuWare server is for the firewall to be reconfigured in an insecure manner. DocuWare does not alter firewall configurations in any way. We maintain therefore, that there is no inherent security vulnerability in DocuWare on a Windows server in its default configuration. It is always the responsibility of the system administrator to ensure that their network is secure.
We accept however, that when DocuWare is installed in a multi-server environment, the dispersed DocuWare services require access to the fulltext server. For most, the easy way to achieve this is to simply open the DocuWare ports in the firewalls, or worse still turn the firewalls off altogether. This practice immediately exposes client data to a security risk.

DocuWare does not condone this practice. The system administrator must always follow best practices when allowing specific traffic between servers that is not exposed to any client, either local or remote.
There may well be a further argument that, even with the firewall correctly configured, access to the fulltext server will still be possible when logged in to the server. Again, we would stress that proper security measures must be in place to limit access to any server by other than system administrators.

In order to mitigate the possibility in the future of inexperienced administrators creating a security vulnerability in their DocuWare system we will be modifying our installation package to issue a warning when installing DocuWare. This warning will indicate the need to properly configure firewalls on all servers, and will require the installer to accept the warning before continuing the installation.


Phil Robson
Senior Director Support Americas

Posted Sun, 22 Apr 2018 10:04:54 GMT by Graham Leggett

Unfortunately relying on external software provided by outside parties such as the Windows Firewall to act as a crutch does not close this security hole.

Three ways to fix this are:

- Configure the Apache Tomcat server to bind to localhost only in its default configuration. This is the workaround advice in the advisory.

- Configure the Apache Tomcat server to limit connections from given IP addresses only, defaulting to localhost, using the RemoteAddrValve.

- Configure the Apache Tomcat server to password protect connections using Tomcat's Realm mechanism.

Docuware needs to follow the security advice as documented in Tomcat's security documentation here

https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html

Docuware also needs to properly harden the Tomcat configuration, specifically by removing the unused AJP support exposed on port 8009. It was through this port that all data in Docuware was exposed. (Obviously removing AJP but leaving HTTP exposed on 9200 will not close the hole).
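The Tomcat changes listed in this post, written out as a server.xml fragment. This is an added example for this thread, not DocuWare's shipped configuration and not code from the advisory: the port numbers 9200 and 8009 are the ones named in the thread, while the host names, the 10.0.5.x address range and the remaining attribute values are assumptions for illustration. It shows the first two fixes (loopback binding and RemoteAddrValve) together with the AJP removal; the third fix, a Tomcat Realm with a security-constraint, is configured in web.xml and is not shown here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not DocuWare's server.xml): a Tomcat 9 server.xml trimmed
     to the parts relevant to the advisory. Ports 9200 and 8009 come from the
     thread; everything else here is assumed for illustration. -->
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">

    <!-- BEFORE (weak): an HTTP connector with no "address" attribute listens
         on every interface, so any host that can reach TCP/9200 reaches Solr.
         <Connector port="9200" protocol="HTTP/1.1" connectionTimeout="20000" />

         An AJP connector left in place exposes the same webapps on TCP/8009.
         <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    -->

    <!-- AFTER (hardened), first fix from the post: bind the HTTP connector to
         the loopback address only. Other hosts can no longer reach it
         directly; for a multi-server deployment use the valve below instead
         of a broader bind address. -->
    <Connector port="9200" protocol="HTTP/1.1"
               address="127.0.0.1"
               connectionTimeout="20000" />

    <!-- The AJP connector is simply not declared: if nothing in front of
         Tomcat speaks AJP, port 8009 has no reason to be listening. -->

    <Engine name="Catalina" defaultHost="localhost">
      <!-- Second fix from the post: RemoteAddrValve filters by client IP.
           "allow" is a regular expression matched against the whole client
           address. Loopback is always allowed; the 10.0.5.10-12 range stands
           in for the other DocuWare servers and is an assumed value. -->
      <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|10\.0\.5\.1[0-2]"
             denyStatus="403" />

      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="false">
        <!-- Access log so that rejected requests (403) are visible to the
             administrator rather than silently dropped -->
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>
```

After editing, restart Tomcat and confirm with `netstat -an` (or `ss -ltn` on Linux) that 9200 is bound to 127.0.0.1 only and that nothing is listening on 8009. Binding to loopback is the simplest fix for a single-server install; the valve is the one that still works when, as the earlier reply notes, dispersed DocuWare services on other hosts legitimately need the index, because it admits exactly those hosts without relying on the Windows firewall being left untouched.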


Posted Mon, 23 Apr 2018 21:18:18 GMT by Phil Robson DocuWare Corporation Senior Director Professional Services, Americas

Thank you for your input. It is much appreciated. However, we do not agree with your opinion on this issue.

Phil Robson
Senior Director Support Americas


Posted Sat, 28 Apr 2018 08:02:06 GMT by Graham Leggett

Alas, GDPR compliance is not a matter of opinion. With a breach being found, you are expected to have an independent security consultancy come in and perform an assessment of both the breach as well as the timeliness of your security response, and adopt their recommendations.

Please publish that assessment.

Posted Sat, 28 Apr 2018 20:16:34 GMT by Phil Robson DocuWare Corporation Senior Director Professional Services, Americas

Expected by whom? We are under no legal obligation or expectation and you know it.
GDPR compliancy, as with HIPAA compliancy, is the responsibility of an entity. Software is not certified with such compliancy; practices are. We are an SOC2 and HIPAA compliant company. Usage of our software requires the user to ensure that they remain compliant with security laws prevalent in their various locations. I believe I have outlined DocuWare's position on fulltext security sufficiently at this time.

Thank you for your input.

Phil Robson
Senior Director Support Americas
