DocuManage Online Dynamic Scan Security Vulnerability Issues
(Doc ID 2815528.1)
Last updated on OCTOBER 25, 2021
Applies to: Skywire Documanage - Version 6.6.1 and later
Information in this document applies to any platform.
On: 6.6.1 version, Documanage Bridge
DocuManage Online dynamic scan security vulnerability issues
As part of the security vulnerability scan process, the Veracode dynamic scan was run for the DocuManage online URL. The security team reported the issues below.
Per the security standard, these open Medium vulnerability issues should be fixed within the SLA time.
Out of the following four issues, we see issue 1 as an authentication issue that requires some design changes in the Oracle DocuManage ASP code. We believe issues 2, 3 and 4 may require a fix at the application server or IIS configuration level.
Could you please review the issues below and let us know if Oracle has any solution or patches for these open vulnerabilities.
1. Authentication Issues (CWE 352 Cross-Site Request Forgery (CSRF))
2. Deployment Configuration (CWE 402 Transmission of Private Resources into a New Sphere ('Resource Leak'))
3. Insecure Dependencies (CWE 829 Inclusion of Functionality from Untrusted Control Sphere)
4. Server Configuration (CWE 757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade'))
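Item 1 (CWE-352) is the one the request says needs a server-side design change rather than a configuration change. The block below is an added illustration of the synchronizer-token check that such a change typically introduces; it is not Oracle's or DocuManage's code, and the key, session ids, hostnames and request shapes in it are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Added example of an anti-CSRF (CWE-352) check for state-changing requests.
# Not DocuManage code: the key, session ids and hostnames are constructed.

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (constructed here)


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Derive the anti-CSRF token for a session as HMAC-SHA256(key, session_id).

    Embedding this token in every state-changing form binds the form to the
    session; a request forged from another site cannot read the token, so it
    fails the check even though the browser attaches the session cookie.
    """
    return hmac.new(key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def validate_request(session_id: str, headers: dict, form: dict,
                     allowed_hosts: set, key: bytes = SERVER_KEY) -> tuple:
    """Validate one state-changing POST. Returns (accepted, reason)."""
    # Check 1 (defence in depth): Origin, or Referer as fallback, must name this site.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False, "missing Origin/Referer header"
    host = origin.split("://", 1)[-1].split("/", 1)[0].lower()
    if host not in allowed_hosts:
        return False, f"cross-origin request from {host}"

    # Check 2: the form must carry the token issued for this session.
    submitted = form.get("csrf_token")
    if not submitted:
        return False, "missing csrf_token"
    expected = issue_csrf_token(session_id, key)
    # Constant-time comparison avoids leaking the token via timing.
    if not hmac.compare_digest(submitted, expected):
        return False, "csrf_token does not match session"
    return True, "ok"


def demo() -> dict:
    """Run the check over constructed requests; returns {case: accepted}."""
    allowed = {"docs.example.test"}          # constructed application host
    sid = "sess-0001"                        # constructed session id
    token = issue_csrf_token(sid)
    same_site = {"Origin": "https://docs.example.test"}
    cases = {
        # Genuine form post from the application itself.
        "legitimate": (same_site, {"csrf_token": token}),
        # Form post that never embedded the token (the pre-fix behaviour).
        "no_token": (same_site, {}),
        # Token issued for a different session.
        "stale_token": (same_site, {"csrf_token": issue_csrf_token("sess-0002")}),
        # Same token, but submitted from another origin.
        "cross_site": ({"Origin": "https://other.example.test"}, {"csrf_token": token}),
    }
    return {name: validate_request(sid, hdrs, body, allowed)[0]
            for name, (hdrs, body) in cases.items()}


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The two checks are independent on purpose: the Origin check rejects most forged requests cheaply, while the per-session token is what actually closes CWE-352 for clients that omit the header. In a real deployment the key would come from protected configuration rather than being generated at process start, and the token would be regenerated on login.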
Docupresentment (IDS) 2.8
Documanage Bridge 3.5.1
Documanage Router version is 220.127.116.11
Documanage Server version is 18.104.22.168
The goal of this document is to respond to the request that there be some design changes to address the vulnerability as described in item 1.