DocuManage Online Dynamic Scan Security Vulnerability Issues (Doc ID 2815528.1)

Last updated on JULY 10, 2023

Applies to:

Goal

On : 6.6.1 version, Documanage Bridge

DocuManage Online dynamic scan security vulnerability issues

As part of the security vulnerability scan process, the Veracode dynamic scan was run for the DocuManage online URL.  The security team reported the issues below.

Per the security standard these open Medium vulnerabilities issues should be fixed within the SLA time.
Out of the following four issues, we see issue 1 as an authentication issue that requires some design changes in the Oracle DocuManage ASP code. We believe the issues 2,3 and 4 may require a fix in the application server or IIS level configuration.

Could you please review the below issues and let us know id Oracle has any solution or patches for these open vulnerabilities.

1. Authentication Issues (CWE 352 Cross-Site Request Forgery (CSRF))
2. Deployment Configuration (CWE 402 Transmission of Private Resources into a New Sphere ('Resource Leak'))
3. Insecure Dependencies (CWE 829 Inclusion of Functionality from Untrusted Control Sphere)
4. Server Configuration (CWE 757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade'))

DocuManage Details:
Docupresentment (IDS) 2.8
Documanage Bridge 3.5.1
Documanage Router version is 6.5.0.5
Documanage Server version is 6.6.0.5
 

The goal of this document is to respond to the request that there be some design changes to address the vulnerability as described in item 1.

Solution

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.