
DocuManage Online Dynamic Scan Security Vulnerability Issues (Doc ID 2815528.1)

Last updated on OCTOBER 25, 2021

Applies to:

Skywire Documanage - Version 6.6.1 and later
Information in this document applies to any platform.

Goal

On: 6.6.1 version, Documanage Bridge

DocuManage Online dynamic scan security vulnerability issues

As part of the security vulnerability scan process, the Veracode dynamic scan was run for the DocuManage online URL. The security team reported the issues below.

Per the security standard, these open Medium-severity issues should be fixed within the SLA time.
Out of the following four issues, we see issue 1 as an authentication issue that requires some design changes in the Oracle DocuManage ASP code. We believe issues 2, 3 and 4 may require a fix at the application server or IIS configuration level.

Could you please review the issues below and let us know if Oracle has any solution or patches for these open vulnerabilities.

1. Authentication Issues (CWE-352 Cross-Site Request Forgery (CSRF))
2. Deployment Configuration (CWE-402 Transmission of Private Resources into a New Sphere ('Resource Leak'))
3. Insecure Dependencies (CWE-829 Inclusion of Functionality from Untrusted Control Sphere)
4. Server Configuration (CWE-757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade'))

DocuManage Details:
Docupresentment (IDS) 2.8
Documanage Bridge 3.5.1
Documanage Router version is 6.5.0.5
Documanage Server version is 6.6.0.5
 

This document responds to the request for design changes to address the CSRF vulnerability described in item 1.
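The CSRF finding in item 1 concerns state-changing requests that are authorised by the session cookie alone, which the browser attaches to a forged cross-site submission just as it does to a legitimate one. The following Python sketch is an added illustration of that pattern beside the usual design change, a per-session synchronizer token checked in constant time, combined with an Origin header check; it is not DocuManage code and is not the Solution section's fix. The site origin, the Session and Request models and the sample requests are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed origin of the DocuManage site (constructed for this example).
SITE_ORIGIN = "https://documanage.example.com"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Session:
    """Server-side session; the CSRF token is minted once per session."""
    session_id: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal model of an incoming HTTP request (constructed, not an ASP object)."""
    method: str
    origin: Optional[str]          # value of the Origin header, if the browser sent one
    session: Optional[Session]     # session looked up from the cookie, if any
    form: Dict[str, str]


def render_delete_form(session: Session, doc_id: str) -> str:
    """Hardened form: the per-session token is embedded as a hidden field."""
    return (
        '<form method="POST" action="/delete.asp">'
        f'<input type="hidden" name="doc_id" value="{doc_id}">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        "</form>"
    )


def handle_delete_vulnerable(req: Request) -> Tuple[int, str]:
    """CWE-352 pattern: the session cookie alone authorises the state change.

    A page on another origin can submit this form from the victim's browser,
    which attaches the cookie automatically, so the server cannot tell a
    forged request from a legitimate one.
    """
    if req.session is None:
        return 401, "no session"
    return 200, f"deleted {req.form.get('doc_id')}"


def check_csrf(req: Request) -> Tuple[bool, str]:
    """Synchronizer-token check plus Origin check for state-changing requests."""
    if req.method in SAFE_METHODS:
        return True, "safe method"           # safe methods must not change state
    if req.session is None:
        return False, "no session"
    # Browsers send Origin on cross-site POSTs; a foreign origin is rejected outright.
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return False, "origin mismatch"
    submitted = req.form.get("csrf_token")
    if not submitted:
        return False, "missing token"
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(submitted, req.session.csrf_token):
        return False, "token mismatch"
    return True, "ok"


def handle_delete_hardened(req: Request) -> Tuple[int, str]:
    """Same action, refused unless the request carries the session's token."""
    if req.method != "POST":
        return 405, "state change requires POST"
    ok, reason = check_csrf(req)
    if not ok:
        return 403, reason
    return 200, f"deleted {req.form.get('doc_id')}"


if __name__ == "__main__":
    sess = Session("sess-1")
    # Legitimate submission of the server-rendered form.
    legit = Request("POST", SITE_ORIGIN, sess, {"doc_id": "42", "csrf_token": sess.csrf_token})
    # Forged submission from an attacker page; the cookie (session) rides along.
    forged = Request("POST", "https://attacker.example", sess, {"doc_id": "42"})
    print("vulnerable handler, forged request:", handle_delete_vulnerable(forged))
    print("hardened handler, forged request:  ", handle_delete_hardened(forged))
    print("hardened handler, legit request:   ", handle_delete_hardened(legit))
```

The Origin check alone is not sufficient, since older clients and some proxies strip the header, which is why the token check still runs when Origin is absent; the token is bound to the session and regenerated with it, so a token captured from one session does not authorise another.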

Solution




