-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ESA-2011-016: EMC SourceOne ASP.NET application tracing information
disclosure vulnerability.
EMC Identifier: ESA-2011-016
CVE Identifier: CVE-2011-1424
Severity Rating: CVSS v2 Base Score: 6.8 (AV:N/AC:L/Au:S/C:C/I:N/A:N)
Affected products:
EMC SW: EMC SourceOne Email Management for Microsoft Exchange
6.5.2.3668 (SP2 HF3) and earlier
EMC SW: EMC SourceOne Email Management for Notes/Domino 6.5.2.3668
(SP2 HF3) and earlier
EMC SW: EMC SourceOne Email Management for Microsoft Exchange
6.6.0.1209 (HF1) and earlier
EMC SW: EMC SourceOne Email Management for Notes/Domino 6.6.0.1209
(HF1) and earlier
NOTE: New installations using SourceOne Email Management 6.6 SP1 and
later are not affected by this issue.
This ESA applies only to SourceOne customers using the Mobile
Services component of SourceOne Email Management. The Mobile Services
component is included in the EMC SourceOne Email Management software
kit and is used only in the following environments:
EMC SourceOne Email Management
EMC SourceOne for File Systems
Vulnerability Summary:
EMC SourceOne Email Management may allow the disclosure of
application-sensitive information using ASP.NET Application Tracing
Vulnerability Details:
The ASP.NET application trace is enabled in affected versions of EMC
SourceOne Email Management. This trace file may contain
application-sensitive information that can be accessed by a remote
user. Authentication is required to access the trace file.
Problem Resolution:
A manual change is required on each Microsoft Windows IIS web server
on which EMC SourceOne Mobile Services software is installed. This
manual change is required for all existing installations of affected
versions, even if the server has been upgraded to a non-affected
version. Follow these steps to make the required change:
NOTE: New installations using SourceOne Email Management 6.6 SP1 and
later are not affected by this issue.
At the earliest opportunity, EMC strongly recommends all customers
apply the mitigation steps above to resolve the issue.
For an explanation of Severity Ratings, refer to EMC Knowledgebase
solution emc218831. EMC recommends all customers take into account
both the base score and any relevant temporal and environmental
scores which may impact the potential severity associated with
particular security vulnerability.
EMC Corporation distributes EMC Security Advisories in order to
bring to the attention of users of the affected EMC products
important security information. EMC recommends all users determine
the applicability of this information to their individual situations
and take appropriate action. The information set forth herein is
provided "as is" without warranty of any kind. EMC disclaims all
warranties, either express or implied, including the warranties of
merchantability, fitness for a particular purpose, title and
non-infringement. In no event shall EMC or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
EMC or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of
liability for consequential or incidental damages so the foregoing
limitation may not apply.
EMC Product Security Response Center
[email protected]
http://www.emc.com/contact-us/contact/product-security-response-center.htm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
iEYEARECAAYFAk3NiMsACgkQtjd2rKp+ALy6CwCgy3v/1iNkOawktuot4qMHLO55
LZUAnRxRz5r34ZR2xIdUWWIV1gMqQ/yF
=sx7o
-----END PGP SIGNATURE-----