Adobe Security Bulletin

Security hotfixes available for Adobe Experience Manager

Release date: August 9, 2016

Vulnerability identifier: APSB16-27

Priority: 2

CVE number: CVE-2016-4168, CVE-2016-4169, CVE-2016-4170, CVE-2016-4253

Platform: Windows, Unix, Linux and OS X

Summary

Adobe has released security hotfixes for Adobe Experience Manager. These hotfixes resolve two important input validation issues that could be used in cross-site scripting attacks (CVE-2016-4168 and CVE-2016-4170), an important vulnerability in backup functionality that could lead to information disclosure (CVE-2016-4253), and an important vulnerability that could disclose audit log events to unprivileged users (CVE-2016-4169).

Affected Versions

Product                    Affected Versions   Platform
Adobe Experience Manager   6.2                 Windows, Unix, Linux and OS X
Adobe Experience Manager   6.1                 Windows, Unix, Linux and OS X
Adobe Experience Manager   6.0                 Windows, Unix, Linux and OS X
Adobe Experience Manager   5.6.1               Windows, Unix, Linux and OS X

Solution

Adobe recommends that customers with on-premises deployments install the available hotfixes referenced below. Furthermore, customers should review and implement the steps outlined in the Security Checklists for versions 6.2, 6.1, 6.0 or 5.6.1.

Product                    Versions   Priority rating   Availability
Adobe Experience Manager   6.2        2                 Hotfixes (6.2)
Adobe Experience Manager   6.1        2                 Hotfixes (6.1)
Adobe Experience Manager   6.0        2                 Hotfixes (6.0)
Adobe Experience Manager   5.6.1      2                 Hotfixes (5.6.1)

Please visit the Adobe Experience Manager Help Page for more information on available hotfixes.

Vulnerability Details

CVE-2016-4168
  Description:        Hotfixes resolve an input validation issue that could be used in cross-site scripting attacks.
  Affected Versions:  6.1 and earlier versions
  Download Package:   Hotfix 9639 for 6.1
                      Hotfix 10767 for 6.0
                      Hotfix 10764 for 5.6.1

CVE-2016-4169
  Description:        Hotfixes resolve a vulnerability that could potentially disclose audit log events to unprivileged users.
  Affected Versions:  6.2, 6.1 and 6.0
  Download Package:   Hotfix 10956 for 6.2
                      Hotfix 10768 for 6.1
                      Hotfix 10767 for 6.0

CVE-2016-4170
  Description:        Hotfixes resolve an input validation issue that could be used in cross-site scripting attacks.
  Affected Versions:  6.2 and earlier versions
  Download Package:   Hotfix 10936 for 6.2
                      Hotfix 10936 for 6.1
                      Hotfix 10936 for 6.0
                      Hotfix 10936 for 5.6.1

CVE-2016-4253
  Description:        Hotfixes resolve a vulnerability in Backup functionality that could lead to information disclosure.
  Affected Versions:  6.2 and earlier versions
  Download Package:   Hotfix 10870 for 6.2
                      Hotfix 10870 for 6.1
                      Hotfix 10870 for 6.0
                      Hotfix 10870 for 5.6.1

Acknowledgments

Adobe would like to thank the following individuals for reporting these issues and for working with Adobe to help protect our customers:

  • Adam Willard of Raytheon Foreground Security (CVE-2016-4168)
  • Ninad Sarang (@hbkninad) (CVE-2016-4169)
  • Franz Saller (CVE-2016-4170)
  • Kyle Lovett (CVE-2016-4253)