Adobe Security Bulletin

Security updates available for Adobe Experience Manager | APSB19-48

Bulletin ID

Date Published

Priority

APSB19-48

October 15, 2019

2

Summary

Adobe has released security updates for Adobe Experience Manager (AEM). These updates resolve multiple vulnerabilities in AEM versions 6.3, 6.4 and 6.5.  Successful exploitation could result in unauthorized access to the AEM environment.  

Affected product versions

Product

Version

Platform

Adobe Experience Manager

6.5

6.4

6.3

6.2

6.1

6.0

All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product

Version

Platform

Priority

Availability

 

Adobe Experience Manager

6.5

All

2

Releases and Updates

6.4

All

2

Releases and Updates

6.3

All

2

Releases and Updates

Please contact Adobe customer care for assistance with earlier AEM versions.

Vulnerability details

Vulnerability Category

Vulnerability Impact

Severity

CVE Number 

Affected Versions Download Package
Cross-Site Request Forgery Sensitive Information disclosure Important

CVE-2019-8234

 

AEM 6.2

AEM 6.3

AEM 6.4

Cumulative Fix Pack for 6.3 SP3 – AEM-6.3.3.6

Service Pack for 6.4 - AEM-6.4.6.0

Reflected Cross Site Scripting

Sensitive Information disclosure

 

Moderate CVE-2019-8078

AEM 6.2

AEM 6.3

AEM 6.4

Cumulative Fix Pack for 6.3 SP3 – AEM-6.3.3.6

Service Pack for 6.4 - AEM-6.4.6.0

Stored Cross Site Scripting Sensitive Information disclosure Important CVE-2019-8079

AEM 6.0

AEM 6.1

AEM 6.2

AEM 6.3 

AEM 6.4

Cumulative Fix Pack for 6.3 SP3 – AEM-6.3.3.6

Service Pack for 6.4 - AEM-6.4.4.0

Stored Cross Site Scripting Privilege Escalation Important 

CVE-2019-8080

 

AEM 6.3

AEM 6.4

Cumulative Fix Pack for 6.3 SP3 – AEM-6.3.3.6

Service Pack for 6.4 - AEM-6.4.6.0

Authentication Bypass

 

 

Sensitive Information disclosure Important CVE-2019-8081

AEM 6.2

AEM 6.3

AEM 6.4

AEM 6.5 

Cumulative Fix Pack for 6.3 SP3 – AEM-6.3.3.6

Service Pack for 6.4 - AEM-6.4.6.0

Service Pack for 6.5 - AEM-6.5.2.0 

XML External Entity Injection

Sensitive Information disclosure

 

Important CVE-2019-8082

AEM 6.2

AEM 6.3 

AEM 6.4

Cumulative Fix Pack for 6.3 SP3 – AEM-6.3.3.6

Service Pack for 6.4 - AEM-6.4.6.0

Cross Site Scripting

Sensitive Information disclosure

 

Moderate

 

CVE-2019-8083

 

AEM 6.3

AEM 6.4

AEM 6.5

Cumulative Fix Pack for 6.3 SP3 – AEM-6.3.3.6

Service Pack for 6.4 - AEM-6.4.6.0

Service Pack for 6.5 - AEM-6.5.2.0 

Reflected Cross Site Scripting

Sensitive Information disclosure

 

 

Moderate

 

 

 

 

CVE-2019-8084

 

 

AEM 6.2

AEM 6.3

AEM 6.4 

AEM 6.5

Cumulative Fix Pack for 6.3 SP3 – AEM-6.3.3.6

Service Pack for 6.4 - AEM-6.4.5.0

Service Pack for 6.5 - AEM-6.5.2.0 

Reflected Cross Site Scripting

 

 

Sensitive Information disclosure

 

 

Moderate

 

 

 

 

CVE-2019-8085

 

 

AEM 6.2

AEM 6.3

AEM 6.4 

AEM 6.5

Cumulative Fix Pack for 6.3 SP3 – AEM-6.3.3.6

Service Pack for 6.4 - AEM-6.4.5.0

Service Pack for 6.5 - AEM-6.5.2.0 

XML External Entity Injection

 

 

Sensitive Information disclosure

 

 

Important

 

 

CVE-2019-8086

 

 

AEM 6.2

AEM 6.3 

AEM 6.4

AEM 6.5

 

Cumulative Fix Pack for 6.3 SP3 – AEM-6.3.3.6

Service Pack for 6.4 - AEM-6.4.6.0

Service Pack for 6.5 - AEM-6.5.2.0 

XML External Entity Injection

 

 

Sensitive Information disclosure

 

Important

 

 

CVE-2019-8087

 

 

AEM 6.2

AEM 6.3 

AEM 6.4

AEM 6.5

Cumulative Fix Pack for 6.3 SP3 – AEM-6.3.3.6

Service Pack for 6.4 - AEM-6.4.6.0

Service Pack for 6.5 - AEM-6.5.2.0 

JavaScript Code Injection

 

 

Arbitrary Code Execution

 

 

Critical

 

 

CVE-2019-8088*

 

 

AEM 6.2

AEM 6.3

AEM 6.4

AEM 6.5

 

Cumulative Fix Pack for 6.3 SP3 – AEM-6.3.3.6

Service Pack for 6.4 - AEM-6.4.6.0

Service Pack for 6.5 - AEM-6.5.2.0 

Note:

JavaScript code execution (CVE-2019-8088) impacts version 6.2 only.  Beginning with 6.3, the strictly sandboxed Rhino engine is used to execute JavaScript, which reduces the impact of CVE-2019-8088 to blind Server-Side Request Forgery (SSRF) attacks and denial-of-service (DoS). 

Note:

Note: the packages listed in the table above are the minimum fix packs to address the relevant vulnerability.  For the latest versions, please see the release notes links referenced above.

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:     

  • Mikhail Egorov @0ang3el (CVE-2019-8086, CVE-2019-8087, CVE-2019-8088)

Revisions

October 15, 2019: Updated CVE id from CVE-2019-8077 to CVE-2019-8234.

March 11, 2020: Added a note to clarify that JavaScript code execution (CVE-2019-8088) only impacts AEM 6.2.  

 Adobe

Get help faster and easier

New user?

Adobe MAX 2024

Adobe MAX
The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX

The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX 2024

Adobe MAX
The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX

The Creativity Conference

Oct 14–16 Miami Beach and online