Security updates available for Adobe Experience Manager | APSB21-82
| Bulletin ID | Date Published | Priority |
|---|---|---|
| APSB21-82 | September 14, 2021 | 2 |
Summary
Adobe has released updates for Adobe Experience Manager (AEM). These updates resolve vulnerabilities rated Important (see Vulnerability details below) and pick up fixed versions of several third-party dependencies.
Affected product versions
| Product | Version | Platform |
|---|---|---|
| Adobe Experience Manager (AEM) | AEM Cloud Service (CS) | All |
| Adobe Experience Manager (AEM) | 6.5.9.0 and earlier versions | All |
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:
| Product | Version | Platform | Priority | Availability |
|---|---|---|---|---|
| Adobe Experience Manager (AEM) | AEM Cloud Service (CS) | All | 2 | Release Notes |
| Adobe Experience Manager (AEM) | 6.5.10.0 | All | 2 | AEM 6.5 Service Pack Release Notes |
Customers running on Adobe Experience Manager’s Cloud Service will automatically receive updates that include new features as well as security and functionality bug fixes.
Please contact Adobe customer care for assistance with AEM versions 6.4, 6.3 and 6.2.
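The affected/fixed boundary above is numeric, not textual: "6.5.10.0" sorts before "6.5.9.0" as a string, so a naive string comparison will report a patched instance as vulnerable. The following Python is an added example (not Adobe's code and not part of this bulletin) that parses an AEM version string into integers and classifies it against the versions this bulletin names. The version string itself is whatever you read off the instance; where it comes from (for on-prem AEM, typically the Web Console's product info page) is an assumption outside this bulletin, and the function names are this example's own.

```python
"""Classify an AEM 6.x version against bulletin APSB21-82 (added example, not Adobe code)."""
import re
from typing import Tuple

FIXED_65 = (6, 5, 10, 0)                  # first fixed on-prem release per the Solution table
CUSTOMER_CARE = {(6, 2), (6, 3), (6, 4)}  # bulletin: contact Adobe customer care for these


def parse_version(text: str) -> Tuple[int, ...]:
    """'6.5.9.0' -> (6, 5, 9, 0); shorter strings such as '6.5.9' are zero-padded to four parts."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+){1,3}", text):
        raise ValueError(f"unrecognised AEM version string: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))


def classify(version: str) -> str:
    """Return 'affected', 'patched', 'contact-adobe' (6.2/6.3/6.4) or 'not-covered'.

    'not-covered' means the bulletin lists no fix or status for that major.minor;
    it is not a statement that such a version is safe.
    """
    v = parse_version(version)
    if v[:2] in CUSTOMER_CARE:
        return "contact-adobe"
    if v[:2] != (6, 5):
        return "not-covered"
    # Tuple comparison is element-wise on integers, so (6,5,10,0) > (6,5,9,0) as intended.
    return "patched" if v >= FIXED_65 else "affected"


if __name__ == "__main__":
    for sample in ("6.5.9.0", "6.5.10.0", "6.5.10", "6.4.8.0"):  # constructed sample inputs
        print(f"{sample}: {classify(sample)}")
```

Cloud Service instances are not versioned this way and receive the fix automatically, so the check only applies to the on-prem 6.5 line.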
Vulnerability details
| Vulnerability Category | Vulnerability Impact | Severity | CVSS base score | CVSS vector | CVE Number |
|---|---|---|---|---|---|
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 6.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N | CVE-2021-40711 |
| Improper Input Validation (CWE-20) | Application denial-of-service | Important | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | CVE-2021-40712 |
| Improper Certificate Validation (CWE-295) | Security feature bypass | Important | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | CVE-2021-40713 |
| Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | CVE-2021-40714 |
| Improper Access Control (CWE-284) | Security feature bypass | Important | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | CVE-2021-42725 |
Updates to dependencies
| Dependency | Vulnerability Impact | Affected Versions |
|---|---|---|
| lodash | Arbitrary code execution | AEM CS, AEM 6.5.9.0 and earlier |
| Apache Sling | Path traversal | AEM CS, AEM 6.5.9.0 and earlier |
| Jetty | Denial of service | AEM CS, AEM 6.5.9.0 and earlier |
| jackson-databind | Unchecked allocation of byte buffer | AEM CS, AEM 6.5.9.0 and earlier |
Acknowledgments
Adobe would like to thank Lorenzo Pirondini (Netcentric, a Cognizant Digital Business) (CVE-2021-40711, CVE-2021-40712) and Eckbert Andresen (CVE-2021-42725) for reporting these issues and for working with Adobe to help protect our customers.
Revisions
September 27, 2021: Updated acknowledgement details for CVE-2021-40711 & CVE-2021-40712.
October 4, 2021: Updated CVSS base score, vector, and Severity for CVE-2021-40711.
October 28, 2021: Added details for CVE-2021-42725.
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.