Adobe Security Bulletin

Security updates available for Adobe Experience Manager

Release date: December 13, 2016

Last updated: December 14, 2016

Vulnerability identifier: APSB16-42

Priority: 2

CVE number: CVE-2016-7882, CVE-2016-7883, CVE-2016-7884, CVE-2016-7885

Platform: All

Summary

Adobe has released security updates for Adobe Experience Manager. These updates resolve three important input validation issues that could be used in cross-site scripting attacks (CVE-2016-7882, CVE-2016-7883 and CVE-2016-7884), and include an update to protect users from an important Cross-Site Request Forgery vulnerability (CVE-2016-7885).

Affected Versions

Product

Affected Versions

Platform

 

6.2

All

Adobe Experience Manager

6.1

All

 

6.0

All

Solution

Adobe recommends customers with on-premise deployments install the available updates referenced below. Furthermore, customers should review and implement the steps outlined in the Security Checklists for versions 6.26.1 or 6.0.

Product

Versions

Priority rating

Availability

 

6.2

2

Adobe Experience Manager

6.1

2

 

6.0

2

Please contact Adobe customer care for assistance with earlier AEM versions.

Vulnerability Details

Description

CVE

Affected Versions

Download Package

Updates resolve an important input validation issue in WCMDebug filter that could be used in cross-site scripting attacks.

CVE-2016-7882

6.2 and earlier versions

Updates resolve an important input validation issue in create launch Wizard that could be used in cross-site scripting attacks.

CVE-2016-7883

6.2

Updates resolve an important input validation issue in DAM create assets that could be used in cross-site scripting attacks.

CVE-2016-7884

6.1 and earlier versions

Updates in the Jackrabbit component to protect users from Cross-Site Request Forgery.

CVE-2016-7885

6.2 and earlier versions

[0] Note: Hotfix 12444 for 6.1 SP2 is included in AEM 6.1 SP2 CFP2.

Acknowledgments

Adobe would like to thank Daniel Hamid for reporting CVE-2016-7882 and for working with Adobe to help protect our customers.  CVE-2016-7883, CVE-2016-7884 and CVE-2016-7885 were anonymously reported.

Revisions

December 14, 2016: modified the impacted platforms to All (previously stated Windows, Unix, Linux and OS X). Also included a note to clarify that Hotfix 12444 was previously included with AEM 6.1 SP2 CFP2.   

Adobe, Inc.

Dapatkan bantuan lebih cepat dan lebih mudah

Pengguna baru?