A Server-Side Request Forgery (SSRF) vulnerability has recently been discovered in an AEM path that can be abused to leak IAM instance role credentials from the AWS or Azure instance metadata service. The vulnerable code lives in the Salesforce MCM bundle.
A vulnerable AEM instance will return temporary API keys. Those API keys expire within hours and have permissions equivalent to the ManagedServicesBigBearInstance role.
The preferred mitigation is to disable the Salesforce bundle. To do this, follow the procedure below:
Go to the Author System Console by browsing to this URL:
- http://serveraddress:serverip/system/console/bundles
Search for com.day.cq.mcm.cq-mcm-salesforce. Once you find it, press the stop button in the right-hand corner of the bundle entry to stop it.
Clear the Dispatcher cache by running these commands in the terminal:
cd /mnt/var/www/html
After switching to that directory, clear the cache by running:
rm -rf ./libs/*
Finally, confirm that the URLs no longer return the key information. You can do this by accessing these two URLs:
First, check whether you are using the AEM Salesforce integration. You can do this by:
If the service is running, follow the below procedure to apply the mitigation:
Identify the config file that controls the Dispatcher rules. Generally, you can do this by browsing to /etc/httpd/conf/ and looking for *.any files as shown below:
Paths and filenames can differ depending on the configuration of your instance.
cd /etc/httpd/conf/
cat dispatcher.any
cat publish-farm.any
Once you have identified the file, back it up to another location. After that, edit the current file like this:
cp publish-farm.any publish-farm.any.20180525
vi publish-farm.any
Now, add this line to the configuration file:
/9999 { /type "deny" /glob "GET *libs/mcm/salesforce/customer*" }
Verify the configuration by running:
apachectl configtest
Run the following commands to reload the httpd service and check its status:
service httpd reload
service httpd status
Now, clear the Dispatcher cache:
cd /mnt/var/www/html
rm -rf ./libs/*
Finally, confirm the URLs are not returning the key information by accessing these URLs:
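As an added example (not part of the original advisory), the following POSIX shell script automates the two checks from the procedure above: that the farm file carries the deny filter for the Salesforce customer path, and that a reply from the Dispatcher counts as blocked (no 2xx status and no instance-metadata credential fields in the body). The function names and the sample .any content are constructed here; real file paths differ per instance.

```shell
#!/bin/sh
# Added example, not from the original advisory: post-mitigation checks for
# the Dispatcher filter and the "confirm the URL is blocked" step.
# Function names and the sample .any content below are constructed; real
# paths (e.g. /etc/httpd/conf/*.any) differ per instance.

# Exit 0 if FILE carries a deny filter whose glob covers libs/mcm/salesforce/customer.
has_salesforce_deny() {
    grep -Eq '/type[[:space:]]+"deny".*/glob[[:space:]]+"[^"]*libs/mcm/salesforce/customer[^"]*"' "$1"
}

# Exit 0 if an HTTP reply (STATUS, BODY) counts as blocked: the Dispatcher must
# not answer 2xx, and the body must not carry instance-metadata credential fields.
response_blocked() {
    status="$1"
    body="$2"
    case "$status" in
        2*) return 1 ;;
    esac
    if printf '%s' "$body" | grep -Eq 'AccessKeyId|SecretAccessKey|"Token"'; then
        return 1
    fi
    return 0
}

# Probe one of the advisory's confirmation URLs through the Dispatcher
# (needs curl and network; not exercised by the self-check below).
# Usage: check_live_url URL
check_live_url() {
    tmp=$(mktemp)
    status=$(curl -s -o "$tmp" -w '%{http_code}' "$1")
    body=$(cat "$tmp")
    rm -f "$tmp"
    response_blocked "$status" "$body"
}

# Constructed sample farm file with the advisory's deny rule added last.
SAMPLE_ANY=$(mktemp)
cat > "$SAMPLE_ANY" <<'EOF'
/filter {
  /0001 { /type "deny"  /glob "*" }
  /0002 { /type "allow" /glob "GET /content*" }
  /9999 { /type "deny" /glob "GET *libs/mcm/salesforce/customer*" }
}
EOF

if has_salesforce_deny "$SAMPLE_ANY"; then
    echo "sample farm file: Salesforce customer deny rule present"
else
    echo "sample farm file: deny rule missing" >&2
fi
```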
If you are using the Salesforce integration but the above mitigation fails, you can alternatively add the following rewrite rule in every VirtualHost section in the dispatcher_conf.any: