Adobe Security Bulletin

Security updates available for Adobe Experience Manager

Release date: February 9, 2016

Last updated: February 12, 2016

Vulnerability identifier: APSB16-05

Priority: 2

CVE number: CVE-2016-0955, CVE-2016-0956, CVE-2016-0957, CVE-2016-0958

Platform: Windows, Unix, Linux and OS X

Summary

Adobe has released security hot fixes for Adobe Experience Manager. These hot fixes resolve important vulnerabilities that could potentially lead to information disclosure.  

Affected Versions

Product                  | Affected Versions | Platform
-------------------------|-------------------|------------------------------
Adobe Experience Manager | 6.1.0             | Windows, Unix, Linux and OS X
Adobe Experience Manager | 6.0.0             | Windows, Unix, Linux and OS X
Adobe Experience Manager | 5.6.1             | Windows, Unix, Linux and OS X

Solution

Adobe recommends customers with on-premise deployments install the available hot fixes referenced below.  Furthermore, customers should review and implement the steps outlined in the Security Checklists for versions 6.1, 6.0 or 5.6.1.

Product                  | Versions | Priority rating | Availability
-------------------------|----------|-----------------|-------------------
Adobe Experience Manager | 6.1.0    | 2               | Hot fixes (6.1.0)
Adobe Experience Manager | 6.0.0    | 2               | Hot fixes (6.0)
Adobe Experience Manager | 5.6.1    | 2               | Hot fixes (5.6.1)

Please visit the Adobe Experience Manager Help Page for more information on available hot fixes.  

Vulnerability Details

Description                                                                                                                              | CVE           | Download Package
-----------------------------------------------------------------------------------------------------------------------------------------|---------------|------------------
Hot fix 8364 includes a mitigation agent for Java deserialization issues                                                                 | CVE-2016-0958 | Hot fix 8364
Hot fix 8651 resolves a cross-site scripting vulnerability, exclusively affecting version 6.1.0, that could lead to information disclosure | CVE-2016-0955 | Hot fix 8651
Hot fix 6445 resolves an information disclosure vulnerability affecting Apache Sling Servlets Post 2.3.6 and earlier versions             | CVE-2016-0956 | Hot fix 6445
Dispatcher 4.1.5 and higher resolves a URL filter bypass vulnerability that could be used to circumvent dispatcher rules                   | CVE-2016-0957 | Dispatcher 4.1.5
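The dispatcher rules referred to for CVE-2016-0957 are the /filter section of the dispatcher.any configuration file. The following fragment is an added, constructed example (not part of this bulletin and not an Adobe-published configuration) of the deny-by-default layout recommended in the Security Checklists: everything is denied first, then only the paths the site actually needs are allowed. The rule numbers, the /content path and the allowed extensions are assumptions chosen for illustration. Note that a tighter filter configuration is a complement to, not a substitute for, upgrading to Dispatcher 4.1.5 or higher, since the bypass in the bulletin concerns how the filter itself matches URLs.

```text
# Constructed example dispatcher.any /filter section (assumed paths and rule numbers).
# Rules are evaluated in order; the last matching rule decides the request.
/filter
  {
  # Rule 0001: deny everything by default, so anything not explicitly
  # allowed below is rejected at the dispatcher.
  /0001 { /type "deny"  /glob "*" }

  # Rule 0002: allow GET requests for rendered pages under the site's
  # content tree with a fixed set of extensions (assumed values).
  /0002 { /type "allow" /method "GET" /url "/content/*" /extension '(html|json|css|js|png|jpg|gif)' }

  # Rule 0003: allow static client libraries (assumed path).
  /0003 { /type "allow" /method "GET" /url "/etc.clientlibs/*" }

  # Rule 0004: explicitly deny authoring and administration entry points
  # even though the default rule already covers them; an explicit deny
  # survives later, broader allow rules added by mistake.
  /0004 { /type "deny"  /url "/crx/*" }
  /0005 { /type "deny"  /url "/system/*" }
  /0006 { /type "deny"  /url "/bin/*" }
  }
```

After changing the filter, restart the web server hosting the dispatcher module and confirm in the dispatcher log that requests for the denied paths are rejected rather than forwarded to the publish instance.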

Acknowledgments

Adobe would like to thank the following individuals for reporting these issues and for working with Adobe to help protect our customers:

  • Damian Pfammatter of Compass Security Schweiz AG (CVE-2016-0955)
  • Ateeq ur Rehman Khan - Vulnerability Labs (@CyberCrimeNEWS) (CVE-2016-0956)

Revisions

February 12, 2016:

  • Added "and earlier versions" to clarify that CVE-2016-0956 affects Apache Sling Servlets Post 2.3.6 and earlier versions.  
  • Modified the description of CVE-2016-0955 to clarify that only version 6.1.0 is affected. Versions prior to AEM 6.1.0 are not affected by CVE-2016-0955.  
  • Reformatted the Vulnerability Details section in a tabular format and included URLs to the download packages for each hotfix.  

Adobe, Inc.
