Deserialization vulnerability in the Apache commons-collections library

Log in to the AEM instance as an administrator and open the package share. The default URL of the package share is http://[server]:[port]/crx/packageshare.

In package share, search CQ-ALL-hotfix-NPR-8364, click the package, and click Download. Read and accept the license agreement and click OK. The download starts. Once downloaded, the word Downloaded appears next to the package.

Alternately, you can also use the hyperlink http://t.info.adobesystems.com/r/?id=hb5e38e83,33b182ff,33b688fb to manually download a package.

After the download completes, click Downloaded. You are redirected to package manager.  In the package manager, search the downloaded package, and click Install.  

If you manually download the package via direct link, open the package manager, click Upload Package, select the downloaded package, and click upload. After the package is uploaded, click the package name, and click Install. The default URL of the Package Manager is http://[server]:[port]/lc/crx/packmgr/index.jsp.            

After the package is installed, open the http://[host]:[port]/lc/libs/cq/sercheck/run/tester.htmlURL in the browser window, and download the notsoserial-[version].jar.   

Copy the downloaded notsoserial-[version].jar file to the server which has AEM forms deployed.

Add the following JVM argument to the application server startup script:

-javaagent:[path]/notsoserial-[version]

[path] is the location on the server containing the notsoserial-[version].jar file.

Restart the application server.

Open the http://[host]:[port]/lc/libs/cq/sercheck/run/tester.html URL in a browser window. Ensure that the Serialization Test Results are set to OK.