Adobe Security Bulletin

Security updates available for Adobe Experience Manager

Release date: December 13, 2016

Last updated: December 14, 2016

Vulnerability identifier: APSB16-42

Priority: 2

CVE number: CVE-2016-7882, CVE-2016-7883, CVE-2016-7884, CVE-2016-7885

Platform: All

Summary

Adobe has released security updates for Adobe Experience Manager. These updates resolve three important input validation issues that could be used in cross-site scripting attacks (CVE-2016-7882, CVE-2016-7883 and CVE-2016-7884), and include an update to protect users from an important Cross-Site Request Forgery vulnerability (CVE-2016-7885).

Affected Versions

Product                   Affected Versions   Platform
Adobe Experience Manager  6.2                 All
Adobe Experience Manager  6.1                 All
Adobe Experience Manager  6.0                 All

Solution

Adobe recommends customers with on-premise deployments install the available updates referenced below. Furthermore, customers should review and implement the steps outlined in the Security Checklists for versions 6.2, 6.1 or 6.0.

Product                   Versions   Priority rating   Availability
Adobe Experience Manager  6.2        2                 Release note
Adobe Experience Manager  6.1        2                 Release note
Adobe Experience Manager  6.0        2                 Release note

Please contact Adobe customer care for assistance with earlier AEM versions.

Vulnerability Details

Description:       Updates resolve an important input validation issue in WCMDebug filter that could be used in cross-site scripting attacks.
CVE:               CVE-2016-7882
Affected Versions: 6.2 and earlier versions
Download Package:  Hotfix 12444 for 6.2
                   Hotfix 12444 for 6.1 SP2 [0]
                   Hotfix 12444 for 6.0 SP3

Description:       Updates resolve an important input validation issue in create launch Wizard that could be used in cross-site scripting attacks.
CVE:               CVE-2016-7883
Affected Versions: 6.2
Download Package:  Hotfix 13062 for 6.2

Description:       Updates resolve an important input validation issue in DAM create assets that could be used in cross-site scripting attacks.
CVE:               CVE-2016-7884
Affected Versions: 6.1 and earlier versions
Download Package:  Cumulative Fix pack for 6.1 SP2
                   Hotfix 13297 for 6.0 SP3

Description:       Updates in the Jackrabbit component to protect users from Cross-Site Request Forgery.
CVE:               CVE-2016-7885
Affected Versions: 6.2 and earlier versions
Download Package:  Hotfix 13547 for 6.2
                   Hotfix 12817 for 6.1
                   Hotfix 12846 for 6.0

[0] Note: Hotfix 12444 for 6.1 SP2 is included in AEM 6.1 SP2 CFP2.

Acknowledgments

Adobe would like to thank Daniel Hamid for reporting CVE-2016-7882 and for working with Adobe to help protect our customers. CVE-2016-7883, CVE-2016-7884 and CVE-2016-7885 were anonymously reported.

Revisions

December 14, 2016: modified the impacted platforms to All (previously stated Windows, Unix, Linux and OS X). Also included a note to clarify that Hotfix 12444 was previously included with AEM 6.1 SP2 CFP2.