Security updates available for Adobe Experience Manager Forms

Release date: May 9, 2017

Vulnerability identifier: APSB17-16

Priority: 2

CVE number: CVE-2017-3067

Platform: Windows, Linux, Solaris and AIX

Summary

Adobe has released security updates for Adobe Experience Manager (AEM) Forms on Windows, Linux, Solaris and AIX. These updates resolve an important  information disclosure vulnerability (CVE-2017-3067) resulting from abuse of the pre-population service in AEM Forms. This issue was resolved by providing administrators with additional controls in the configuration manager to restrict the file paths and protocols used to pre-fill a form. Adobe recommends users apply the available updates using the instructions provided in the "Solution" section below. 

Affected versions

Product Affected version Platform
Adobe Experience Manager Forms

6.2
6.1
6.0

Windows, Linux, Solaris and AIX

Solution

Adobe categorizes these updates with the following priority rating, and recommends customers with on premise deployments install the available updates referenced below with the help of Adobe Marketing Cloud Customer Care team.

Product Fixed version Platform Priority rating Availability
Adobe Experience Manager Forms 6.2 6.2 SP1 CFP3 Windows, Linux, Solaris and AIX
2 Release Notes
Adobe Experience Manager Forms 6.1 6.1 SP2 CFP8 Windows, Linux, Solaris and AIX 2 Release Notes
Adobe Experience Manager Forms 6.0 HotFix 2.0.58 Windows, Linux, Solaris and AIX 2 Release Notes

Vulnerability Details

  • These updates resolve an information disclosure vulnerability (CVE-2017-3067) resulting from abuse of the pre-population service in AEM Forms. This issue was resolved by providing administrators with additional controls in the configuration manager to restrict the file paths and protocols used to pre-fill a form. 

Acknowledgments

Adobe would like to thank Ruben Reusser of headwire.com for reporting (CVE-2017-3067) and for working with Adobe to help protect our customers.