Security updates available for Adobe Experience Manager | APSB20-72
| Bulletin ID | Date Published | Priority |
|---|---|---|
| APSB20-72 | December 8, 2020 | 2 |
Summary
Affected product versions
| Product | Version | Platform |
|---|---|---|
| Adobe Experience Manager (AEM) | AEM Cloud Service (CS) | All |
| Adobe Experience Manager (AEM) | 6.5.6.0 and earlier versions | All |
| Adobe Experience Manager (AEM) | 6.4.8.2 and earlier versions | All |
| Adobe Experience Manager (AEM) | 6.3.3.8 and earlier versions | All |
| Adobe Experience Manager (AEM) | 6.2 SP1-CFP20 and earlier versions | All |
| AEM Forms add-on | AEM Forms Service Pack 6 add-on package for AEM 6.5.6.0 | All |
| AEM Forms add-on | AEM Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 2 (6.4.8.2) | All |
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:
| Product | Version | Platform | Priority | Availability |
|---|---|---|---|---|
| Adobe Experience Manager (AEM) | AEM Cloud Service (CS) | All | 2 | Release Notes |
| Adobe Experience Manager (AEM) | 6.5.7.0 | All | 2 | AEM 6.5 Service Pack Release Notes |
| Adobe Experience Manager (AEM) | 6.4.8.3 | All | 2 | |
| AEM Forms add-on | AEM Forms Service Pack 7 | All | 2 | AEM Forms Releases |
| AEM Forms add-on | AEM 6.4 Service Pack 8 CFP 3 | All | 2 | AEM Forms Releases |
Customers running on Adobe Experience Manager’s Cloud Service will automatically receive updates that include new features as well as security and functionality bug fixes.
Adobe Experience Manager 6.5.7.0 is an important update that includes new features, key customer-requested enhancements, and performance, stability, and security improvements released since the general availability of the 6.5 release in April 2019. It can be installed on top of Adobe Experience Manager 6.5.
AEM Cumulative Fix Pack 6.4.8.3 is an important update that includes several internal and customer fixes since the general availability of AEM 6.4 Service Pack 8 (6.4.8.0) in March 2020. AEM Cumulative Fix Pack 6.4.8.3 is dependent on AEM 6.4 Service Pack 8. Therefore, you must install the AEM Cumulative Fix Pack 6.4.8.3 package after installing AEM 6.4 Service Pack 8.
Please contact Adobe customer care for assistance with AEM versions 6.3 and 6.2.
Vulnerability details
| Vulnerability Category | Vulnerability Impact | Severity | CVE Number  | Affected Versions | 
|---|---|---|---|---|
| Blind server-side request forgery | Sensitive Information Disclosure | Important | CVE-2020-24444 | AEM Forms SP6 add-on for AEM 6.5.6.0 and earlier; AEM Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 2 (6.4.8.2) and earlier |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2020-24445 | AEM CS; AEM 6.5.6.0 and earlier |
Updates to dependencies
| Dependency | Vulnerability Impact | Affected Versions |
|---|---|---|
| Apache Abdera | Resource consumption | AEM CS; AEM 6.5.6.0 and earlier; AEM 6.4.8.2 and earlier; AEM 6.3.3.8 and earlier |
| Apache Batik | Server-side request forgery | AEM CS; AEM 6.5.6.0 and earlier; AEM 6.4.8.2 and earlier; AEM 6.3.3.8 and earlier |
| Apache Commons Compress | Resource consumption | AEM CS; AEM 6.5.6.0 and earlier; AEM 6.4.8.2 and earlier; AEM 6.3.3.8 and earlier |
| Apache OpenNLP | XML external entity (XXE) injection | AEM CS; AEM 6.5.6.0 and earlier; AEM 6.4.8.2 and earlier; AEM 6.3.3.8 and earlier |
| Apache Sling Scheduler Service | XML external entity (XXE) injection | AEM CS; AEM 6.5.6.0 and earlier; AEM 6.4.8.2 and earlier; AEM 6.3.3.8 and earlier |
| Apache Xerces2 | Resource consumption | AEM CS; AEM 6.5.6.0 and earlier; AEM 6.4.8.2 and earlier; AEM 6.3.3.8 and earlier |
| CKEditor | Arbitrary JavaScript execution in the browser | AEM CS; AEM 6.5.6.0 and earlier; AEM 6.4.8.2 and earlier; AEM 6.3.3.8 and earlier |
| Eclipse Jetty | Resource consumption | AEM CS; AEM 6.5.6.0 and earlier; AEM 6.4.8.2 and earlier; AEM 6.3.3.8 and earlier |
| Google-oauth-client | Improper authorization | AEM CS; AEM 6.5.6.0 and earlier; AEM 6.4.8.2 and earlier; AEM 6.3.3.8 and earlier |
| Handlebars.js | Prototype pollution | AEM CS; AEM 6.5.6.0 and earlier; AEM 6.4.8.2 and earlier; AEM 6.3.3.8 and earlier |
| Jackson Mapper | XML external entity (XXE) injection | AEM CS; AEM 6.5.6.0 and earlier; AEM 6.4.8.2 and earlier; AEM 6.3.3.8 and earlier |
| jQuery | Arbitrary JavaScript execution in the browser | AEM CS; AEM 6.5.6.0 and earlier; AEM 6.4.8.2 and earlier; AEM 6.3.3.8 and earlier |
| Spring Framework | Directory traversal | AEM CS; AEM 6.5.6.0 and earlier; AEM 6.4.8.2 and earlier; AEM 6.3.3.8 and earlier |
| Zip4j | Directory traversal | AEM CS; AEM 6.5.6.0 and earlier; AEM 6.4.8.2 and earlier; AEM 6.3.3.8 and earlier |
Acknowledgments
Adobe would like to thank Frank Karlstrøm and Kenny Jansson of Storebrand Group, Norway (CVE-2020-24444), and Pankaj Upadhyay (CVE-2020-24445) for working with Adobe to help protect our customers.
Revisions
January 13, 2021: Removed AEM 6.4.8.2 and 6.3.3.8 from the list of versions impacted by CVE-2020-24445.