How to Mitigate the Salesforce SSRF Vulnerability in AEM


A Server Side Request Forgery vulnerability has been recently discovered in an AEM path that can be abused to leak IAM instance role credentials from the AWS or Azure instance metadata service. This vulnerability is found within the Salesforce MCM bundle.

A vulnerable AEM instance will return temporary API keys. Those API keys expire within hours and have permissions equivalent to the ManagedServicesBigBearInstance role.

Mitigation Options

Recommended Mitigation - Disable the Salesforce Bundle

The preferred mitigation is to disable Salesforce bundle. To do this, please follow the procedure below:

  1. Go to the Author System Console by browsing to this URL:

    • http://serveraddress:serverip/system/console/bundles
  2. Search for Once you find it, press the stop button in the right hand corner of the bundle to stop it.

  3. Clear the Dispatcher cache by running these commands in the terminal:

    cd /mnt/var/www/html

    After switching to the proper location, clear the cache by running:

    rm -rf ./libs/*
  4. Finally, confirm that the URLs are not returning the key information. You can do this by accessing these two URLs:

    • http://publishurl:pubishport/libs/mcm/salesforce/customer.html%3b%0aa.css?checkType=authorize&authorization_url=
    • http://authorandpublishurl:port/libs/mcm/salesforce/customer.html%3b%0aa.css?checkType=authorize&authorization_url=

Mitigating the Vulnerability in Case You Are Using the SalesForce Integration

First, check whether you are using the AEM Salesforce integration. You can do this by:

  1. Browse to http://serveraddress:serverip/etc/cloudservices/salesforce.html and check whether the dashboard says that the service is enabled or not
  2. Or by running this cURL command:
    1. curl -s -u "admin:$(pass CQ_Admin)" serveraddress:serverport/etc/cloudservices/salesforce.html|grep enabled|wc -l

If the service is running, follow the below procedure to apply the mitigation:

  1. Identify the config file that controls the Dispatcher rules. Generically, you can do this by browsing to /etc/httpd/conf/ and looking for *.any files as shown below:


    Paths and filenames can differ depending on the configuration of your instance.

    cd /etc/httpd/conf/
    cat dispatcher.any
    cat publish-farm.any
  2. Once you identified the file, back it up to antoher location. After that, edit the current file like this:

    cp publish-farm.any publish-farm.any.20180525
    vi publish-farm.any

    Now, add this line to the configuration file:

    /9999 { /type "deny" /glob "GET *libs/mcm/salesforce/customer*" }
  3. Verify the configuration by running:

    apachectl configtest
  4. Run the following commands to restart the httpd service:

    service httpd reload
    service httpd status
  5. Now, clear the Dispatcher cache:

    cd /mnt/var/www/html
    rm -rf ./libs/*
  6. Finally, confirm the URLs are not returning the key information by accessing these URLs:

    • http://publishurl:pubishport/libs/mcm/salesforce/customer.html%3b%0aa.css?checkType=authorize&authorization_url=
    • http://authorandpublishurl:port/libs/mcm/salesforce/customer.html%3b%0aa.css?checkType=authorize&authorization_url=

Another Mitigation Option In Case The Above Fails

If you are using the Salesforce integration but the above mitigation fails, you can alternatively add the following rewrite rule in every VirtualHost section in the dispatcher_conf.any:

  • RewriteRule ^/libs/mcm/salesforce/customer.html* [F]