Adobe Security Bulletin
Security updates available for Adobe Experience Manager | APSB17-26
| Bulletin ID | Date Published | Priority |
|---|---|---|
| APSB17-26 | August 08, 2017 | 2 |

Summary

Adobe has released security updates for Adobe Experience Manager. These updates resolve an important file type validation vulnerability (CVE-2017-3108) and two moderate information disclosure vulnerabilities (CVE-2017-3107 and CVE-2017-3110).

Affected product versions

| Product | Version | Platform |
|---|---|---|
| Adobe Experience Manager | 6.3, 6.2, 6.1, 6.0 | All |

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

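| Product | Version | Platform | Priority | Availability |
|---|---|---|---|---|
| Adobe Experience Manager | 6.3 | All | 2 | Release note |
| Adobe Experience Manager | 6.2 | All | 2 | Release note |
| Adobe Experience Manager | 6.1 | All | 2 | Release note |
| Adobe Experience Manager | 6.0 | All | 2 | Release note |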

Please contact Adobe customer care for assistance with earlier AEM versions.

Vulnerability details

| Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers | Affected Version | Download Package |
|---|---|---|---|---|---|
| Disclosure of product version number | Information disclosure | Moderate | CVE-2017-3107 | AEM 6.3 and earlier | Hotfix 17203 for 6.0.0; Cumulative Fix Pack for 6.1 SP2 - AEM-6.1-SP2-CFP9; Cumulative Fix Pack for 6.2 SP1 - AEM-6.2-SP1-CFP5; Cumulative Fix Pack for 6.3.0.1 |
| Insufficient file type validation during file upload | Arbitrary code execution attacks | Important | CVE-2017-3108 | AEM 6.2 and earlier | Hotfix 16617 for 6.0.0 version 1.2; Cumulative Fix Pack for 6.1 SP2 - AEM-6.1-SP2-CFP3; Cumulative Fix Pack for 6.2 SP1 - AEM-6.2-SP1-CFP4 |
| Internal Information Disclosure in Output | Information disclosure | Moderate | CVE-2017-3110 | AEM 6.1 and earlier | Hotfix 16005 for 6.0.0.0; Cumulative Fix Pack for 6.1 SP2 - AEM-6.1-SP2-CFP10 |

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

  • Anonymously reported (CVE-2017-3107, CVE-2017-3108, CVE-2017-3110)

Revisions

August 9, 2017: The summary section incorrectly classified CVE-2017-3108 as Moderate. CVE-2017-3108 is rated Important, as noted in the Vulnerability Details table, and the summary section has been corrected.