Adobe Security Bulletin

Security updates available for Adobe Experience Manager

Release date: February 9, 2016

Last updated: February 12, 2016

Vulnerability identifier: APSB16-05

Priority: 2

CVE number: CVE-2016-0955, CVE-2016-0956, CVE-2016-0957, CVE-2016-0958

Platform: Windows, Unix, Linux and OS X

Summary

Adobe has released security hot fixes for Adobe Experience Manager. These hot fixes resolve important vulnerabilities that could potentially lead to information disclosure.  

Affected Versions

Product Affected Versions Platform
  6.1.0 Windows, Unix, Linux and OS X
Adobe Experience Manager 6.0.0 Windows, Unix, Linux and OS X
  5.6.1 Windows, Unix, Linux and OS X

Solution

Adobe recommends customers with on-premise deployments install the available hot fixes referenced below.  Furthermore, customers should review and implement the steps outlined in the Security Checklists for versions 6.1, 6.0 or 5.6.1.

Product Versions Priority rating Availability
  6.1.0
2 Hot fixes (6.1.0)
Adobe Experience Manager 6.0.0 2 Hot fixes (6.0)
  5.6.1 2 Hot fixes (5.6.1)

Please visit the Adobe Experience Manager Help Page for more information on available hot fixes.  

Vulnerability Details

Description CVE Download Package
  • Hot fix 8364 includes a Java deserialization issues mitigation agent
CVE-2016-0958

Hot fix for 6.1
Hot fix for 6.0
Hot fix for 5.6.1

  • Hot fix 8651 resolves a cross-site scripting vulnerability - exclusively affecting version 6.1.0 - that could lead to information disclosure
CVE-2016-0955

Hot fix for 6.1

  • Hot fix 6445 resolves an information disclosure vulnerability affecting Apache Sling Servlets Post 2.3.6 and earlier versions
CVE-2016-0956

Hot fix for 6.1
Hot fix for 6.0
Hot fix for 5.6.1

  • Dispatcher 4.1.5 and higher resolves a URL filter bypass vulnerability that could be used to circumvent dispatcher rules
CVE-2016-0957 Dispatcher

Acknowledgments

Adobe would like to thank the following individuals for reporting these issues and for working with Adobe to help protect our customers:

  • Damian Pfammatter of Compass Security Schweiz AG (CVE-2016-0955)
  • Ateeq ur Rehman Khan - Vulnerability Labs (@CyberCrimeNEWS) (CVE-2016-0956)

Revisions

February 12, 2016:

  • Added "and earlier versions" to clarify that CVE-2016-0956 affects Apache Sling Servlets Post 2.3.6 and earlier versions.  
  • Modified the description of CVE-2016-0955 to clarify that only version 6.1.0 is affected. Versions prior to AEM 6.1.0 are not affected by CVE-2016-0955.  
  • Reformatted the Vulnerability Details section in a tabular format and included URLs to the download packages for each hotfix.