Adobe has become aware of a deserialization vulnerability in the Apache commons-collections library. The vulnerability can lead to Remote Code Execution and impacts customers using Oracle WebLogic, IBM WebSphere, and Red Hat JBoss application servers.
Perform the following steps to fix the vulnerability:
The following table lists the Security Alerts or Advisories that Oracle, IBM, and Red Hat have released for the vulnerability.
Security Alert or Advisory
Red Hat JBoss
Customers using these technologies are advised to obtain the security fixes directly from the application server vendors, and apply them as recommended. Customers using the JBoss turnkey, and not having a support contract with Red Hat, can contact Adobe enterprise support to obtain JBoss patches when the patches are made available by Red Hat.
In Package Share, search for CQ-ALL-hotfix-NPR-8364, click the package, and click Download. Read and accept the license agreement, and click OK. The download starts. Once the download completes, the word Downloaded appears next to the package.
Alternatively, you can use the hyperlink http://t.info.adobesystems.com/r/?id=hb5e38e83,33b182ff,33b688fb to download the package manually.
After the download completes, click Downloaded. You are redirected to Package Manager. In Package Manager, search for the downloaded package, and click Install.
If you downloaded the package manually via the direct link, open Package Manager, click Upload Package, select the downloaded package, and click Upload. After the package is uploaded, click the package name, and click Install. The default URL of Package Manager is http://[server]:[port]/lc/crx/packmgr/index.jsp.
After the package is installed, open the http://[host]:[port]/lc/libs/cq/sercheck/run/tester.html URL in a browser window, and download the notsoserial-[version].jar file.
Copy the downloaded notsoserial-[version].jar file to the server on which AEM forms is deployed.
Ensure that the user running the application server has permission to read and write to the server directory containing the downloaded jar file.
If you are using the Adobe Experience Manager forms document security add-on or LiveCycle Rights Management, then install the applicable quick fix:
Quick Fix
Adobe Experience Manager 6.1 forms feature pack 1
Adobe Experience Manager 6.0 forms Quick Fix 1020-005
LiveCycle ES4 SP1 LiveCycle ES3 SP2 Quick Fix 1058-012