Adobe Security Bulletin

Security updates available for Adobe Experience Manager | APSB20-72

Bulletin ID

Date Published

Priority

APSB20-72

December 8, 2020 

2

Summary

Adobe has released updates for Adobe Experience Manager (AEM) and the AEM Forms add-on package. These updates resolve vulnerabilities rated Critical and Important.  

Affected product versions

Product Version Platform

 

 

Adobe Experience Manager (AEM)

AEM Cloud Service (CS)
All
6.5.6.0 and earlier versions
All
6.4.8.2 and earlier versions
All 
6.3.3.8 and earlier versions
All 
6.2 SP1-CFP20 and earlier versions 
All 
AEM Forms add-on 
AEM Forms Service Pack 6 add-on package for AEM 6.5.6.0 
All 
AEM Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 2 (6.4.8.2)
All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product

Version

Platform

Priority

Availability

 

Adobe Experience Manager (AEM) 

AEM Cloud Service (CS)
All 2 Release Notes

6.5.7.0 

All

2

AEM 6.5 Service Pack Release Notes   

6.4.8.3

All

2

AEM 6.4 Cumulative Fix Pack Release Notes  

 

AEM Forms add-on

AEM Forms Service Pack 7
All
2
AEM Forms Releases 
AEM 6.4 Service Pack 8 CFP 3
All 2 AEM Forms Releases
Note:

Customers running on Adobe Experience Manager’s Cloud Service will automatically receive updates that include new features as well as security and functionality bug fixes.  

Note:

Adobe Experience Manager 6.5.7.0 is an important update that includes new features, key customer requested enhancements, and performance, stability, and security improvements released since the general availability of 6.5 release in April 2019.  It can be installed on top of Adobe Experience Manager 6.5.

Note:

AEM Cumulative Fix Pack 6.4.8.3 is an important update that includes several internal and customer fixes since the general availability of AEM 6.4 Service Pack 8 (6.4.8.0) in March 2020. AEM Cumulative Fix Pack 6.4.8.3 is dependent on AEM 6.4 Service Pack 8. Therefore, you must install the AEM Cumulative Fix Pack 6.4.8.3 package after installing AEM 6.4 Service Pack 8.

Note:

Please contact Adobe customer care for assistance with AEM versions 6.3 and 6.2.

Vulnerability details

Vulnerability Category

Vulnerability Impact

Severity

CVE Number 

Affected Versions

Blind server-side request forgery

Sensitive Information Disclosure

Important

CVE-2020-24444

AEM Forms SP6 add-on for AEM 6.5.6.0 and earlier

AEM Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 2 (6.4.8.2) and earlier

Cross-site scripting (stored)

Arbitrary JavaScript execution in the browser

Critical

CVE-2020-24445

AEM CS

AEM 6.5.6.0 and earlier

Updates to dependencies

Dependency
Vulnerability Impact
Affected Versions
Apache Abdera
Resource consumption

AEM CS

AEM 6.5.6.0 and earlier

AEM 6.4.8.2 and earlier

AEM 6.3.3.8 and earlier

Apache Batik
Server-side request forgery

AEM CS

AEM 6.5.6.0 and earlier

AEM 6.4.8.2 and earlier

AEM 6.3.3.8 and earlier

Apache Commons Compress
Resource consumption

AEM CS

AEM 6.5.6.0 and earlier

AEM 6.4.8.2 and earlier

AEM 6.3.3.8 and earlier

Apache OpenNLP
XML external entity (XXE) injection

AEM CS

AEM 6.5.6.0 and earlier

AEM 6.4.8.2 and earlier

AEM 6.3.3.8 and earlier

Apache Sling Scheduler Service
XML external entity (XXE) injection

AEM CS

AEM 6.5.6.0 and earlier

AEM 6.4.8.2 and earlier

AEM 6.3.3.8 and earlier

Apache Xerces2
Resource consumption

AEM CS

AEM 6.5.6.0 and earlier

AEM 6.4.8.2 and earlier

AEM 6.3.3.8 and earlier

CKEditor
Arbitrary JavaScript execution in the browser

AEM CS

AEM 6.5.6.0 and earlier

AEM 6.4.8.2 and earlier

AEM 6.3.3.8 and earlier

Eclipse Jetty
Resource consumption

AEM CS

AEM 6.5.6.0 and earlier

AEM 6.4.8.2 and earlier

AEM 6.3.3.8 and earlier

Google-oauth-client
Improper authorization

AEM CS

AEM 6.5.6.0 and earlier

AEM 6.4.8.2 and earlier

AEM 6.3.3.8 and earlier

Handlebars.js
Prototype pollution

AEM CS

AEM 6.5.6.0 and earlier

AEM 6.4.8.2 and earlier

AEM 6.3.3.8 and earlier

Jackson Mapper
XML external entity (XXE) injection

AEM CS

AEM 6.5.6.0 and earlier

AEM 6.4.8.2 and earlier

AEM 6.3.3.8 and earlier

jQuery
Arbitrary JavaScript execution in the browser

AEM CS

AEM 6.5.6.0 and earlier

AEM 6.4.8.2 and earlier

AEM 6.3.3.8 and earlier

Spring Framework
Directory traversal

AEM CS

AEM 6.5.6.0 and earlier

AEM 6.4.8.2 and earlier

AEM 6.3.3.8 and earlier

Zip4j
Directory traversal

AEM CS

AEM 6.5.6.0 and earlier

AEM 6.4.8.2 and earlier

AEM 6.3.3.8 and earlier

Acknowledgments

Adobe would like to thank Frank Karlstrøm and Kenny Jansson of Storebrand Group, Norway (CVE-2020-24444) for working with Adobe to help protect our customers.

Revisions

January 13, 2021: Removed AEM 6.4.8.2 and 6.3.3.8 from the list of versions impacted by CVE-2020-24445.  

 Adobe

Get help faster and easier

New user?

Adobe MAX 2024

Adobe MAX
The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX

The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX 2024

Adobe MAX
The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX

The Creativity Conference

Oct 14–16 Miami Beach and online