Adobe Security Bulletin

Last updated on Dec 29, 2021

Security updates available for Adobe Experience Manager | APSB21-103

Bulletin ID	Date Published	Priority
APSB21-103	December 14, 2021	2

Summary

Adobe has released updates for Adobe Experience Manager (AEM). These updates resolve vulnerabilities rated critical and Important.  Successful exploitation of these vulnerabilities could result in arbitrary code execution and security feature bypass.

Affected product versions

Product	Version	Platform
Adobe Experience Manager (AEM)	AEM Cloud Service (CS)	All
6.5.10.0 and earlier versions	All

Product

Version

Platform

Adobe Experience Manager (AEM)

AEM Cloud Service (CS)

All

6.5.10.0 and earlier versions

All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product	Version	Platform	Priority	Availability
Adobe Experience Manager (AEM)	AEM Cloud Service (CS)	All	2	Release Notes
6.5.11.0	All	2	AEM 6.5 Service Pack Release Notes

Product

Version

Platform

Priority

Availability

Adobe Experience Manager (AEM)

AEM Cloud Service (CS)

All

Release Notes

6.5.11.0

All

AEM 6.5 Service Pack Release Notes

Note:

Customers running on Adobe Experience Manager’s Cloud Service will automatically receive updates that include new features as well as security and functionality bug fixes.

Note:

Please contact Adobe customer care for assistance with AEM versions 6.4, 6.3 and 6.2.

Vulnerability details

Vulnerability Category	Vulnerability Impact	Severity	CVSS base score	CVSS vector	CVE Number
Cross-site Scripting (XSS) (CWE-79)	Arbitrary code execution	Critical	8.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H	CVE-2021-43761
Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)	Arbitrary code execution	Critical	9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	CVE-2021-40722
Improper Input Validation (CWE-20)	Security feature bypass	Important	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N	CVE-2021-43762
Cross-site Scripting (XSS) (CWE-79)	Arbitrary code execution	Critical	8.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H	CVE-2021-43764
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Critical	8.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N	CVE-2021-43765
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Critical	8.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N	CVE-2021-44176
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Critical	8.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N	CVE-2021-44177
Cross-site Scripting (Reflected XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N	CVE-2021-44178

Updates to dependencies

Dependency

Vulnerability Impact

Affected Versions

xmlgraphics

Priviledge escalation

AEM CS 

AEM 6.5.9.0 and earlier 

ionetty

Priviledge escalation

AEM CS 

AEM 6.5.9.0 and earlier 

Acknowledgments

Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:

BASF - CVE-2021-44178, CVE-2021-44177, CVE-2021-44176, CVE-2021-43765, CVE-2021-43764

Lorenzo Pirondini (Netcentric, a Cognizant Digital Business) - CVE-2021-43762
Muh. Azinar Ismail and Adi Satriadharma - CVE-2021-40722

Revisions

December 14th, 2021: Updated acknowledgment for CVE-2021-43762

December 16, 2021: Corrected priority level of bulletin to 2

December 29, 2021: Updated acknowledgement for CVE-2021-40722

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

Adobe

Get help faster and easier

New user?