Security updates available for Adobe Experience Manager | APSB21-15

| Bulletin ID | Date Published | Priority |
|---|---|---|
| APSB21-15 | May 11, 2021 | 2 |
Summary
Affected product versions

| Product | Version | Platform |
|---|---|---|
| Adobe Experience Manager (AEM) | AEM Cloud Service (CS) | All |
| Adobe Experience Manager (AEM) | 6.5.7.0 and earlier versions | All |
| Adobe Experience Manager (AEM) | 6.4.8.3 and earlier versions | All |
| Adobe Experience Manager (AEM) | 6.3.3.8 and earlier versions | All |
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:
| Product | Version | Platform | Priority | Availability |
|---|---|---|---|---|
| Adobe Experience Manager (AEM) | AEM Cloud Service (CS) | All | 2 | Release Notes |
| Adobe Experience Manager (AEM) | 6.5.8.0 | All | 2 | AEM 6.5 Service Pack Release Notes |
| Adobe Experience Manager (AEM) | 6.4.8.4 | All | 2 | |
Customers running on Adobe Experience Manager’s Cloud Service will automatically receive updates that include new features as well as security and functionality bug fixes.
AEM Cumulative Fix Pack 6.4.8.4 is an important update that includes several internal and customer fixes since the general availability of AEM 6.4 Service Pack 8 (6.4.8.0) in March 2020.
Please contact Adobe customer care for assistance with AEM versions 6.3 and 6.2.
Vulnerability details
| Vulnerability Category | Vulnerability Impact | Severity | CVE Number | Affected Versions |
|---|---|---|---|---|
| Improper access control | Application denial-of-service | Important | CVE-2021-21083 | AEM CS; AEM 6.5.7.0 and earlier; AEM 6.4.8.3 and earlier; AEM 6.3.3.8 and earlier |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2021-21084 | AEM CS; AEM 6.5.7.0 and earlier; AEM 6.4.8.3 and earlier; AEM 6.3.3.8 and earlier |
Updates to dependencies

| Dependency | Vulnerability Impact | Affected Versions |
|---|---|---|
| Commons-io | Improper Access Control | AEM CS; AEM 6.5.7.0 and earlier; AEM 6.4.8.3 and earlier; AEM 6.3.3.8 and earlier |
| MetadataExtractor | Uncontrolled Resource Consumption | AEM CS; AEM 6.5.7.0 and earlier; AEM 6.4.8.3 and earlier; AEM 6.3.3.8 and earlier |
| FasterXML Jackson Databind/Core | Remote Code Execution | AEM CS; AEM 6.5.7.0 and earlier; AEM 6.4.8.3 and earlier; AEM 6.3.3.8 and earlier |
| Eclipse Jetty | Improper Access Control | AEM CS; AEM 6.5.7.0 and earlier; AEM 6.4.8.3 and earlier; AEM 6.3.3.8 and earlier |
| Lucene Queryparser | Remote Code Execution | AEM CS; AEM 6.5.7.0 and earlier; AEM 6.4.8.3 and earlier; AEM 6.3.3.8 and earlier |
| Apache XML-RPC | Arbitrary Code Execution | AEM CS; AEM 6.5.7.0 and earlier; AEM 6.4.8.3 and earlier; AEM 6.3.3.8 and earlier |
| Zip4j | Arbitrary Code Execution | AEM CS; AEM 6.5.7.0 and earlier; AEM 6.4.8.3 and earlier; AEM 6.3.3.8 and earlier |
| Apache Directory LDAP API | Improper Access Control | AEM CS; AEM 6.5.7.0 and earlier; AEM 6.4.8.3 and earlier; AEM 6.3.3.8 and earlier |
| Apache Sling | Improper Access Control | AEM CS; AEM 6.5.7.0 and earlier; AEM 6.4.8.3 and earlier; AEM 6.3.3.8 and earlier |
| Apache Felix | Arbitrary Code Execution | AEM CS; AEM 6.5.7.0 and earlier; AEM 6.4.8.3 and earlier; AEM 6.3.3.8 and earlier |
| Apache Solr | Improper Read/Write Access | AEM CS; AEM 6.5.7.0 and earlier; AEM 6.4.8.3 and earlier; AEM 6.3.3.8 and earlier |
| Apache Tomcat | Improper Access Control | AEM CS; AEM 6.5.7.0 and earlier; AEM 6.4.8.3 and earlier; AEM 6.3.3.8 and earlier |
| jQuery | Arbitrary Code Execution | AEM CS; AEM 6.5.7.0 and earlier; AEM 6.4.8.3 and earlier; AEM 6.3.3.8 and earlier |
Acknowledgments
Adobe would like to thank Thomas Hartmann from netcentric (CVE-2021-21083) for reporting both issues and for working with Adobe to help protect our customers.