Mitigating Struts 2 Vulnerabilities for Experience Manager Forms
Issue
Critical security vulnerabilities have been reported for Struts 2, a popular open-source web application framework for developing Java EE web applications. The following Experience Manager Forms products have been analyzed for impact:
- Experience Manager Forms Workbench (all versions)
- Experience Manager Forms on OSGi (all versions)
- Experience Manager Forms as a Cloud Service
Resolution
The following table lists the resolution for each impacted version. Use one of the following methods:
NOTE: AEM Forms currently supports versions 6.5.13.0 through 6.5.19.0. If you are using an older version, we recommend upgrading to 6.5.13.0 or a later release. For instructions to install AEM 6.5.13.0 or a later release, see the release notes.
Use manual mitigation steps
You can use the manual mitigation steps to resolve the issue on an AEM 6.5 Forms Server running Service Pack 13 through Service Pack 18 (6.5.13.0 - 6.5.18.0):
- Download the struts2-core 2.5.33 jar to a local folder. For example, C:\Users\labuser\Desktop\struts2-core-2.5.33.jar.
- Download the AEM Forms on JEE Manual Patching Tool from Software Distribution.
- Unzip the manual patching tool archive. For example, extract it to the /Users/labuser/Desktop/archive-patcher-1.0.0 folder. The following files are extracted:
  - archive-patcher-1.0.0.jar
  - patch-archive.bat
  - patch-archive.sh
Then, on Windows (using patch-archive.bat):
- Shut down all the server instances and locators.
- Open a terminal window and navigate to the folder containing the extracted AEM Forms on JEE Manual Patching Tool files.
- Run the following command to find all files that contain older struts2 libraries. Before running it, replace the path in the command with the path of your AEM Forms Server:
  ```
  patch-archive.bat -root=C:\Adobe\Adobe_Experience_Manager_Forms\configurationManager\export -pattern=.*struts2-core.*jar$
  ```
  NOTE: The tool requires internet connectivity because it downloads dependencies at runtime. Before running the tool, ensure that you are connected to the internet.
- Run the following command for a recursive in-place replacement. Before running it, replace the paths in the command with the path of your AEM Forms Server and the path of the struts2-core-2.5.33.jar file:
  ```
  patch-archive.bat -root=C:\Adobe\Adobe_Experience_Manager_Forms\configurationManager\export -pattern=.*struts2-core.*jar$ -action=replace C:\Users\labuser\Desktop\struts2-core-2.5.33.jar
  ```
  The above steps patch all the EAR files that contain older struts2 libraries.
- Undeploy the older EAR and deploy the patched EAR file, available in the export folder, to your application server.
- Start your AEM Forms Server.
On Linux (using patch-archive.sh):
- Shut down all the server instances and locators.
- Open a terminal window and navigate to the folder containing the extracted AEM Forms on JEE Manual Patching Tool files.
- Run the following command to find all files that contain older struts2 libraries. Before running it, replace the path in the command with the path of your AEM Forms Server:
  ```
  ./patch-archive.sh -root=/opt/Adobe/Adobe_Experience_Manager_Forms/configurationManager/export/ -pattern=.*struts2-core.*jar$
  ```
  NOTE: The tool requires internet connectivity because it downloads dependencies at runtime. Before running the tool, ensure that you are connected to the internet.
- Run the following command for a recursive in-place replacement. Before running it, replace the paths in the command with the path of your AEM Forms Server and the path of the struts2-core-2.5.33.jar file:
  ```
  ./patch-archive.sh -root=/opt/Adobe/Adobe_Experience_Manager_Forms/configurationManager/export/ -pattern=.*struts2-core.*jar$ -action=replace /opt/struts2-core-2.5.33.jar
  ```
  The above steps patch all the EAR files that contain older struts2 libraries.
- Undeploy the older EAR and deploy the patched EAR file, available in the export folder, to your application server.
- Start your AEM Forms Server.
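After the replacement step, a practitioner wants an independent check that no EAR, WAR or JAR under the export folder still embeds a struts2-core jar older than 2.5.33, since a single missed nested archive leaves the vulnerable library deployed. The script below is an added example, not code from Adobe's page or from the AEM Forms on JEE Manual Patching Tool. It is read-only: it walks a directory, opens each archive, descends into nested archives (WARs inside EARs, JARs inside WARs) and reports every entry matching the same `.*struts2-core.*jar$` pattern the patching tool searches for, flagging anything below 2.5.33 by the version in its file name. The export folder layout it builds for the demo (`build_sample_export`) is constructed sample data, not real AEM Forms artifacts; point `audit_directory()` at your real export folder to use it.

```python
"""Added verification example (not from Adobe's page or the AEM Forms patching
tool): report nested struts2-core jars older than 2.5.33 inside EAR/WAR/JAR
archives. Read-only; the sample export folder is constructed demo data."""
import io
import os
import re
import tempfile
import zipfile

# Same pattern the page's patch-archive command uses: -pattern=.*struts2-core.*jar$
STRUTS_PATTERN = re.compile(r".*struts2-core.*jar$")
# Pulls the numeric version out of a conventionally named struts2-core jar.
VERSION_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")
TARGET_VERSION = (2, 5, 33)  # the version the page says to deploy
ARCHIVE_SUFFIXES = (".ear", ".war", ".jar", ".zip")


def parse_version(filename):
    """Return the version tuple from a struts2-core jar name, or None if unversioned."""
    match = VERSION_RE.search(filename)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def scan_archive(data, path):
    """Yield 'outer!/inner' paths of struts2-core entries in an in-memory zip,
    recursing into nested archives."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            nested = f"{path}!/{info.filename}"
            if STRUTS_PATTERN.match(info.filename):
                yield nested
            if not info.is_dir() and info.filename.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    yield from scan_archive(zf.read(info.filename), nested)
                except zipfile.BadZipFile:
                    continue  # a stray file named *.jar that is not a zip


def audit_directory(root):
    """Walk root and return sorted (nested_path, version_or_None, is_outdated) tuples.
    An unversioned struts2-core jar is reported as outdated so it gets a manual look."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            if not zipfile.is_zipfile(io.BytesIO(data)):
                continue
            for nested in scan_archive(data, full):
                version = parse_version(os.path.basename(nested))
                outdated = version is None or version < TARGET_VERSION
                findings.append((nested, version, outdated))
    return sorted(findings, key=lambda f: f[0])


def _zip_bytes(entries):
    """Build an in-memory zip from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_export(root):
    """Write two constructed EARs (sample data, not real AEM Forms artifacts):
    unpatched.ear still ships struts2-core 2.5.30 inside its WAR, patched.ear carries 2.5.33."""
    stub_jar = _zip_bytes({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    old_war = _zip_bytes({"WEB-INF/lib/struts2-core-2.5.30.jar": stub_jar,
                          "WEB-INF/lib/commons-lang3-3.12.0.jar": stub_jar})
    new_war = _zip_bytes({"WEB-INF/lib/struts2-core-2.5.33.jar": stub_jar})
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "unpatched.ear"), "wb") as fh:
        fh.write(_zip_bytes({"forms-old.war": old_war}))
    with open(os.path.join(root, "patched.ear"), "wb") as fh:
        fh.write(_zip_bytes({"forms-new.war": new_war}))


def demo_sample_audit():
    """Build the sample export folder in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        export = os.path.join(tmp, "export")
        build_sample_export(export)
        return audit_directory(export)


if __name__ == "__main__":
    # Replace demo_sample_audit() with audit_directory("/path/to/export") for a real check.
    for path, version, outdated in demo_sample_audit():
        label = ".".join(map(str, version)) if version else "unversioned"
        print(f"{'OUTDATED' if outdated else 'ok':8} {label:12} {path}")
```

Run the script against the export folder before redeploying: an empty list of OUTDATED lines means every struts2-core jar the tool's pattern would have matched now carries 2.5.33 or later. The check deliberately trusts only the file name, so a jar renamed without a version is flagged rather than assumed patched.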