AEM Security Notification (November 2018)


This article addresses a few recent and old vulnerabilities that were recently reported in AEM. Note that most identified vulnerabilities were known issues for the AEM product and mitigation have been previously identified, a new dispatcher version is available for the new vulnerabilities. Adobe also urges customers to complete the AEM Security Checklist and follow the relevant guidelines.

Action Required

  • AEM deployments should start using the latest Dispatcher version.
  • The dispatcher security rules must be applied as per the recommended configuration.
  • The AEM Security Checklist should be completed for AEM deployments.

Vulnerabilities and Resolutions

Issue Resolution Links
Bypassing AEM Dispatcher rules Install latest version of Dispatcher(4.3.1) and follow recommended dispatcher configuration. See AEM Dispatcher Release Notes and Configuring Dispatcher.
URL filter bypass vulnerability that could be used to circumvent dispatcher rules - CVE-2016-0957 This was fixed in an older version of Dispatcher, but now it is recommended that you install the latest version of Dispatcher (4.3.1) and follow recommended Dispatcher configuration. See AEM Dispatcher Release Notes and Configuring Dispatcher.
XSS vulnerability related to stored SWF files This has been addressed with security fixes released earlier. Please see AEM Security Bulletin APSB18-10.
Password related Exploits Follow recommendation in Security checklist for stronger passwords. See AEM Security Checklist
Disk usage exposure for anonymous users This issue has been resolved for AEM 6.1 and later, for AEM 6.0 the out of the box permissions can be modified to be more restrictive. See release notesfor AEM 6.1 and older.
Exposure of Open Social Proxy for anonymous users This has been resolved in versions starting from 6.0 SP2. See release notes for AEM 6.1 and older.
CRX Explorer Access on production instances Managing CRX Explorer access is already covered in the Security Checklist, CRX Explorer should be removed from production author and publish and the security health check reports it if not removed. See AEM Security Checklist.
BGServlets is exposed This has been resolved since AEM 6.2. See AEM 6.2 Release Notes

On this page