- Overview
- Administration
- Authentication
- Adobe Cloud Manager
- Development
- Projects
- Security
- Workflow
- Troubleshooting
- How to enable asset download report
- How to force recompilation in AEM6.4
- How to investigate indexing related issues in AEM
- How to investigate SAML related issues in AEM
- How to investigate search related issues in AEM
- How to set the Oak login token session expiration
- How to troubleshoot issues related to Jetty configuration
- How to troubleshoot performance related issues
- Steps to resolve memory related issues in AEM
- Steps to resolve replication issues in AEM
AEM Security Notification (November 2018)
Summary
This article addresses a few recent and old vulnerabilities that were recently reported in AEM. Note that most identified vulnerabilities were known issues for the AEM product and mitigation have been previously identified, a new dispatcher version is available for the new vulnerabilities. Adobe also urges customers to complete the AEM Security Checklist and follow the relevant guidelines.
Action Required
- AEM deployments should start using the latest Dispatcher version.
- The dispatcher security rules must be applied as per the recommended configuration.
- The AEM Security Checklist should be completed for AEM deployments.
Vulnerabilities and Resolutions
| Issue | Resolution | Links |
|---|---|---|
| Bypassing AEM Dispatcher rules | Install latest version of Dispatcher(4.3.1) and follow recommended dispatcher configuration. | See AEM Dispatcher Release Notes and Configuring Dispatcher. |
| URL filter bypass vulnerability that could be used to circumvent dispatcher rules - CVE-2016-0957 | This was fixed in an older version of Dispatcher, but now it is recommended that you install the latest version of Dispatcher (4.3.1) and follow recommended Dispatcher configuration. | See AEM Dispatcher Release Notes and Configuring Dispatcher. |
| XSS vulnerability related to stored SWF files | This has been addressed with security fixes released earlier. | Please see AEM Security Bulletin APSB18-10. |
| Password related Exploits | Follow recommendation in Security checklist for stronger passwords. | See AEM Security Checklist |
| Disk usage exposure for anonymous users | This issue has been resolved for AEM 6.1 and later, for AEM 6.0 the out of the box permissions can be modified to be more restrictive. | See release notesfor AEM 6.1 and older. |
| Exposure of Open Social Proxy for anonymous users | This has been resolved in versions starting from 6.0 SP2. | See release notes for AEM 6.1 and older. |
| CRX Explorer Access on production instances | Managing CRX Explorer access is already covered in the Security Checklist, CRX Explorer should be removed from production author and publish and the security health check reports it if not removed. | See AEM Security Checklist. |
| BGServlets is exposed | This has been resolved since AEM 6.2. | See AEM 6.2 Release Notes |
Business.Adobe.com resources
Resources
Adobe Account
Change language
Copyright © 2023 Adobe. All Rights Reserved.
