====================================================================
                            CERT-Renater

                Information Note No. 2017/VULN146
_____________________________________________________________________

DATE                 : 10/05/2017

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Adobe Experience Manager Forms
                       versions 6.2, 6.1, 6.0 prior to 6.2 SP1 CFP3,
                       6.1 SP2 CFP8.

=====================================================================
https://helpx.adobe.com/security/products/aem-forms/apsb17-16.html
____________________________________________________________________

Adobe Security Bulletin

Security updates available for Adobe Experience Manager Forms

Release date: May 9, 2017

Vulnerability identifier: APSB17-16

Priority: 2

CVE number: CVE-2017-3067

Platform: Windows, Linux, Solaris and AIX


Summary

Adobe has released security updates for Adobe Experience Manager (AEM)
Forms on Windows, Linux, Solaris and AIX. These updates resolve an
important information disclosure vulnerability (CVE-2017-3067) resulting
from abuse of the pre-population service in AEM Forms. This issue was
resolved by providing administrators with additional controls in the
configuration manager to restrict the file paths and protocols used to
pre-fill a form. Adobe recommends users apply the available updates
using the instructions provided in the "Solution" section below.


Affected versions

Product                          Affected version   Platform
Adobe Experience Manager Forms   6.2                Windows, Linux, Solaris and AIX
                                 6.1
                                 6.0


Solution

Adobe categorizes these updates with the following priority rating, and
recommends customers with on premise deployments install the available
updates referenced below with the help of Adobe Marketing Cloud Customer
Care team.

Product                              Fixed version   Platform                          Priority rating   Availability
Adobe Experience Manager Forms 6.2   6.2 SP1 CFP3    Windows, Linux, Solaris and AIX   2                 Release Notes
Adobe Experience Manager Forms 6.1   6.1 SP2 CFP8    Windows, Linux, Solaris and AIX   2                 Release Notes
Adobe Experience Manager Forms 6.0   HotFix 2.0.58   Windows, Linux, Solaris and AIX   2                 Release Notes


Vulnerability Details

These updates resolve an information disclosure vulnerability
(CVE-2017-3067) resulting from abuse of the pre-population service in
AEM Forms. This issue was resolved by providing administrators with
additional controls in the configuration manager to restrict the file
paths and protocols used to pre-fill a form.


Acknowledgments

Adobe would like to thank Ruben Reusser of headwire.com for reporting
(CVE-2017-3067) and for working with Adobe to help protect our
customers.

==========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44             +
+ 23 - 25 Rue Daviel  | fax : 01-53-94-20-41             +
+ 75013 Paris         | email: cert@support.renater.fr   +
==========================================================