
=====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN475
_____________________________________________________________________

DATE                : 15/09/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Adobe Experience Manager versions
                        prior to 6.5.10.0, and AEM Cloud Service (CS).

=====================================================================
https://helpx.adobe.com/security/products/experience-manager/apsb21-82.html
_____________________________________________________________________


Last updated on Sep 14, 2021

Security updates available for Adobe Experience Manager | APSB21-82

Bulletin ID      Date Published          Priority
APSB21-82        September 14, 2021      2


Summary

Adobe has released updates for Adobe Experience Manager (AEM). These
updates resolve vulnerabilities rated Critical and Important.
Successful exploitation of these vulnerabilities could result in
arbitrary code execution.


Affected product versions

Product                           Version                        Platform

Adobe Experience Manager (AEM)    AEM Cloud Service (CS)         All
                                  6.5.9.0 and earlier versions   All


Solution

Adobe categorizes these updates with the following priority ratings and
recommends users update their installation to the newest version:

Product                           Version                  Platform   Priority   Availability

Adobe Experience Manager (AEM)    AEM Cloud Service (CS)   All        2          Release Notes
                                  6.5.10.0                 All        2          AEM 6.5 Service Pack
                                                                                 Release Notes

Note:

Customers running on Adobe Experience Manager’s Cloud Service will
automatically receive updates that include new features as well as
security and functionality bug fixes.

Note:

Please contact Adobe customer care for assistance with AEM versions 6.4,
6.3 and 6.2.


Vulnerability details

For each vulnerability: category, impact, severity, CVSS base score,
CVSS vector and CVE number.

Cross-site Scripting (XSS) (CWE-79)
  Impact          : Arbitrary code execution
  Severity        : Critical
  CVSS base score : 7.5
  CVSS vector     : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  CVE Number      : CVE-2021-40711

Improper Input Validation (CWE-20)
  Impact          : Application denial-of-service
  Severity        : Important
  CVSS base score : 6.5
  CVSS vector     : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  CVE Number      : CVE-2021-40712

Improper Certificate Validation (CWE-295)
  Impact          : Security feature bypass
  Severity        : Important
  CVSS base score : 5.9
  CVSS vector     : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  CVE Number      : CVE-2021-40713

Cross-site Scripting (XSS) (CWE-79)
  Impact          : Arbitrary code execution
  Severity        : Important
  CVSS base score : 6.4
  CVSS vector     : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
  CVE Number      : CVE-2021-40714


Updates to dependencies

Dependency         Vulnerability Impact                   Affected Versions

lodash             Arbitrary code execution               AEM CS; AEM 6.5.9.0 and earlier
Apache Sling       Path Traversal                         AEM CS; AEM 6.5.9.0 and earlier
Jetty              Denial of service                      AEM CS; AEM 6.5.9.0 and earlier
Jackson-Databind   Unchecked allocation of byte buffer    AEM CS; AEM 6.5.9.0 and earlier


Acknowledgments

Adobe would like to thank Lorenzo (CVE-2021-40711, CVE-2021-40712) for
reporting these issues and for working with Adobe to help protect our
customers.

For more information, visit https://helpx.adobe.com/security.html, or
email PSIRT@adobe.com.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


