Deserialization vulnerability in the Apache commons-collections library

Adobe has become aware of a deserialization vulnerability in the Apache commons-collections library. The vulnerability can lead to Remote Code Execution and impacts customers using Oracle WebLogic, IBM WebSphere, and Red Hat JBoss application servers.

Perform the following steps to fix the vulnerability:

  1. Install security fixes for your application server:

    The following table lists the Security Alerts or Advisories that Oracle, IBM, and Red Hat have released for the vulnerability.

    Customers using these technologies are advised to obtain the security fixes directly from the application server vendors, and apply them as recommended. Customers using the JBoss turnkey, and not having a support contract with Red Hat, can contact Adobe enterprise support to obtain JBoss patches when the patches are made available by Red Hat.

  2. Download and install the hotfix-NPR-8364:

    1. Log in to the AEM instance as an administrator and open the package share. The default URL of the package share is http://[server]:[port]/crx/packageshare.

    2. In package share, search for CQ-ALL-hotfix-NPR-8364, click the package, and click Download. Read and accept the license agreement and click OK. The download starts. Once downloaded, the word Downloaded appears next to the package.

      Alternately, you can also use the hyperlink http://t.info.adobesystems.com/r/?id=hb5e38e83,33b182ff,33b688fb to manually download a package.

    3. After the download completes, click Downloaded. You are redirected to package manager. In the package manager, search for the downloaded package, and click Install.

      If you manually download the package via the direct link, open the package manager, click Upload Package, select the downloaded package, and click Upload. After the package is uploaded, click the package name, and click Install. The default URL of the Package Manager is http://[server]:[port]/lc/crx/packmgr/index.jsp.

    4. After the package is installed, open the http://[host]:[port]/lc/libs/cq/sercheck/run/tester.html URL in the browser window, and download the notsoserial-[version].jar.

      Copy the downloaded notsoserial-[version].jar file to the server which has AEM forms deployed.

      Note:

      Ensure that the user running the application server has permissions to read and write to the server directory containing downloaded jar file.

    5. Add the following JVM argument to the application server startup script:

      -javaagent:[path]/notsoserial-[version].jar

      [path] is the location on the server containing the notsoserial-[version].jar file.

    6. Restart the application server.

    7. Open the http://[host]:[port]/lc/libs/cq/sercheck/run/tester.html URL in a browser window. Ensure that the Serialization Test Results are set to OK.

  3. If you are using Adobe Experience Manager forms document security add-on or LiveCycle Rights Management, then install the applicable quick fix:

    Product Version                                      Quick Fix
    Adobe Experience Manager 6.1 forms feature pack 1    Quick Fix 1034-010, Quick Fix 1048-010, Quick Fix 1049-011
    Adobe Experience Manager 6.0 forms                   Quick Fix 1020-005
    LiveCycle ES4 SP1                                    Quick Fix 1126-016, Quick Fix 1134-011, Quick Fix 1137-011, Quick Fix 1141-043
    LiveCycle ES3 SP2                                    Quick Fix 1058-012
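The notsoserial agent installed in step 2 works by hooking ObjectInputStream so that blocklisted classes are rejected before they are loaded. The following is an added example, not part of this advisory and not notsoserial's own code, that applies the same control to a single stream so the mechanism can be seen and exercised locally. The class names in the default blocklist are real commons-collections transformer classes; everything else (the class name BlocklistObjectInputStream, the Greeting type, the helper methods) is constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not notsoserial's code): an ObjectInputStream that refuses
 * blocklisted classes in resolveClass(), i.e. before the class is loaded and
 * before any readObject()/readResolve() of that class can run. The agent
 * applies this idea JVM-wide by instrumentation; here it is one stream.
 */
public class BlocklistObjectInputStream extends ObjectInputStream {

    /**
     * Constructed default blocklist: the commons-collections transformer
     * classes the published gadget chains rely on, in both the 3.x and 4.x
     * packages. Extend it for the libraries on your own classpath.
     */
    public static final Set<String> DEFAULT_BLOCKLIST = Collections.unmodifiableSet(
        new HashSet<>(Arrays.asList(
            "org.apache.commons.collections.functors.InvokerTransformer",
            "org.apache.commons.collections.functors.InstantiateTransformer",
            "org.apache.commons.collections4.functors.InvokerTransformer",
            "org.apache.commons.collections4.functors.InstantiateTransformer")));

    private final Set<String> blocked;

    public BlocklistObjectInputStream(InputStream in, Set<String> blocked) throws IOException {
        super(in);
        this.blocked = blocked;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (blocked.contains(name)) {
            // Fail closed: the class is never loaded or instantiated. A hit here
            // is also a detection signal worth logging and alerting on.
            throw new InvalidClassException(name, "class is blocked for deserialization");
        }
        return super.resolveClass(desc);
    }

    /** Harmless constructed type used to show ordinary data still round-trips. */
    public static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String text;
        public Greeting(String text) { this.text = text; }
    }

    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static Object deserialize(byte[] bytes, Set<String> blocked)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                 new BlocklistObjectInputStream(new ByteArrayInputStream(bytes), blocked)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. An ordinary object passes the default blocklist unchanged.
        Greeting g = (Greeting) deserialize(serialize(new Greeting("hello")), DEFAULT_BLOCKLIST);
        System.out.println("allowed: " + g.text);

        // 2. To exercise the rejection path without any gadget library present,
        //    add a JDK class to the blocklist and confirm the stream refuses it
        //    before it is instantiated.
        Set<String> demo = new HashSet<>(DEFAULT_BLOCKLIST);
        demo.add("java.util.HashMap");
        Map<String, String> m = new HashMap<>();
        m.put("k", "v");
        try {
            deserialize(serialize(m), demo);
            System.out.println("unexpected: HashMap was accepted");
        } catch (InvalidClassException e) {
            System.out.println("blocked: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

A blocklist, like the agent's default mode, only covers the gadget classes you know about; where the set of legitimately serialized types is known, an allowlist in the same resolveClass() hook is stricter, and the JDK's built-in serialization filter (ObjectInputFilter, introduced in Java 9 and backported to later Java 8 updates) gives the same control without a custom stream or agent. The Serialization Test Results check in step 7 is the page's way of confirming the JVM-wide version of this hook is actually active after the restart; an InvalidClassException naming one of the blocked classes in the application server log is the signal that an attempt was stopped.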