Adobe Security Bulletin

Last updated on Jan 28, 2022

Security updates available for Adobe Experience Manager | APSB21-82

Bulletin ID	Date Published	Priority
APSB21-82	September 14, 2021	2

Summary

Adobe has released updates for Adobe Experience Manager (AEM). These updates resolve vulnerabilities rated critical and Important.  Successful exploitation of these vulnerabilities could result in arbitrary code execution.

Affected product versions

Product	Version	Platform
Adobe Experience Manager (AEM)	AEM Cloud Service (CS)	All
6.5.9.0 and earlier versions	All

Product

Version

Platform

Adobe Experience Manager (AEM)

AEM Cloud Service (CS)

All

6.5.9.0 and earlier versions

All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product	Version	Platform	Priority	Availability
Adobe Experience Manager (AEM)	AEM Cloud Service (CS)	All	2	Release Notes
6.5.10.0	All	2	AEM 6.5 Service Pack Release Notes

Product

Version

Platform

Priority

Availability

Adobe Experience Manager (AEM)

AEM Cloud Service (CS)

All

Release Notes

6.5.10.0

All

AEM 6.5 Service Pack Release Notes

Note:

Customers running on Adobe Experience Manager’s Cloud Service will automatically receive updates that include new features as well as security and functionality bug fixes.

Note:

Please contact Adobe customer care for assistance with AEM versions 6.4, 6.3 and 6.2.

Vulnerability details

Vulnerability Category	Vulnerability Impact	Severity	CVSS base score	CVSS vector	CVE Number
Cross-site Scripting (XSS) (CWE-79)	Arbitrary code execution	Important	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	CVE-2021-40711
Improper Input Validation (CWE-20)	Application denial-of-service	Important	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H	CVE-2021-40712
Improper Certificate Validation (CWE-295)	Security feature bypass	Important	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	CVE-2021-40713
Cross-site Scripting (XSS) (CWE-79)	Arbitrary code execution	Important	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	CVE-2021-40714
Improper Access Control (CWE-284)	Security feature bypass	Important	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	CVE-2021-42725

Updates to dependencies

Dependency	Vulnerability Impact	Affected Versions
Iodash	Arbitrary code execution	AEM CS  AEM 6.5.9.0 and earlier
Apache Sling	Path Traversal	AEM CS  AEM 6.5.9.0 and earlier
Jetty	Denial of service	AEM CS  AEM 6.5.9.0 and earlier
Jackson-Databind	Unchecked allocation of byte buffer	AEM CS  AEM 6.5.9.0 and earlier

Acknowledgments

Adobe would like to thank Lorenzo Pirondini (Netcentric, a Cognizant Digital Business) (CVE-2021-40711, CVE-2021-40712) and Eckbert Andresen (CVE-2021-42725) for reporting these issues and for working with Adobe to help protect our customers.

Revisions

September 27, 2021: Updated acknowledgement details for CVE-2021-40711 & CVE-2021-40712.

October 4, 2021: Updated CVSS base score, vector, and Severity for CVE-2021-40711.

October 28, 2021: Added details for CVE-2021-42725.

January 27th, 2022: Updated CVSS details for CVE-2021-40711, CVE-2021-40714

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

Adobe

Get help faster and easier

New user?