===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2952
       Security updates available for Adobe Experience Manager Forms
                             14 December 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Experience Manager Forms
Publisher:         Adobe
Operating System:  Windows
                   Linux variants
                   Solaris
                   AIX
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-6934 CVE-2016-6933

Original Bulletin:
   https://helpx.adobe.com/security/products/aem-forms/apsb16-40.html

--------------------------BEGIN INCLUDED TEXT--------------------

Adobe Security Bulletin

Security updates available for Adobe Experience Manager Forms

Release date: December 13, 2016

Vulnerability identifier: APSB16-40

Priority: 3

CVE number: CVE-2016-6933, CVE-2016-6934

Platform: Windows, Linux, Solaris and AIX

Summary

Adobe has released security updates for Adobe Experience Manager (AEM) Forms
on Windows, Linux, Solaris and AIX. These updates resolve two important input
validation issues that could be used in cross-site scripting attacks
(CVE-2016-6933 and CVE-2016-6934). Adobe recommends users apply the available
updates using the instructions provided in the "Solution" section below.

Note: In 2015, AEM Forms became the successor to Adobe LiveCycle.

Affected versions

Product                         Affected version  Platform
Adobe Experience Manager Forms  6.2               Windows, Linux, Solaris and AIX
                                6.1
                                6.0
LiveCycle                       11.0.1            Windows, Linux, Solaris and AIX
                                10.0.4

Solution

Adobe categorizes these updates with the following priority rating, and
recommends customers with on premise deployments install the available updates
referenced below with the help of Adobe Marketing Cloud Customer Care team.

Product                             Fixed version        Platform                         Priority rating
Adobe Experience Manager Forms 6.2  AEMForms-6.2.0-0002  Windows, Linux, Solaris and AIX  3
Adobe Experience Manager Forms 6.1  6.1.0-COR-1064-012
                                    6.1.0-PRM-1065-020
Adobe Experience Manager Forms 6.0  6.0.0-COR-1042-015   Windows, Linux, Solaris and AIX  3
                                    6.0.0-PRM-1043-020
LiveCycle 11.0.1                    11.0.1-COR-1155-044  Windows, Linux, Solaris and AIX  3
                                    11.0.1-PRM-1161-017
LiveCycle 10.0.4                    10.0.4-COR-1064-025  Windows, Linux, Solaris and AIX  3
                                    10.0.4-PRM-1065-007

Vulnerability Details

Description                                   CVE            Fixed version
Updates resolve an input validation issue     CVE-2016-6933  AEMForms-6.2.0-0002
in the AACComponent that could be used in                    6.1.0-COR-1064-012
cross-site scripting attacks.                                6.0.0-COR-1042-015
                                                             11.0.1-COR-1155-044
                                                             10.0.4-COR-1064-025
Updates resolve an input validation issue     CVE-2016-6934  AEMForms-6.2.0-0002
in the PMAdmin module that could be used in                  6.1.0-PRM-1065-020
cross-site scripting attacks.                                6.0.0-PRM-1043-020
                                                             11.0.1-PRM-1161-017
                                                             10.0.4-PRM-1065-007

Acknowledgments

Adobe would like to thank Adam Willard of Blue Canopy for reporting these
issues (CVE-2016-6933 and CVE-2016-6934) and for working with Adobe to help
protect our customers.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================