===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2952
       Security updates available for Adobe Experience Manager Forms
                             14 December 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Experience Manager Forms
Publisher:         Adobe
Operating System:  Windows
                   Linux variants
                   Solaris
                   AIX
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-6934 CVE-2016-6933 

Original Bulletin: 
   https://helpx.adobe.com/security/products/aem-forms/apsb16-40.html

--------------------------BEGIN INCLUDED TEXT--------------------

Adobe Security Bulletin

Security updates available for Adobe Experience Manager Forms

Release date: December 13, 2016

Vulnerability identifier: APSB16-40

Priority: 3

CVE number: CVE-2016-6933, CVE-2016-6934

Platform: Windows, Linux, Solaris and AIX

Summary

Adobe has released security updates for Adobe Experience Manager (AEM) Forms
on Windows, Linux, Solaris and AIX. These updates resolve two important
input validation issues that could be used in cross-site scripting attacks
(CVE-2016-6933 and CVE-2016-6934). Adobe recommends users apply the available
updates using the instructions provided in the "Solution" section below.

Note: In 2015, AEM Forms became the successor to Adobe LiveCycle.

Affected versions

Product                          Affected version   Platform
Adobe Experience Manager Forms   6.2                Windows, Linux, Solaris and AIX
                                 6.1
                                 6.0

LiveCycle                        11.0.1             Windows, Linux, Solaris and AIX
                                 10.0.4


Solution

Adobe categorizes these updates with the following priority rating, and
recommends customers with on-premise deployments install the available
updates referenced below with the help of the Adobe Marketing Cloud Customer
Care team.

Product                              Fixed version         Platform                          Priority rating
Adobe Experience Manager Forms 6.2   AEMForms-6.2.0-0002   Windows, Linux, Solaris and AIX   3
Adobe Experience Manager Forms 6.1   6.1.0-COR-1064-012
                                     6.1.0-PRM-1065-020
Adobe Experience Manager Forms 6.0   6.0.0-COR-1042-015    Windows, Linux, Solaris and AIX   3
                                     6.0.0-PRM-1043-020
LiveCycle 11.0.1                     11.0.1-COR-1155-044   Windows, Linux, Solaris and AIX   3
                                     11.0.1-PRM-1161-017
LiveCycle 10.0.4                     10.0.4-COR-1064-025   Windows, Linux, Solaris and AIX   3
                                     10.0.4-PRM-1065-007

Vulnerability Details

Description                                    CVE             Fixed version
Updates resolve an input validation issue in   CVE-2016-6933   AEMForms-6.2.0-0002
the AACComponent that could be used in                         6.1.0-COR-1064-012
cross-site scripting attacks.                                  6.0.0-COR-1042-015
                                                               11.0.1-COR-1155-044
                                                               10.0.4-COR-1064-025

Updates resolve an input validation issue in   CVE-2016-6934   AEMForms-6.2.0-0002
the PMAdmin module that could be used in                       6.1.0-PRM-1065-020
cross-site scripting attacks.                                  6.0.0-PRM-1043-020
                                                               11.0.1-PRM-1161-017
                                                               10.0.4-PRM-1065-007

Acknowledgments

Adobe would like to thank Adam Willard of Blue Canopy for reporting these
issues (CVE-2016-6933 and CVE-2016-6934) and for working with Adobe to
help protect our customers.

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================