-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1081
    Multiple vulnerabilities have been identified in Adobe Experience Manager
                               11 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Experience Manager
Publisher:         Adobe
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-4931 CVE-2018-4930 CVE-2018-4929

Original Bulletin:
   https://helpx.adobe.com/security/products/experience-manager/apsb18-10.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Adobe Security Bulletin

Last Published: April 11, 2018

Security updates available for Adobe Experience Manager | APSB18-10

+-------------------------+--------------------------------+------------------+
|Bulletin ID              |Date Published                  |Priority          |
+-------------------------+--------------------------------+------------------+
|APSB18-10                |April 10, 2018                  |3                 |
+-------------------------+--------------------------------+------------------+

Summary

Adobe has released security updates for Adobe Experience Manager. These
updates resolve a stored cross-site scripting vulnerability (CVE-2018-4929)
rated moderate, and two cross-site scripting vulnerabilities (CVE-2018-4930
and CVE-2018-4931) rated important.
Affected product versions

+------------------------+-----------------+-------------------+
| Product                | Version         | Platform          |
+------------------------+-----------------+-------------------+
|                        | 6.3             |                   |
| Adobe Experience       | 6.2             | All               |
| Manager                | 6.1             |                   |
|                        | 6.0             |                   |
+------------------------+-----------------+-------------------+

Solution

Adobe categorizes these updates with the following priority ratings and
recommends users update their installation to the newest version:

+--------------------------+-------+---------+---------+----------------------+
|Product                   |Version|Platform |Priority |Availability          |
+--------------------------+-------+---------+---------+----------------------+
|                          |6.3    |All      |3        |Release note          |
|                          +-------+---------+---------+----------------------+
|                          |6.2    |All      |3        |Release note          |
|Adobe Experience Manager  +-------+---------+---------+----------------------+
|                          |6.1    |All      |3        |Release note          |
|                          +-------+---------+---------+----------------------+
|                          |6.0    |All      |3        |Release note          |
+--------------------------+-------+---------+---------+----------------------+

Please contact Adobe customer care for assistance with earlier AEM versions.
Vulnerability details

+-------------+--------------+----------+-------------+--------+-----------------+
|Vulnerability|Vulnerability |Severity  |CVE Numbers  |Affected|Download Package |
|Category     |Impact        |          |             |Version |                 |
+-------------+--------------+----------+-------------+--------+-----------------+
|Stored       |Sensitive     |Moderate  |CVE-2018-4929|AEM 6.2 |HOTFIX 19293 for |
|cross-site   |Information   |          |             |and     |AEM 6.0.0        |
|scripting    |disclosure    |          |             |earlier |                 |
|             |              |          |             |        |Cumulative Fix   |
|             |              |          |             |        |Pack for 6.1 SP2 |
|             |              |          |             |        |-                |
|             |              |          |             |        |AEM-6.1-SP2-CFP15|
|             |              |          |             |        |                 |
|             |              |          |             |        |Cumulative Fix   |
|             |              |          |             |        |Pack for 6.2 SP1 |
|             |              |          |             |        |-                |
|             |              |          |             |        |AEM-6.2-SP1-CFP12|
+-------------+--------------+----------+-------------+--------+-----------------+
|Cross-site   |Sensitive     |Important |CVE-2018-4930|AEM 6.3 |Cumulative Fix   |
|scripting    |Information   |          |             |and     |Pack for 6.1 SP2 |
|             |Disclosure    |          |             |earlier |-                |
|             |              |          |             |        |AEM-6.1-SP2-CFP15|
|             |              |          |             |        |                 |
|             |              |          |             |        |Cumulative Fix   |
|             |              |          |             |        |Pack for 6.2 SP1 |
|             |              |          |             |        |-                |
|             |              |          |             |        |AEM-6.2-SP1-CFP12|
|             |              |          |             |        |                 |
|             |              |          |             |        |Service Pack     |
|             |              |          |             |        |6.3.2.0 for AEM  |
|             |              |          |             |        |6.3              |
+-------------+--------------+----------+-------------+--------+-----------------+
|Stored       |Sensitive     |Important |CVE-2018-4931|AEM 6.1 |HOTFIX 19385 for |
|cross-site   |Information   |          |             |and     |AEM 6.0.0        |
|scripting    |Disclosure    |          |             |earlier |                 |
|             |              |          |             |        |HOTFIX 9381 for  |
|             |              |          |             |        |AEM 6.1.0        |
+-------------+--------------+----------+-------------+--------+-----------------+

Note: The packages listed in the table above are the minimum fix packs to
address the listed vulnerability. For the latest versions, please see the
release notes links referenced above.
Acknowledgments

Adobe would like to thank the following individuals and organizations for
reporting the relevant issues and for working with Adobe to help protect our
customers:

  o Frans Rosen of Detectify Labs (CVE-2018-4930)
  o Nagamarimuthu of Cognizant Technology Solutions - Enterprise Risk &
    Security Solutions (CVE-2018-4931)

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----