-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.6476
       APSB22-59 : Security update available for Adobe Experience Manager
                              14 December 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Experience Manager (AEM)
Publisher:         Adobe
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-44488 CVE-2022-44474 CVE-2022-44473 CVE-2022-44471
                   CVE-2022-44470 CVE-2022-44469 CVE-2022-44468 CVE-2022-44467
                   CVE-2022-44466 CVE-2022-44465 CVE-2022-44463 CVE-2022-44462
                   CVE-2022-42367 CVE-2022-42366 CVE-2022-42365 CVE-2022-42364
                   CVE-2022-42362 CVE-2022-42360 CVE-2022-42357 CVE-2022-42356
                   CVE-2022-42354 CVE-2022-42352 CVE-2022-42351 CVE-2022-42350
                   CVE-2022-42349 CVE-2022-42348 CVE-2022-42346 CVE-2022-42345
                   CVE-2022-38439 CVE-2022-38438 CVE-2022-35696 CVE-2022-35695
                   CVE-2022-35694 CVE-2022-35693 CVE-2022-30679 CVE-2022-28851
                   CVE-2021-43762 CVE-2021-40722

Original Bulletin:
   https://helpx.adobe.com/security/products/experience-manager/apsb22-59.html

Comment: CVSS (Max):  5.4 CVE-2022-44474 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
         CVSS Source: Adobe
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

Security updates available for Adobe Experience Manager | APSB22-59

Bulletin ID   Date Published      Priority
APSB22-59     December 13, 2022   3

Summary

Adobe has released updates for Adobe Experience Manager (AEM). These updates
resolve vulnerabilities rated Important and Moderate. Successful exploitation
of these vulnerabilities could result in arbitrary code execution and security
feature bypass.
Affected product versions

+------------------------------+-----------------------------------+----------+
| Product                      | Version                           | Platform |
+------------------------------+-----------------------------------+----------+
|                              | AEM Cloud Service (CS)            | All      |
| Adobe Experience Manager     +-----------------------------------+----------+
| (AEM)                        | 6.5.14.0 and earlier versions     | All      |
+------------------------------+-----------------------------------+----------+

Solution

Adobe categorizes these updates with the following priority ratings and
recommends users update their installation to the newest version:

+------------------+--------------+----------+----------+-----------------------+
| Product          | Version      | Platform | Priority | Availability          |
+------------------+--------------+----------+----------+-----------------------+
|                  | AEM Cloud    | All      | 3        | Release Notes         |
| Adobe Experience | Service      |          |          |                       |
| Manager (AEM)    | Release      |          |          |                       |
|                  | 2022.10.0    |          |          |                       |
|                  +--------------+----------+----------+-----------------------+
|                  | 6.5.15.0     | All      | 3        | AEM 6.5 Service Pack  |
|                  |              |          |          | Release Notes         |
+------------------+--------------+----------+----------+-----------------------+

Note: Customers running on Adobe Experience Manager's Cloud Service will
automatically receive updates that include new features as well as security
and functionality bug fixes.

Note: Please contact Adobe customer care for assistance with AEM versions 6.4,
6.3 and 6.2.
Vulnerability details

+----------------+-------------------------------------+--------------------------+-----------+-------+----------------------------------------------+
| CVE Number     | Vulnerability Category              | Vulnerability Impact     | Severity  | CVSS  | CVSS vector                                  |
|                |                                     |                          |           | base  |                                              |
|                |                                     |                          |           | score |                                              |
+----------------+-------------------------------------+--------------------------+-----------+-------+----------------------------------------------+
| CVE-2022-42345 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-42346 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-30679 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-42348 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-42349 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-42350 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-42351 | Improper Access Control (CWE-284)   | Security feature bypass  | Moderate  | 4.3   | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| CVE-2022-42352 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-35693 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-42354 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-35694 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
| CVE-2022-42356 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-42357 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-35695 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-35696 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
| CVE-2022-42360 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-42362 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-42364 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-42365 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-42366 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
| CVE-2022-42367 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-44462 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-44463 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-44465 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-44466 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-44467 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-44468 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-44469 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-44470 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-44471 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-44473 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-44474 | Cross-site Scripting (XSS) (CWE-79) | Arbitrary code execution | Important | 5.4   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| CVE-2022-44488 | URL Redirection to Untrusted Site   | Security feature bypass  | Moderate  | 3.5   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N |
|                | ('Open Redirect') (CWE-601)         |                          |           |       |                                              |
+----------------+-------------------------------------+--------------------------+-----------+-------+----------------------------------------------+

Updates to dependencies

+-------------+----------------------+-------------------------+
| Dependency  | Vulnerability Impact | Affected Versions       |
+-------------+----------------------+-------------------------+
| xmlgraphics | Privilege escalation | AEM CS                  |
|             |                      | AEM 6.5.9.0 and earlier |
+-------------+----------------------+-------------------------+
| ionetty     | Privilege escalation | AEM CS                  |
|             |                      | AEM 6.5.9.0 and earlier |
+-------------+----------------------+-------------------------+

Acknowledgments

Adobe would like to thank the following for reporting these issues and for
working with Adobe to help protect our customers:

  o Jim Green (green-jam) -- CVE-2022-42345; CVE-2022-30679; CVE-2022-42348;
    CVE-2022-42349; CVE-2022-42350; CVE-2022-42351; CVE-2022-42352;
    CVE-2022-35693; CVE-2022-42354; CVE-2022-35694; CVE-2022-42356;
    CVE-2022-42357; CVE-2022-35695; CVE-2022-35696; CVE-2022-42360;
    CVE-2022-42362; CVE-2022-42364; CVE-2022-42365; CVE-2022-42366;
    CVE-2022-42367; CVE-2022-44462; CVE-2022-44463; CVE-2022-44465;
    CVE-2022-44466; CVE-2022-44467; CVE-2022-44468; CVE-2022-44469;
    CVE-2022-44470; CVE-2022-44471; CVE-2022-44473; CVE-2022-44474;
    CVE-2022-44488

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.