ESB-2018.1081 - [Win][UNIX/Linux] Adobe Experience Manager: Cross-site scripting - Remote with user interaction 2018-04-11



===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1081
 Multiple vulnerabilities have been identified in Adobe Experience Manager
                               11 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Experience Manager
Publisher:         Adobe
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-4931 CVE-2018-4930 CVE-2018-4929

Original Bulletin: 
   https://helpx.adobe.com/security/products/experience-manager/apsb18-10.html

---------------------------BEGIN INCLUDED TEXT--------------------

Adobe Security Bulletin

Last Published: April 11, 2018

Security updates available for Adobe Experience Manager | APSB18-10
+-------------------------+--------------------------------+------------------+
|Bulletin ID              |Date Published                  |Priority          |
+-------------------------+--------------------------------+------------------+
|APSB18-10                |April 10, 2018                  |3                 |
+-------------------------+--------------------------------+------------------+

Summary

Adobe has released security updates for Adobe Experience Manager. These updates
resolve a stored cross-site scripting vulnerability (CVE-2018-4929) rated
moderate, and two cross-site scripting vulnerabilities (CVE-2018-4930 and
CVE-2018-4931) rated important.

Affected product versions

+------------------------+-----------------+-------------------+
|        Product         |     Version     |     Platform      |
+------------------------+-----------------+-------------------+
|Adobe Experience Manager|6.3              |All                |
|                        |6.2              |                   |
|                        |6.1              |                   |
|                        |6.0              |                   |
+------------------------+-----------------+-------------------+

Solution

Adobe categorizes these updates with the following priority ratings and
recommends users update their installation to the newest version:

+--------------------------+-------+---------+---------+----------------------+
|Product                   |Version|Platform |Priority |Availability          |
+--------------------------+-------+---------+---------+----------------------+
|                          |6.3    |All      |3        |Release note          |
|                          +-------+---------+---------+----------------------+
|                          |6.2    |All      |3        |Release note          |
|Adobe Experience Manager  +-------+---------+---------+----------------------+
|                          |6.1    |All      |3        |Release note          |
|                          +-------+---------+---------+----------------------+
|                          |6.0    |All      |3        |Release note          |
+--------------------------+-------+---------+---------+----------------------+

Please contact Adobe customer care for assistance with earlier AEM versions.

Vulnerability details

+-------------+--------------+----------+-------------+-------------+-----------------------------------------+
|Vulnerability|Vulnerability |Severity  |CVE Numbers  |Affected     |Download Package                         |
|Category     |Impact        |          |             |Version      |                                         |
+-------------+--------------+----------+-------------+-------------+-----------------------------------------+
|Stored       |Sensitive     |Moderate  |CVE-2018-4929|AEM 6.2 and  |HOTFIX 19293 for AEM 6.0.0               |
|cross-site   |Information   |          |             |earlier      |Cumulative Fix Pack for 6.1 SP2 -        |
|scripting    |Disclosure    |          |             |             |AEM-6.1-SP2-CFP15                        |
|             |              |          |             |             |Cumulative Fix Pack for 6.2 SP1 -        |
|             |              |          |             |             |AEM-6.2-SP1-CFP12                        |
+-------------+--------------+----------+-------------+-------------+-----------------------------------------+
|Cross-site   |Sensitive     |Important |CVE-2018-4930|AEM 6.3 and  |Cumulative Fix Pack for 6.1 SP2 -        |
|scripting    |Information   |          |             |earlier      |AEM-6.1-SP2-CFP15                        |
|             |Disclosure    |          |             |             |Cumulative Fix Pack for 6.2 SP1 -        |
|             |              |          |             |             |AEM-6.2-SP1-CFP12                        |
|             |              |          |             |             |Service Pack 6.3.2.0 for AEM 6.3         |
+-------------+--------------+----------+-------------+-------------+-----------------------------------------+
|Stored       |Sensitive     |Important |CVE-2018-4931|AEM 6.1 and  |HOTFIX 19385 for AEM 6.0.0               |
|cross-site   |Information   |          |             |earlier      |HOTFIX 9381 for AEM 6.1.0                |
|scripting    |Disclosure    |          |             |             |                                         |
+-------------+--------------+----------+-------------+-------------+-----------------------------------------+

Note:

The packages listed in the table above are the minimum fix packs to address the
listed vulnerability.  For the latest versions, please see the release notes
links referenced above.

Acknowledgments

Adobe would like to thank the following individuals and organizations for
reporting the relevant issues and for working with Adobe to help protect our
customers:

  o Frans Rosen of Detectify Labs (CVE-2018-4930)
  o Nagamarimuthu of Cognizant Technology Solutions - Enterprise Risk &
    Security Solutions (CVE-2018-4931)

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
