CVE-2021-21083 (from the vulnerability details below): AEM's Cloud Service offering, as well as versions 6.5.7.0 (and below), 6.4.8.3 (and below) and 6.3.3.8 (and below), are affected by an Improper Access Control vulnerability. An unauthenticated attacker could leverage this vulnerability to cause an application denial-of-service in the context of the current user.
Security updates available for Adobe Experience Manager | APSB21-15
| Bulletin ID | Date Published | Priority |
|---|---|---|
| APSB21-15 | May 11, 2021 | 2 |
Summary
Adobe has released updates for Adobe Experience Manager (AEM). These updates resolve vulnerabilities rated Critical and Important. Successful exploitation of these vulnerabilities could result in arbitrary JavaScript execution in the browser (stored cross-site scripting) or an application denial-of-service.
Affected product versions

| Product | Version | Platform |
|---|---|---|
| Adobe Experience Manager (AEM) | AEM Cloud Service (CS) | All |
| Adobe Experience Manager (AEM) | 6.5.7.0 and earlier versions | All |
| Adobe Experience Manager (AEM) | 6.4.8.3 and earlier versions | All |
| Adobe Experience Manager (AEM) | 6.3.3.8 and earlier versions | All |
Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

| Product | Version | Platform | Priority | Availability |
|---|---|---|---|---|
| Adobe Experience Manager (AEM) | AEM Cloud Service (CS) | All | 2 | Release Notes |
| Adobe Experience Manager (AEM) | 6.5.8.0 | All | 2 | AEM 6.5 Service Pack Release Notes |
| Adobe Experience Manager (AEM) | 6.4.8.4 | All | 2 | AEM 6.4 Cumulative Fix Pack Release Notes |
Customers running on Adobe Experience Manager’s Cloud Service will automatically receive updates that include new features as well as security and functionality bug fixes.
AEM Cumulative Fix Pack 6.4.8.4 is an important update that includes several internal and customer fixes since the general availability of AEM 6.4 Service Pack 8 (6.4.8.0) in March 2020.
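The affected and fixed versions above are easy to misread when an instance reports a version such as 6.5.3.0 (an earlier 6.5 service pack, still inside "6.5.7.0 and earlier"). The following script is an added example, not Adobe's code or part of this bulletin: it encodes the bulletin's Affected product versions and Solution tables, parses an AEM version string of the form major.minor.servicepack.cfp, and reports whether the instance is in the affected range and which update the bulletin lists for it. The version strings passed to it below are constructed for illustration; on a real instance you would paste in the version shown on the AEM Web Console's Product Information page. Note that the Solution table lists no update for the 6.3 line, so the script reports that case explicitly rather than guessing a target.

```python
"""Compare an AEM version string against the ranges in Adobe bulletin APSB21-15.

Added example (not part of the bulletin). The two tables below are transcribed
from the bulletin's "Affected product versions" and "Solution" sections; the
AEM Cloud Service row is omitted because it has no numeric version and is
patched automatically by Adobe.
"""
from __future__ import annotations

import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

# Newest affected version per release line ("X and earlier" in the bulletin).
LAST_AFFECTED: Dict[Tuple[int, int], Version] = {
    (6, 5): (6, 5, 7, 0),
    (6, 4): (6, 4, 8, 3),
    (6, 3): (6, 3, 3, 8),
}

# Update listed in the Solution table per release line. 6.3 has no entry.
FIXED_IN: Dict[Tuple[int, int], Version] = {
    (6, 5): (6, 5, 8, 0),
    (6, 4): (6, 4, 8, 4),
}

_VERSION_RE = re.compile(r"^\d+(\.\d+){0,3}$")


def parse_version(text: str) -> Version:
    """Parse '6.5.7.0' (or a shorter prefix such as '6.5') into a 4-tuple.

    Missing trailing components are treated as 0, so '6.5' means 6.5.0.0,
    i.e. the GA release before any service pack.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not an AEM version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (4 - len(parts))
    return parts[0], parts[1], parts[2], parts[3]


def format_version(v: Version) -> str:
    return ".".join(str(p) for p in v)


def assess(version: str) -> Dict[str, Optional[str]]:
    """Classify a version against APSB21-15.

    Returns a dict with:
      status: 'affected', 'not affected' or 'unknown' (release line not
              covered by this bulletin, e.g. 6.2)
      fix:    the update from the Solution table, or None when the bulletin
              lists none for that line
    """
    v = parse_version(version)
    line = (v[0], v[1])
    if line not in LAST_AFFECTED:
        return {"version": format_version(v), "status": "unknown", "fix": None}

    fix = FIXED_IN.get(line)
    fix_text = format_version(fix) if fix else None
    # Tuple comparison is lexicographic, which matches how AEM orders
    # major.minor.servicepack.cfp, so "X and earlier" is simply v <= X.
    if v <= LAST_AFFECTED[line]:
        return {"version": format_version(v), "status": "affected", "fix": fix_text}
    return {"version": format_version(v), "status": "not affected", "fix": fix_text}


def report(version: str) -> str:
    """One-line human-readable verdict for a version string."""
    r = assess(version)
    if r["status"] == "affected":
        if r["fix"]:
            return f"{r['version']}: affected by APSB21-15, update to {r['fix']}"
        return (f"{r['version']}: affected by APSB21-15, but the bulletin lists "
                f"no update for this release line")
    if r["status"] == "not affected":
        return f"{r['version']}: not in the affected range of APSB21-15"
    return f"{r['version']}: release line not covered by APSB21-15"


if __name__ == "__main__":
    # Constructed sample inputs, not real instance data.
    for sample in ["6.5.7.0", "6.5.3", "6.5.8.0", "6.4.8.3", "6.3.3.8", "6.2.0.0"]:
        print(report(sample))
```

The check is deliberately conservative: a version the bulletin does not mention (such as 6.2) is reported as unknown rather than safe, and the 6.3 line is flagged as affected with no listed fix because the Solution table above carries no 6.3 row.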
Vulnerability details

| Vulnerability Category | Vulnerability Impact | Severity | CVE Number | Affected Versions |
|---|---|---|---|---|
| Improper Access Control | Application denial-of-service | Important | CVE-2021-21083 | AEM CS; AEM 6.5.7.0 and earlier; AEM 6.4.8.3 and earlier; AEM 6.3.3.8 and earlier |
| Cross-site scripting (stored) | Arbitrary JavaScript execution in the browser | Critical | CVE-2021-21084 | AEM CS; AEM 6.5.7.0 and earlier; AEM 6.4.8.3 and earlier; AEM 6.3.3.8 and earlier |
Updates to dependencies

All dependency updates below apply to AEM CS, AEM 6.5.7.0 and earlier, AEM 6.4.8.3 and earlier, and AEM 6.3.3.8 and earlier.

| Dependency | Vulnerability Impact |
|---|---|
| Commons-io | Improper Access Control |
| MetadataExtractor | Uncontrolled Resource Consumption |
| FasterXML Jackson Databind/Core | Remote Code Execution |
| Eclipse Jetty | Improper Access Control |
| Lucene Queryparser | Remote Code Execution |
| Apache XML-RPC | Arbitrary Code Execution |
| Zip4j | Arbitrary Code Execution |
| Apache Directory LDAP API | Improper Access Control |
| Apache Sling | Improper Access Control |
| Apache Felix | Arbitrary Code Execution |
| Apache Solr | Improper Read/Write Access |
| Apache Tomcat | Improper Access Control |
| jQuery | Arbitrary Code Execution |
Acknowledgments
Adobe would like to thank Thomas Hartmann from netcentric (CVE-2021-21083 and CVE-2021-21084) for reporting both issues and for working with Adobe to help protect our customers.