AEM Security Notification (November 2018)


This article addresses a few vulnerabilities, some recent and some older, that were recently reported in AEM. Most of the identified vulnerabilities were already known issues for the AEM product, and mitigations have been previously identified; a new Dispatcher version is available for the new vulnerabilities. Adobe also urges customers to complete the AEM Security Checklist and follow the relevant guidelines.

Action Required

  • AEM deployments should start using the latest Dispatcher version.
  • The dispatcher security rules must be applied as per the recommended configuration.
  • The AEM Security Checklist should be completed for AEM deployments.

Vulnerabilities and Resolutions

  • Bypassing AEM Dispatcher rules
    Install the latest version of Dispatcher (4.3.1) and follow the recommended Dispatcher configuration.
  • URL filter bypass vulnerability that could be used to circumvent Dispatcher rules - CVE-2016-0957
    This was fixed in an older version of Dispatcher, but it is now recommended that you install the latest version of Dispatcher (4.3.1) and follow the recommended Dispatcher configuration.
  • XSS vulnerability related to stored SWF files
    This has been addressed with security fixes released earlier.
  • Password-related exploits
    Follow the recommendations in the Security Checklist for stronger passwords.
  • Disk usage exposure for anonymous users
    This issue has been resolved for AEM 6.1 and later. For AEM 6.0, the out-of-the-box permissions can be modified to be more restrictive.
    See release notes for AEM 6.1 and older.
  • Exposure of Open Social Proxy for anonymous users
    This has been resolved in versions starting from 6.0 SP2.
    See release notes for AEM 6.1 and older.
  • CRX Explorer access on production instances
    Managing CRX Explorer access is already covered in the Security Checklist. CRX Explorer should be removed from production author and publish instances, and the security health check reports it if it has not been removed.
  • BGServlets is exposed
    This has been resolved since AEM 6.2.