Adobe Experience Manager Information Disclosure via Apache Sling v2.3.6 vulnerability

Description

Adobe Experience Manager (AEM) is an enterprise content management solution for building websites, mobile apps, and forms. Versions 5.6.1, 6.0.0, and 6.1.0 contain a vulnerability in the Apache Sling Servlets Post component 2.3.6 that allows unauthorized information disclosure. Due to insufficient access controls or misconfiguration, unauthenticated remote attackers can enumerate files and directories on the local system that should be restricted from public access. This vulnerability enables attackers to map the server's file structure and potentially identify sensitive configuration files or other resources.

Remediation

Apply the security hot fixes provided by Adobe for Experience Manager as documented in security bulletin APSB16-05. These patches address the underlying vulnerability in the Apache Sling Servlets Post component and implement proper access controls.

1. Review the Adobe security bulletin at https://helpx.adobe.com/security/products/experience-manager/apsb16-05.html to identify the appropriate hot fix for your AEM version.
2. Download and install the security hot fix following Adobe's installation procedures.
3. After applying the patch, verify that unauthenticated users cannot access system file enumeration endpoints.
4. Review and harden AEM dispatcher configurations to ensure proper access controls are enforced.
5. Implement the principle of least privilege for all AEM servlets and components.
6. Consider upgrading to a supported version of AEM if running an end-of-life release.