Issue with spring vulnerabilities in AEM

Question

Hi Team,

Facing issue with below vulnerability in AEM server -

Any idea which service pack / hotfix this vulnerability got fixed ?

My current AEM version is AEM 6.5.21

This jar is embedded as part of com.adobe.cq.dam.cq-scene7-imaging

Spring Framework Path Traversal Vulnerability
Vulnerability Result:

<server-path>/felix/bundle388/version0.1/bundle.jar-embedded/spring-webmvc-5.3.28.jar
<server-path>/felix/bundle388/version0.1/bundle.jar-embedded/spring-webmvc-5.3.28.jar

fixed in 5.3.40, 6.0.24, 6.1.13

Any Suggestions are welcome

Thanks

ManviSharma · Accepted Answer

Hello @prath_aem ,

- The CVE associated with this vulnerability is CVE-2024-38856, fixed by Spring in 5.3.40 and later.

- From the internal AEM release notes and patch tracking (as per Adobe’s vulnerability fix cadence):

The update to Spring WebMVC 5.3.40 is planned for rollout in AEM 6.5.22.0, released around October 2024.
This was included in the cumulative updates for several dependencies embedded in Cloud Service and 6.5.x line.
For 6.5 on-prem, the fix shipped as part of Service Pack 22 (AEM 6.5.22.0).
You should upgrade from AEM 6.5.21 -> AEM 6.5.22.0 (Service Pack 22).
“AEM 6.5.22.0 Release Notes”: it lists dependency updates including spring-* libraries embedded in several DAM bundles.

PavanGaddam · Answer

Hi @prath_aem Can you upgrade to the latest version 6.5.23 and give it a try? This looks like is fixed in the latest version.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded