Expand my Community achievements bar.

Learn about Edge Delivery Services in upcoming GEM session
SOLVED

on-prem AEM: which uber-jar should I be using? (or where to find release notes for uber-jars)

Avatar

Level 8

So our IT security has done a scan and found out the 6.4.0 uber-jar we're using has some vulternability.

 

I need to find out which uber-jar version has a fix for this vulnerability.

 

PS. we're currently on 6.4.2 and our uber-jar is on 6.4.0

 

Thank you.

EDIT: this is vulnerability: "CVE-2017-7658" eclipse jetty server

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

Hello @jayv25585659 

 

There are couple of options:

  1. Go through release notes manually https://github.com/AdobeDocs/experience-manager-64.en/blob/main/help/release-notes/release-notes.md
  2. Raise an Adobe ticket

 

6.4 is very old version. You should consider upgrading AEM. A lot of issues might have already been resolved.

 

 


Aanchal Sikka

View solution in original post

4 Replies

Avatar

Correct answer by
Community Advisor

Hello @jayv25585659 

 

There are couple of options:

  1. Go through release notes manually https://github.com/AdobeDocs/experience-manager-64.en/blob/main/help/release-notes/release-notes.md
  2. Raise an Adobe ticket

 

6.4 is very old version. You should consider upgrading AEM. A lot of issues might have already been resolved.

 

 


Aanchal Sikka

Avatar

Level 8

Hi @jayv25585659 ,

We had a similar kind of vulnerability on the log4j reference through uber jar. We went and raised an adobe ticket and in our case the CSE was able to respond with resolution as not exploitable or the other case will be they will recommend you to upgrade to the latest AEM version and the Uber jar where the fix would have made on the latest Eclipse Jetty Server 9.5x and above.

Avatar

Community Advisor

@jayv25585659 

The AEM Uber jar includes all AEM APIs as a single dependency in your Maven project’s pom.xml. It is always a best practice to include the Uber Jar as a single dependency instead of including individual AEM API dependencies. When upgrading the code base, change the version of the Uber Jar to point to the target version of AEM. If your project was developed on a version of AEM before the existence of the Uber Jar, remove all individual AEM API dependencies. Replace them with a single inclusion of the Uber Jar for the target version of AEM. Recompile the code base against the new version of the Uber Jar. Update any deprecated APIs or methods so they are compatible with the target version of AEM.