Mitigating Spring Framework Vulnerabilities for AEM Forms on JEE
This document provides guidance on addressing two critical Spring Framework vulnerabilities that affect AEM Forms on JEE:
- : Path traversal vulnerability in functional web frameworks
- : Spring Framework DataBinder Case Sensitive Match Exception
Affected Versions
- Adobe Experience Manager 6.5 Forms on JEE
- Versions AEM 6.5 Forms GA to 6.5.22.0
Resolution
Version-Specific Solutions
1. To install this fix, follow the instructions to install the Service Pack on AEM Forms on JEE.
2. Implement the appropriate solution based on your updated version.
Note: AEM Forms officially supports only the six most recent service packs. Users on older versions should first upgrade to the latest service pack and then install the required hotfix.
Deployment Considerations
For Clustered Environments
When working with a clustered deployment:
- Apply JAR file replacements (Step #4) on all nodes in the cluster
- Maintain consistency by using identical JAR versions across all servers
- Complete updates on all nodes before initiating any service restarts
- Implement a coordinated restart strategy to minimize system downtime
For Single Node Environments
When working with a standalone deployment:
- Follow a simplified process as there are no locator servers to manage
- Omit any steps related to locator server configuration or startup
- Complete all other steps as instructed, especially JAR replacements and manifest updates
- Restart your application server after implementing all changes
Manual Mitigation Steps
1. Stop the application servers.
2. Stop the locator servers.
3. Remove Spring JARs from the core EAR:
   - Navigate to [Adobe_Experience_Manager_Forms installation directory]/deploy.
   - Open the adobe-core-<appserver>.ear file using an archive manager tool, where <appserver> can be JBoss, WebLogic, or WebSphere, depending on your environment:
     - For JBoss: navigate to the ear/lib folder and delete the following JAR files:
       - spring-core-<version>.jar
       - spring-web-<version>.jar
     - For WebLogic or WebSphere: delete the following JAR files from the root of the EAR:
       - spring-core-<version>.jar
       - spring-web-<version>.jar
     - For all application servers: at the root level of adobe-core-<appserver>.ear, open the adobe-dscf.jar file and edit the META-INF/MANIFEST.MF file to remove any references to the following JAR files:
       - spring-core-<version>.jar
       - spring-web-<version>.jar
   - Navigate to
4. Replace JAR files from the Geode distribution:
   - Navigate to <Adobe_Experience_Manager_Forms>/lib/caching/lib.
   - Replace the existing JAR files with the updated versions:
     - spring-context-<version>.jar → spring-context-6.1.14.jar
     - spring-beans-<version>.jar → spring-beans-6.1.14.jar
     - spring-core-<version>.jar → spring-core-6.1.14.jar
     - spring-jcl-<version>.jar → spring-jcl-6.1.14.jar
     - spring-web-<version>.jar → spring-web-6.1.14.jar
     To get the newer JAR files, download the spring-6.1.14-jars.zip file from and extract the ZIP file to access the updated Spring Framework JAR files.
   - Update the MANIFEST.MF files in the following JAR files:
     - geode-server-all-<version>.jar
     - gfsh-dependencies.jar
     For each JAR:
     - Open the JAR using an archive manager tool.
     - Locate and extract the META-INF/MANIFEST.MF file.
     - Edit the MANIFEST.MF file in a text editor.
     - Find the "Class-Path" section and update all Spring Framework references:
       - spring-core-<version>.jar to spring-core-6.1.14.jar
       - spring-web-<version>.jar to spring-web-6.1.14.jar
       - spring-context-<version>.jar to spring-context-6.1.14.jar
       - spring-beans-<version>.jar to spring-beans-6.1.14.jar
       - spring-jcl-<version>.jar to spring-jcl-6.1.14.jar
     - Save the modified MANIFEST.MF file.
     - Replace the original MANIFEST.MF in the JAR with your updated version.
     - Save the JAR file.
     Common issues to watch for:
     - Ensure there are no duplicate entries in the manifest.
     - Maintain proper line endings.
     - Verify that all referenced JARs exist in the specified locations.
     Verification steps:
     - Check that the manifest is properly updated.
     - Verify that all Spring dependencies are correctly referenced.
     - Ensure no old version references remain.
     - Test the application to confirm there are no class loading issues.
   - Navigate to
5. Run the Configuration Manager.
6. Restart the servers:
   - Start the locator servers using JDK 17.
   - Start the application servers using the same JDK version (JDK 8 or JDK 11) that was previously used.
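The manifest edit in step 4 is easy to get wrong by hand, because jar tooling wraps Class-Path values mid-entry at 72 bytes and a stray duplicate or leftover old version only shows up as a class loading failure later. The following Python script is an added example, not Adobe's or Geode's tooling: it unwraps a MANIFEST.MF, re-points the five Spring artifacts the page lists at 6.1.14, drops duplicate Class-Path entries, re-wraps with CRLF endings, and reports any Spring entry still at an old version. The manifest content is assumed to be ASCII, and the sample manifest at the bottom is constructed for illustration.

```python
import re
SPRING_VERSION = "6.1.14"
# Five artifacts the page re-points; the digit after the hyphen keeps spring-webmvc-*.jar etc. untouched.
SPRING_RE = re.compile(r"(spring-(?:context|beans|core|jcl|web))-\d[\w.\-]*?\.jar")

def unwrap_manifest(text):
    """Join JAR manifest continuation lines (a leading space marks one)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines

def wrap_manifest(lines, width=69):
    """Re-wrap to the JAR spec's 72-byte line limit, CRLF-terminated (ASCII assumed)."""
    out = []
    for line in lines:
        out.append(line[:width])
        for start in range(width, len(line), width):
            out.append(" " + line[start:start + width])
    return "\r\n".join(out) + "\r\n"

def rewrite_class_path(manifest_text):
    """Point Spring Class-Path entries at SPRING_VERSION and drop duplicates; return (text, changes)."""
    lines, changes = unwrap_manifest(manifest_text), []
    for i, line in enumerate(lines):
        if not line.startswith("Class-Path:"):
            continue
        kept = []
        for entry in line[len("Class-Path:"):].split():
            new = SPRING_RE.sub(lambda m: f"{m.group(1)}-{SPRING_VERSION}.jar", entry)
            if new != entry:
                changes.append(f"{entry} -> {new}")
            if new not in kept:  # a duplicate entry is one of the page's "common issues"
                kept.append(new)
        lines[i] = "Class-Path: " + " ".join(kept)
    return wrap_manifest(lines), changes

def stale_spring_refs(manifest_text):
    """Verification step: Spring entries still at a version other than SPRING_VERSION."""
    joined = " ".join(unwrap_manifest(manifest_text))
    return [m.group(0) for m in SPRING_RE.finditer(joined)
            if m.group(0) != f"{m.group(1)}-{SPRING_VERSION}.jar"]
# Constructed sample (not a real Geode manifest): wrapped mid-entry, a duplicate spring-core, and spring-webmvc.
SAMPLE_MANIFEST = ("Manifest-Version: 1.0\r\n"
                   "Class-Path: spring-core-5.3.27.jar spring-web-5.3.27.jar spring-context-5\r\n"
                   " .3.27.jar spring-beans-5.3.27.jar spring-jcl-5.3.27.jar spring-core-5.3.2\r\n"
                   " 7.jar spring-webmvc-5.3.27.jar\r\n")
```

Run `stale_spring_refs` on the manifest extracted from each JAR before and after the edit; an empty list after the edit is the "no old version references remain" check from the verification steps.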