Sensitive data kept in memory 

Issue date: 29-04-2019
Affects versions: 13.0, 12.6, 11.2


Affected Product Version(s)

This vulnerability affects all versions of both CMS and delivery applications based on Bloomreach Experience Manager prior to 11.2.12, 12.6.2 and 13.0.1.




The credentials for a logged-in user were held in memory unnecessarily. This was accessible to code running in the CMS or site, and could be leaked out of the process via a debugger. This vulnerability could only be exploited by a highly-privileged administrator with access to deploy code and attach a debugger to a running JVM process. This has now been secured by holding only a hash of the user's password, using the hash algorithm that is configured to use for persistent credential storage and seeded with a random key valid only for the duration of the JVM system process.

Note that an additional step has been taken to clear the character array used to store the password in the credentials object used for repository login. This may have side effects for customer test code that reuses the same credentials object for multiple logins, across startup/shutdown of a repository, for example in unit tests which create and destroy the repository for each test. Such test code must be modified to instantiate 
a new credentials object for each login, or at least per new repository instance.


Every CMS customer is strongly advised to upgrade as soon as possible to the latest CMS maintenance release as indicated above, or higher. This can be done by simply incrementing the version number of the parent POM for the implementation project.