Adobe Patches XXE Vulnerability in LiveCycle Data Services

Adobe pushed out a hotfix for LiveCycle Data Services patching an XXE vulnerability in BlazeDS.

Adobe is today expected to push a hotfix through to implementations of its LiveCycle Data Services application framework.

The company said the vulnerability, CVE-2015-3269, affects versions 4.7, 4.6.2, 4.5 and 3.0.x on Windows, Macintosh and UNIX systems. Adobe is not aware of public exploits of this flaw, the company said in its advisory. Exploits against this bug could lead to information disclosure, Adobe said.

The hotfix will be pushed directly to LiveCycle Data Services implementations, and will not require a reboot, unlike most patches.

LiveCycle Data Services, the former Flex Data Services, is a development tool sold by Adobe that streamlines development processes, including data and client integration and application deployment.

Specifically, an XML External Entity (XXE) vulnerability was found in BlazeDS, a web-based messaging technology that is available and embedded in LiveCycle. Adobe addressed the vulnerability, which it rated “important,” with a fix in the flex-messaging-core.jar file.

“This hotfix resolves an issue associated with parsing crafted XML entities that could lead to information disclosure,” Adobe said.

XXE vulnerabilities in web applications that parse XML input and can be exploited to leak protected files from the network.

“This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser,” said OWASP in its description of XXE.

Suggested articles