Adobe has released a security hotfix to address an XML External Entity (XXE) vulnerability in LiveCycle Data Services (DS).
Adobe LiveCycle Data Services is a framework that simplifies the development of Flex and AIR applications. The solution provides data enabling capabilities such as synchronization, paging, conflict management and publish-subscribe messaging.
Matthias Kaiser of Code White discovered that BlazeDS, a free and open-source server-based Java remoting and web messaging technology, is plagued by an XXE vulnerability (CVE-2015-3269) that can result in information disclosure. While BlazeDS can be used separately, it’s also embedded in LiveCycle DS.
The vulnerability affects LiveCycle DS versions 4.7, 4.6.2, 4.5 and 3.0.x for Windows, Mac and Linux. The flaw has been addressed by Adobe with the release of a hotfix that involves changes in the flex-messaging-core.jar file. Users are advised to download the flex-messaging-core.jar file for their product and replace the file in their installation with the patched version. Patching also involves some minor modifications to the services-config.xml file.
The XXE bug has been classified as “important” with a priority rating of 3. This means that the flaw can be exploited to compromise data security, but it affects a product that has historically not been targeted by malicious actors.
Adobe says it’s not aware of attacks exploiting this vulnerability.
Last week, Adobe released security updates to address a total of 35 vulnerabilities affecting Flash Player. Numerous vulnerabilities have been discovered in Flash Player this year, including several zero-days, and many security experts have advised users to uninstall the application from their computers. However, Adobe seems determined to keep the product and the company has been trying to make it more difficult to exploit.