Product
Last updated on
Feb 15, 2022
Security Update Available for LiveCycle Data Services
Release date: November 17, 2015
Vulnerability identifier: APSB15-30
Priority: See table below
CVE number: CVE-2015-5255
Platform: All Platforms
Summary
Adobe has released a security update for LiveCycle Data Services. This update includes an updated version of Apache™ BlazeDS that resolves an important server-side request forgery vulnerability. Adobe recommends users apply the available updates using the instructions provided in the "Solution" section below.
Affected Versions
|
|
Affected Versions |
Platform |
|
LiveCycle Data Services |
4.7, 4.6.2, 4.5, 3.1.x, 3.0.x |
Windows, Macintosh and Unix |
Solution
Adobe categorizes this hotfix with the following priority rating and recommends users apply the relevant patch available below using the instructions provided in this KB article:
Updates
|
Version |
File Contents |
Checksum (SHA1) |
|
4.7.0.354178 |
flex-messaging-core.jar |
1630ab025c94b9cd17eb6c08c8d3c03e8c3b476d |
|
|
|
|
|
4.6.2.354178 |
flex-messaging-core.jar |
13913aeeab44cca926311d69beab7144acd5cd69 |
|
|
|
|
|
4.5.1.354177 |
flex-messaging-core.jar |
1a7caded7b92da7f7a339b4708a70a6bc0c38a0c |
|
|
|
|
|
3.1.0.354180 |
flex-messaging-core.jar |
e90dc9153729395887096751d37d386a66e96230 |
|
|
|
|
|
3.0.0.354175 |
flex-messaging-core.jar |
0b6e26f5f7a70c524bdd56642a2a3201dc0a3687 |
Vulnerability Details
This update resolves an issue with the parsing of crafted XML documents that could expose affected systems to server side request forgery attacks (CVE-2015-5255).
Acknowledgments
Adobe would like to thank James Kettle of PortSwigger Web Security for reporting this issue.
Adobe MAX
The Creativity Conference
Oct 14–16 Miami Beach and online
Adobe MAX
The Creativity Conference
Oct 14–16 Miami Beach and online