XML External Entity (XXE) Vulnerability in BlazeDS

Adobe has been notified of an XML External Entity (XXE) vulnerability (CVE-2015-3269) in BlazeDS. To fix the vulnerability retrospectively in BlazeDS distributions embedded in LiveCycle Data Services (LCDS), Adobe has released a patch that includes fixes in the flex-messaging-core.jar file.

Perform the following steps to obtain and apply the patch:

  1. Patches are available for the following LCDS versions. See Adobe Security Bulletin for more information and to download the patch for your LCDS version.

    • LCDS 3.0.0.354170
    • LCDS 3.1.0.354173
    • LCDS 4.5.1.354169
    • LCDS 4.6.2.354169
    • LCDS 4.7.0.354169
  2. Navigate to the patch directory and copy the flex-messaging-core.jar file.

  3. Replace the flex-messaging-core.jar file in your LCDS application with the file copied in step 2.

  4. Edit the services-config.xml file in your LCDS application to specify the value of the allow-xml-external-entity-expansion property as false. The default value is true.

    Also, add the property at channels/channel-definition/properties/serialization. For example:

    <services-config>
      <channels>
        <channel-definition ...>
          <properties>
            <serialization>
              <allow-xml-external-entity-expansion>false</allow-xml-external-entity-expansion>
            </serialization>
          </properties>
        </channel-definition>
      </channels>
    </services-config>

    Note:

    The default value (true) preserves backward compatibility and must be turned off: setting the property to false configures the XML parser to disable entity expansion, as explained in XML External Entity (XXE) Processing.

Note:

After applying the patch, if you encounter the following error, it means that your XML parser does not support the external-general-entities feature. In that case, update your XML parser to a version that supports it, such as Xerces 2.9.1.

Error deserializing XML type jaxp_feature_not_supported: Feature "http://xml.org/sax/features/external-general-entities" is not supported
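The following added example (illustrative code, not part of BlazeDS, LCDS or the patch) shows what step 4 and the note above amount to at the JAXP level: the same SAX feature named in the error message is switched off on a DocumentBuilderFactory, and a parser that cannot honour the feature is refused rather than used with expansion still enabled. The class name, the Mode enum, the temp-file marker and the sample document are all constructed for the demo; the two extra features (external-parameter-entities and disallow-doctype-decl) are additional hardening beyond the single property the page configures.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Illustrative example; not code from BlazeDS, LCDS or the Adobe patch.
public class XxeHardeningDemo {

    // The SAX feature named in the "jaxp_feature_not_supported" error on the page.
    static final String EXTERNAL_GENERAL_ENTITIES =
        "http://xml.org/sax/features/external-general-entities";
    // Additional hardening beyond the page's property (assumed good practice).
    static final String EXTERNAL_PARAMETER_ENTITIES =
        "http://xml.org/sax/features/external-parameter-entities";
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    // Constructed modes: DEFAULT mirrors allow-xml-external-entity-expansion=true,
    // NO_EXTERNAL_ENTITIES mirrors =false, NO_DOCTYPE goes one step further.
    enum Mode { DEFAULT, NO_EXTERNAL_ENTITIES, NO_DOCTYPE }

    static DocumentBuilder builder(Mode mode) throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        if (mode != Mode.DEFAULT) {
            try {
                dbf.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
                dbf.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
            } catch (ParserConfigurationException e) {
                // JAXP-level counterpart of the note's error: the parser on the
                // classpath cannot honour the feature. Fail closed and upgrade
                // the parser (the page names Xerces 2.9.1) instead of silently
                // running with entity expansion still enabled.
                throw new ParserConfigurationException(
                    "XML parser does not support " + e.getMessage()
                    + "; upgrade the parser before deploying");
            }
            dbf.setXIncludeAware(false);
            dbf.setExpandEntityReferences(false);
        }
        if (mode == Mode.NO_DOCTYPE) {
            // Rejecting any DOCTYPE removes the entity declaration altogether.
            dbf.setFeature(DISALLOW_DOCTYPE, true);
        }
        return dbf.newDocumentBuilder();
    }

    // Parses the document and reports what the root element's text resolved to.
    static String parseMessage(String xml, Mode mode) {
        try {
            Document doc = builder(mode).parse(new InputSource(new StringReader(xml)));
            return "parsed, <msg> text = \"" + doc.getDocumentElement().getTextContent() + "\"";
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        } catch (Exception e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed marker file that the sample document's external entity points at.
        Path marker = Files.createTempFile("xxe-demo", ".txt");
        Files.write(marker, "MARKER-CONTENT".getBytes(StandardCharsets.UTF_8));
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE msg [<!ENTITY ext SYSTEM \"" + marker.toUri() + "\">]>\n"
            + "<msg>&ext;</msg>";
        try {
            for (Mode mode : Mode.values()) {
                System.out.println(mode + ": " + parseMessage(xml, mode));
            }
        } finally {
            Files.deleteIfExists(marker);
        }
    }
}
```

Run it with a plain `javac`/`java` on a JDK (no extra libraries needed). In DEFAULT mode the entity is resolved and the marker file's content appears as the element text, which is the behaviour the patch's default of true preserves; in NO_EXTERNAL_ENTITIES mode the reference is left unresolved and the element text is empty; in NO_DOCTYPE mode the document is rejected before the entity is ever declared. If the `setFeature` call throws, you are on a parser with the same limitation the note describes, and the right response is to upgrade the parser rather than drop the feature.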