Adobe has been notified of an XML External Entity (XXE) vulnerability (CVE-2015-3269) in BlazeDS. To fix the vulnerability retrospectively in BlazeDS distributions embedded in LiveCycle Data Services (LCDS), Adobe has released a patch that includes fixes in the flex-messaging-core.jar file.
Patches are available for the following LCDS versions. See Adobe Security Bulletin for more information and to download the patch for your LCDS version.
- LCDS 3.0.0.354170
- LCDS 3.1.0.354173
- LCDS 4.5.1.354169
- LCDS 4.6.2.354169
- LCDS 4.7.0.354169
Edit the services-config.xml file of your LCDS application and set the allow-xml-external-entity-expansion property to false. The default value is true.
The property belongs under channels/channel-definition/properties/serialization. For example:
<services-config>
    <channels>
        <channel-definition ...>
            <properties>
                <serialization>
                    <allow-xml-external-entity-expansion>false</allow-xml-external-entity-expansion>
                </serialization>
            </properties>
        </channel-definition>
    </channels>
</services-config>
Note:
The default value true is kept only for backward compatibility; set the property to false so that the XML parser is configured to disable entity expansion, as explained in XML External Entity (XXE) Processing.
Note:
After applying the patch, if you encounter the following error, it means that your XML parser does not support the external-general-entities feature. In that case, update your XML parser (for example, to Xerces 2.9.1).
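The note above describes what the patched flex-messaging-core.jar does underneath the LCDS setting: it asks the JAXP/SAX parser to turn off the external-general-entities feature, and a parser that does not recognise that feature fails. The following Java example is added here to illustrate that mechanism; it is not Adobe's or BlazeDS's code. It builds a DOM parser with the SAX and Xerces feature URIs disabled, reports which of those features the JVM's parser actually recognises (the diagnostic you would run before blaming the patch), and parses a constructed document whose external entity points at a deliberately unresolvable placeholder URL. The class and method names are the author's own choices.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

/** Added example: hardening a JAXP DOM parser against XXE and checking feature support. */
public class XxeHardenedParser {

    // Standard SAX2 feature URIs (recognised by Xerces and the JDK's built-in parser).
    static final String EXTERNAL_GENERAL_ENTITIES =
        "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER_ENTITIES =
        "http://xml.org/sax/features/external-parameter-entities";
    // Xerces-specific: do not fetch an external DTD referenced by the DOCTYPE.
    static final String LOAD_EXTERNAL_DTD =
        "http://apache.org/xml/features/nonvalidating/load-external-dtd";
    // Xerces-specific and the strongest setting: reject any DOCTYPE outright.
    // Not enabled below only because the sample document needs a DOCTYPE to show the point.
    static final String DISALLOW_DOCTYPE_DECL =
        "http://apache.org/xml/features/disallow-doctype-decl";

    /** Returns true if the JVM's default parser recognises the given feature URI. */
    public static boolean parserSupportsFeature(String featureUri) {
        try {
            DocumentBuilderFactory.newInstance().setFeature(featureUri, false);
            return true;
        } catch (ParserConfigurationException e) {
            // Thrown for an unknown or unsupported feature: the situation the tech note
            // describes, where the parser must be updated (e.g. to Xerces 2.9.1).
            return false;
        }
    }

    /** Builds a DocumentBuilder that will neither fetch external entities nor external DTDs. */
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Each call throws ParserConfigurationException if the parser cannot honour it,
        // so an unsupported feature fails loudly at configuration time, never silently.
        factory.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
        factory.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
        factory.setFeature(LOAD_EXTERNAL_DTD, false);
        factory.setXIncludeAware(false);
        return factory.newDocumentBuilder();
    }

    /** Parses the document and returns the text content of its root element. */
    public static String rootText(DocumentBuilder builder, String xml) throws Exception {
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        for (String feature : new String[] {
                EXTERNAL_GENERAL_ENTITIES, EXTERNAL_PARAMETER_ENTITIES,
                LOAD_EXTERNAL_DTD, DISALLOW_DOCTYPE_DECL }) {
            System.out.println((parserSupportsFeature(feature) ? "supported  " : "UNSUPPORTED")
                + "  " + feature);
        }

        // Constructed sample: the entity reference points at a placeholder host that does not
        // resolve, so a parser that tried to fetch it would fail rather than leak anything.
        String sample =
            "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE r [ <!ENTITY ext SYSTEM \"http://example.invalid/external.txt\"> ]>\n"
            + "<r>&ext;</r>";

        // With external general entities disabled the reference is skipped instead of fetched,
        // so the root element's text stays empty and no network or file access occurs.
        String text = rootText(newHardenedBuilder(), sample);
        System.out.println("root text length after hardened parse: " + text.length());
    }
}
```

Run the class with the JDK's default parser first and then with the Xerces version bundled with your LCDS deployment on the same classpath; a line marked UNSUPPORTED for the external-general-entities feature is the condition the tech note's error corresponds to.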