Adobe patches important flaw in LiveCycle Data Services

The vulnerability could be exploited to extract sensitive information from servers

XXE vulnerabilities allow reading sensitive files from servers

Big Data

Credit: IDGNS

Adobe Systems released a security patch for LiveCycle Data Services, a development tool used by businesses to synchronize data between back-end servers and rich Internet applications built with Adobe Flex or AIR.

The hotfix is available for LiveCycle Data Services 3.0.0, 4.5.1, 4.6.2 and 4.7.0 and addresses a vulnerability that could lead to information disclosure.

The flaw is tracked as CVE-2015-3269 in the Common Vulnerabilities and Exposures database and is rated important by Adobe.

The issue is associated with parsing crafted XML entities and falls into a class of vulnerabilities known as XML External Entity (XXE).

According to OWASP, a non-profit organization that produces guidelines for preventing Web flaws, XXE vulnerabilities occur when an application parses XML input that contains a reference to an external entity.

The attack can be used to read sensitive files from a server, scan internal ports, access the server's local network and more. The impact depends on the type of extracted data. In some cases, such information could allow a hacker to plan or execute a more sophisticated attack.

Adobe has also published a support article with detailed information on applying the patch to an affected LiveCycle Data Services application. The steps involve replacing a file called flex-messaging-core.jar and turning the allow-xml-external-entity-expansion option to false in the configuration file.

Why is Apple letting Macs rot on the tree?
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies