Adobe patches important flaw in LiveCycle Data Services

The vulnerability could be exploited to extract sensitive information from servers

XXE vulnerabilities allow reading sensitive files from servers

Big Data

Credit: IDGNS

Adobe Systems released a security patch for LiveCycle Data Services, a development tool used by businesses to synchronize data between back-end servers and rich Internet applications built with Adobe Flex or AIR.

The hotfix is available for LiveCycle Data Services 3.0.0, 4.5.1, 4.6.2 and 4.7.0 and addresses a vulnerability that could lead to information disclosure.

The flaw is tracked as CVE-2015-3269 in the Common Vulnerabilities and Exposures database and is rated important by Adobe.

The issue is associated with parsing crafted XML entities and falls into a class of vulnerabilities known as XML External Entity (XXE).

According to OWASP, a non-profit organization that produces guidelines for preventing Web flaws, XXE vulnerabilities occur when an application parses XML input that contains a reference to an external entity.

The attack can be used to read sensitive files from a server, scan internal ports, access the server's local network and more. The impact depends on the type of extracted data. In some cases, such information could allow a hacker to plan or execute a more sophisticated attack.

Adobe has also published a support article with detailed information on applying the patch to an affected LiveCycle Data Services application. The steps involve replacing a file called flex-messaging-core.jar and turning the allow-xml-external-entity-expansion option to false in the configuration file.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Windows 10 annoyances and solutions
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.