Adobe issued a hotfix to address an XML External Entity (XXE) vulnerability in LiveCycle Data Services (DS).
Adobe LiveCycle Data Services is a framework that simplifies the development of Flex and AIR applications.
The solution provides data-enabling capabilities such as synchronization, paging, conflict management and publish-subscribe messaging.
BlazeDS, a free and open-source server-based Java remoting and web messaging technology, suffers from an XXE vulnerability that can result in information disclosure, said Matthias Kaiser of Code White, who discovered the vulnerability. BlazeDS can be used on its own, but it is also embedded in LiveCycle DS, which is why the LiveCycle product is affected.
The vulnerability affects LiveCycle DS versions 4.7, 4.6.2, 4.5 and 3.0.x for Windows, Mac and Linux.
The fix consists of changes to the flex-messaging-core.jar file. Users should download the patched flex-messaging-core.jar for their product version and replace the existing file in their installation with it.
Adobe classifies the XXE bug as "important" with a priority rating of 3. This means the flaw can be exploited to compromise data security, but it affects a product that has historically not been targeted by malicious actors.
Adobe said there are no attacks leveraging the vulnerability.
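XXE is a parser-configuration problem: a Java XML parser that honours DOCTYPE declarations will resolve external entities named in them. As an added example (not Adobe's or BlazeDS code), the following JAXP configuration refuses such input outright; the sample documents, class and method names are constructed for illustration, and the `file:///` URL is a placeholder.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeHardenedParser {
    // Constructed sample: a DOCTYPE declaring an external entity. A parser that
    // resolves it would pull the referenced resource into the document text.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE msg [<!ENTITY ext SYSTEM \"file:///placeholder/path\">]>\n"
      + "<msg>&ext;</msg>";

    // Constructed sample: ordinary message body with no DOCTYPE.
    static final String SAMPLE_PLAIN = "<msg>hello</msg>";

    // Build a DocumentBuilder that rejects DOCTYPE declarations entirely and,
    // as defence in depth, disables external entities, external DTDs and XInclude.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // JAXP 1.5 properties: forbid all external DTD and schema access.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns the root element's text, or null when the parser refuses the input.
    static String parse(String xml) throws Exception {
        try {
            Document d = hardenedBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement().getTextContent();
        } catch (SAXParseException e) {
            return null; // DOCTYPE present: rejected before any entity is resolved
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain:   " + parse(SAMPLE_PLAIN));
        System.out.println("doctype: " + parse(SAMPLE_WITH_DOCTYPE));
    }
}
```

The plain document parses normally while the DOCTYPE-bearing one is rejected at the declaration, so no external resource is ever fetched.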