A VMware update addresses an information disclosure problem caused by an Apache Flex BlazeDS vulnerability.
An XML External Entity (XXE) vulnerability in Flex BlazeDS, a component used by several of the company’s products, can be exploited by a remote attacker to make a server disclose information by sending it a specially crafted XML request, VMware said in its advisory.
The flaw affects VMware vCenter Server 5.0, 5.1 and 5.5, vCloud Director 5.5 and 5.6, and Horizon View 5.0 and 6.0. The issue has been resolved with the release of VMware vCenter Server 5.0u3e, 5.1u3b and 5.5u3, vCloud Director 5.5.3 and 5.6.4, and Horizon View 5.3.4 and 6.1, according to a VMware post. vCenter Server 6.0 does not suffer from the issue.
The Apache Flex BlazeDS vulnerability (CVE-2015-3269), which exists in the BlazeDS Remoting/AMF protocol implementation, was discovered this past August by Matthias Kaiser of Code White, who published a blog post detailing the issue and ways to exploit it.
“When receiving XML encoded AMF messages containing DTD entities, the default XML parser configuration allows expanding of entities to local resources. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected,” the Apache Software Foundation said in an advisory.
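The parser behaviour the advisory describes is the stock JAXP default: a DOCTYPE in the request may declare an external entity, and the parser resolves it against the local filesystem before the application ever sees the message. The following Java program is an added illustration, not code from the article, from Apache Flex or from VMware. It builds a constructed payload in the shape of an XML-encoded message (the `amfx` and `body` element names are illustrative and do not reproduce the real AMFX schema), points the entity at a temporary file standing in for a protected resource, and parses it once with a default `DocumentBuilderFactory` and once with a hardened one that refuses any DOCTYPE. The feature URIs are the standard Xerces/JAXP ones.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Constructed attacker payload: a DTD declaring an external general entity
    // that points at a local file, referenced from inside the message body.
    // Element names are illustrative, not the real AMFX format.
    static String payload(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE amfx [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
             + "<amfx><body>&xxe;</body></amfx>";
    }

    // Default JAXP configuration: DTDs are processed and external entities
    // are fetched and inlined, which is exactly the vulnerable behaviour.
    static DocumentBuilder defaultBuilder() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened configuration: reject any DOCTYPE outright (the one setting that
    // closes XXE completely), and as defence in depth switch off external
    // entity and DTD loading, XInclude and entity expansion.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse the message and return whatever ended up inside <body>.
    static String bodyText(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getElementsByTagName("body").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a protected local resource.
        Path secret = Files.createTempFile("secret", ".txt");
        Files.write(secret, "db-password=hunter2".getBytes(StandardCharsets.UTF_8));
        String xml = payload(secret);

        // 1. Default parser: the file contents are inlined into the parsed message
        //    and would be echoed back in any response that reflects the body.
        System.out.println("default  : " + bodyText(defaultBuilder(), xml));

        // 2. Hardened parser: parsing fails on the DOCTYPE before any entity
        //    is resolved, so the file is never opened.
        try {
            bodyText(hardenedBuilder(), xml);
            System.out.println("hardened : unexpectedly parsed");
        } catch (SAXParseException e) {
            System.out.println("hardened : rejected (" + e.getMessage() + ")");
        }
        Files.deleteIfExists(secret);
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo`; the first line prints the temporary file's contents, the second reports the rejected DOCTYPE. The same feature flags apply to `SAXParserFactory` and, with its own property names, to `XMLInputFactory`, so a server that accepts XML on more than one code path needs each parser hardened, not just the one the report named.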
Apache patched the security hole with the release of Flex BlazeDS 4.7.1. All prior versions suffer from the issue.
Flex BlazeDS is an open-source, server-side Java remoting and web messaging technology originally developed by Adobe. The project was donated to the Apache Software Foundation a few years ago, but Adobe continues to use it in its products.