Adobe has been notified of an SSRF vulnerability (CVE-2015-5255) in BlazeDS. To fix the vulnerability retrospectively in BlazeDS distributions embedded in LiveCycle Data Services (LCDS), Adobe has released a patch that includes fixes in the flex-messaging-core.jar file.
Patches are available for the following LCDS versions. See the Adobe Security Bulletin for more information and to download the patch for your LCDS version.
- LCDS 220.127.116.114175
- LCDS 18.104.22.1684180
- LCDS 22.214.171.1244177
- LCDS 126.96.36.1994178
- LCDS 188.8.131.524178
Edit the services-config.xml file in your LCDS application. Add the property allow-xml-doctype-declaration under channels/channel-definition/properties/serialization and set its value to false. For example:

```xml
<services-config>
    <channels>
        <channel-definition ...>
            <properties>
                <serialization>
                    <allow-xml-doctype-declaration>false</allow-xml-doctype-declaration>
                </serialization>
            </properties>
        </channel-definition>
    </channels>
</services-config>
```
After applying the patch, if you encounter the following error, it means that your XML parser does not support the disallow-doctype-decl feature. In this case, you need to update your XML parser to one that supports it, for example Xerces 2.9.1.
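The configuration above relies on the underlying JAXP/Xerces parser honouring the disallow-doctype-decl feature; the error described in the previous paragraph is what you get when it does not. The following added example (not part of this bulletin, not BlazeDS or LCDS code) shows how to check whether the parser on your classpath accepts that feature before you roll out the patch, and what the setting does in practice: a document without a DOCTYPE parses normally, while any document carrying a DOCTYPE declaration is rejected before its entities are ever resolved. The feature URI is the standard Xerces one; the class name, method names and the two sample XML strings are constructed for this example.

```java
import java.io.StringReader;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class DoctypeFeatureCheck {

    // Standard Xerces feature: reject any <!DOCTYPE ...> declaration outright.
    // This is the feature the LCDS patch needs the parser to support.
    static final String DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";

    /** Returns true if the JAXP parser on the classpath accepts the feature. */
    static boolean parserSupportsDisallowDoctype() {
        try {
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            factory.setFeature(DISALLOW_DOCTYPE, true);
            return true;
        } catch (ParserConfigurationException e) {
            // Same condition the bulletin describes: the parser does not know the feature.
            return false;
        }
    }

    /** Parses xml with DOCTYPE declarations disallowed; throws SAXException on any DOCTYPE. */
    static Document parseWithoutDoctype(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(DISALLOW_DOCTYPE, true);
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        if (!parserSupportsDisallowDoctype()) {
            System.out.println("Parser does not support disallow-doctype-decl; "
                    + "upgrade the XML parser (for example Xerces 2.9.1).");
            return;
        }

        // Constructed sample inputs (hypothetical payloads, not from the bulletin).
        String plain = "<root><item>ok</item></root>";
        String withDoctype = "<!DOCTYPE root [<!ENTITY e \"x\">]><root>&e;</root>";

        // A document without a DOCTYPE parses as usual.
        Document doc = parseWithoutDoctype(plain);
        System.out.println("plain document parsed, root = "
                + doc.getDocumentElement().getTagName());

        // A document with a DOCTYPE is rejected before any entity is resolved.
        try {
            parseWithoutDoctype(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

Run it with the same JVM and XML parser jars that your LCDS deployment uses (for example with the Xerces jar from the application server on the classpath), since the result depends on which parser implementation JAXP resolves at runtime, not on the JDK alone.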