Server-side request forgery (SSRF) vulnerability in BlazeDS

Adobe has been notified of an SSRF vulnerability (CVE-2015-5255) in BlazeDS. The fix lives in the flex-messaging-core.jar file; to apply it to the BlazeDS distributions embedded in LiveCycle Data Services (LCDS), Adobe has released a patch containing an updated flex-messaging-core.jar.

Perform the following steps to obtain and apply the patch:

  1. Patches are available for the following LCDS versions. See the Adobe Security Bulletin for more information and to download the patch for your LCDS version.

    • LCDS 3.0.0.354175
    • LCDS 3.1.0.354180
    • LCDS 4.5.1.354177
    • LCDS 4.6.2.354178
    • LCDS 4.7.0.354178
  2. Navigate to the patch directory and copy the flex-messaging-core.jar file.

  3. Replace the flex-messaging-core.jar file in your LCDS application with the file copied in step 2.

  4. Edit the services-config.xml file in your LCDS application. Add the property allow-xml-doctype-declaration under channels/channel-definition/properties/serialization and set its value to false. For example:

    <services-config>
      <channels>
        <channel-definition ...>
          <properties>
            <serialization>
              <allow-xml-doctype-declaration>false</allow-xml-doctype-declaration>
            </serialization>
          </properties>
        </channel-definition>
      </channels>
    </services-config>

Note:

If you see the following error after applying the patch, the XML parser in use does not support the disallow-doctype-decl feature. In that case, update to an XML parser that supports it, for example Xerces 2.9.1.

Error deserializing XML type jaxp_feature_not_supported:
Feature "http://apache.org/xml/features/disallow-doctype-decl" is not supported
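The following is an added example, not code from the Adobe page or from BlazeDS itself. It shows what step 4 and the Note above amount to at the parser level: setting allow-xml-doctype-declaration to false makes the deserializer enable the disallow-doctype-decl feature, so an XML-typed AMF value carrying a DOCTYPE with an external entity (the SSRF vector) is rejected before any entity is fetched, and a JAXP parser that does not implement the feature fails at setFeature, which is the jaxp_feature_not_supported condition. The payload, the internal URL, and the class and method names are constructed for illustration.

```java
import java.io.StringReader;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class DoctypeCheck {

    // The JAXP feature named in the Note's error message.
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    // Constructed sample (not a real captured message): an XML value that
    // smuggles a DOCTYPE with an external entity pointing at an internal host.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE x [<!ENTITY xxe SYSTEM \"http://internal.example/admin\">]>\n"
        + "<x>&xxe;</x>";

    // Hypothetical helper: builds a parser with DOCTYPE declarations disallowed.
    // This mirrors the effect of allow-xml-doctype-declaration = false.
    // On a parser that does not implement the feature, setFeature throws
    // ParserConfigurationException instead of silently ignoring the request.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(DISALLOW_DOCTYPE, true);
        return factory.newDocumentBuilder();
    }

    // Returns true if the payload was rejected because of its DOCTYPE,
    // false if the parser accepted it (i.e. the entity would have been resolved).
    static boolean rejectsDoctype(DocumentBuilder builder, String xml) {
        try {
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            System.out.println("accepted (unsafe): " + doc.getDocumentElement().getNodeName());
            return false;
        } catch (SAXParseException e) {
            // Xerces reports the DOCTYPE itself as the error; no network access happens.
            System.out.println("rejected: " + e.getMessage());
            return true;
        } catch (Exception e) {
            System.out.println("parse failed for another reason: " + e);
            return false;
        }
    }

    public static void main(String[] args) {
        DocumentBuilder builder;
        try {
            builder = hardenedBuilder();
        } catch (ParserConfigurationException e) {
            // Same situation as the Note: the feature is unsupported, upgrade the parser.
            System.err.println("Feature " + DISALLOW_DOCTYPE + " is not supported; upgrade Xerces");
            return;
        }
        rejectsDoctype(builder, PAYLOAD);
    }
}
```

Run it on the JDK's bundled Xerces and the payload is rejected with a message about the DOCTYPE being disallowed; run it against a JAXP implementation without the feature and the program exits at hardenedBuilder(), which is the condition the Note tells you to fix by upgrading the parser.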
