Adobe has been notified of an XML External Entity (XXE) vulnerability (CVE-2015-3269) in BlazeDS. To fix the vulnerability in the BlazeDS distribution embedded in LiveCycle Data Services (LCDS), Adobe has released a patch containing a fixed flex-messaging-core.jar file.
Patches are available for the following LCDS versions. See the Adobe Security Bulletin for details and to download the patch for your LCDS version.
- LCDS 188.8.131.524170
- LCDS 184.108.40.2064173
- LCDS 220.127.116.114169
- LCDS 18.104.22.1684169
- LCDS 22.214.171.1244169
Edit the services-config.xml file in your LCDS application and set the allow-xml-external-entity-expansion property to false. The default value is true.
The property belongs under the serialization properties of the channel definition, at channels/channel-definition/properties/serialization, so add it to each channel definition you use. For example:

```xml
<services-config>
    <channels>
        <channel-definition ...>
            <properties>
                <serialization>
                    <allow-xml-external-entity-expansion>false</allow-xml-external-entity-expansion>
                </serialization>
            </properties>
        </channel-definition>
    </channels>
</services-config>
```

The default value of true is kept only for backward compatibility; it leaves the XML parser resolving external entities, so it must be set to false to have BlazeDS configure the parser to disable entity expansion, as explained in XML External Entity (XXE) Processing.
After applying the patch, if you encounter the following error, it means that the XML parser on your classpath does not support the SAX external-general-entities feature (http://xml.org/sax/features/external-general-entities), which the fix uses to turn entity expansion off. Update the parser to one that supports this feature, such as Xerces 2.9.1 or later.
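What turning the property off does on the parser side, and the unsupported-feature failure described above, as an added Java example that is not Adobe or BlazeDS code: it sets the SAX external-entity features on a JAXP DocumentBuilderFactory the way a hardened deserializer would, parses a constructed XXE payload with expansion on and off, and converts the ParserConfigurationException that an old parser throws from setFeature into the "update your parser" diagnosis. The class name, the payload and the file path it references are assumptions made for illustration.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

/**
 * Added example, not Adobe/BlazeDS code. Demonstrates the parser features
 * behind allow-xml-external-entity-expansion=false and the failure mode
 * of a parser that does not support them.
 */
public class XxeParserCheck {

    static final String EXTERNAL_GENERAL_ENTITIES =
        "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER_ENTITIES =
        "http://xml.org/sax/features/external-parameter-entities";

    // Constructed sample document (not from the page): a classic XXE payload
    // that tries to pull a local file into the <message> element. The path
    // is deliberately harmless; the point is whether the entity is resolved.
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE message [\n"
      + "  <!ENTITY ext SYSTEM \"file:///etc/hostname\">\n"
      + "]>\n"
      + "<message>&ext;</message>";

    /**
     * Parses xml with external entity expansion switched on or off and
     * returns the text content of the document element.
     */
    static String parse(String xml, boolean allowExternalEntityExpansion)
            throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        try {
            // false = the fix: the parser skips external general and
            // parameter entities instead of fetching them.
            factory.setFeature(EXTERNAL_GENERAL_ENTITIES, allowExternalEntityExpansion);
            factory.setFeature(EXTERNAL_PARAMETER_ENTITIES, allowExternalEntityExpansion);
        } catch (ParserConfigurationException e) {
            // The situation the text describes: the JAXP parser on the
            // classpath does not know the feature. Fail loudly rather than
            // continue with expansion enabled; the remedy is a newer parser
            // such as Xerces 2.9.1 or later.
            throw new IllegalStateException(
                "XML parser does not support " + e.getMessage()
              + "; update to a parser that does (e.g. Xerces 2.9.1)", e);
        }
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Expansion off: the entity reference is not resolved, so no file
        // content reaches the element.
        System.out.println("expansion off: '" + parse(XXE_PAYLOAD, false) + "'");
        // Expansion on (the pre-patch default): the file contents are read
        // into the element, which is exactly the XXE read primitive.
        System.out.println("expansion on : '" + parse(XXE_PAYLOAD, true) + "'");
    }
}
```

Compile and run with `javac XxeParserCheck.java && java XxeParserCheck`. On a current JDK the bundled parser accepts both features, so the first line prints an empty element and the second prints the file contents; placing an old Xerces on the classpath ahead of it reproduces the unsupported-feature exception. Where an application never needs DTDs at all, the stricter option is to reject them entirely with the Xerces feature `http://apache.org/xml/features/disallow-doctype-decl` set to true, which also removes entity-expansion denial-of-service payloads.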