- The LiveCycle Assembler DDX fails to extract the first page from the PDF and returns an error. (Ref# CQ-67111)
- Deserializing byte code into objects could be manipulated into executing custom code, which led to the possibility of Remote Code Execution (RCE) without authentication. (Ref #NPR-9962)
To learn more about the vulnerability and obtain application server-specific patches, see the article Deserialization vulnerability in the Apache commons-collections library.
- Take a backup of the <LiveCycle_root>/deploy folder. It is required if you decide to uninstall the quick fix.
- Stop your application server.
- Extract the QF archive file to your hard drive.
- In the directory named according to the operating system that you are using:
- Windows
Navigate to the appropriate directory on the installation media or folder on your hard disk where you copied the installer, and double-click the lces4_qf_install.exe file.
- (Windows 32-bit) CDROM_Installers\Windows\Disk1\InstData\VM
- (Windows 64-bit) CDROM_Installers\Windows_64Bit\Disk1\InstData\VM
- Linux, Solaris, AIX
Navigate to the appropriate directory, and from a command prompt, type ./lces4_qf_install.bin.
- (Linux) CDROM_Installers/Disk1/InstData/NoVM
- (Solaris) CDROM_Installers/Disk1/InstData/NoVM
- (AIX) CDROM_Installers/Disk1/InstData/VM
This launches an install wizard that guides you through the installation.
- On the Introduction panel, click Next.
- On the Choose Install Folder screen, verify that the default location displayed is correct for your existing installation, or click Browse to select the alternate folder where LiveCycle ES4 SP1 is currently installed, and click Next.
- Read the Quick Fix Patch Summary information and click Next.
- Read the Pre-Installation Summary information and click Install.
- When the installation is complete, click Next to apply the quick fix updates to your installed files.
- The Start Configuration Manager checkbox is selected by default. Click Done to run the Configuration Manager.
To run Configuration Manager later, deselect the Start Configuration Manager option before you click Done. You can start Configuration Manager later using the appropriate script in the [LiveCycle root]/configurationManager/bin directory.
- (JBoss only) If you are using connectors, edit the classpath mentioned in the following files and update the version of commons-collections-3.1.jar with commons-collections-3.2.2.jar:
- Depending on your application server, choose one of the following documents and follow the instructions in the Configuring and Deploying LiveCycle section.
- Restart the server machine.
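
One way to confirm after installation that no commons-collections copy older than 3.2.2 is still deployed or bundled inside an archive. This is an added example, not part of the Adobe quick fix. It assumes the jars keep the `commons-collections-<version>.jar` naming used in the JBoss step above; the function names and the list of archive extensions are choices made for this example.

```python
# Added example (not Adobe code): report commons-collections jars older than 3.2.2.
import io
import os
import re
import sys
import zipfile

FIXED = (3, 2, 2)  # version named in the JBoss classpath step
JAR_RE = re.compile(r"commons-collections-(\d+(?:\.\d+)*)\.jar$")
ARCHIVES = (".ear", ".war", ".rar", ".sar", ".jar")  # assumed container types

def _check(name, where, findings):
    """Record `where` if `name` is a commons-collections jar older than FIXED."""
    m = JAR_RE.search(name)
    if m:
        version = tuple(int(p) for p in m.group(1).split("."))
        if version < FIXED:
            findings.append((where, m.group(1)))

def _scan_archive(data, where, findings, depth=0):
    """Walk a zip-format archive held in memory, recursing into nested ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; nothing to report
    with zf:
        for entry in zf.namelist():
            inner = f"{where}!/{entry}"
            _check(entry, inner, findings)
            if depth < 3 and entry.lower().endswith(ARCHIVES):
                _scan_archive(zf.read(entry), inner, findings, depth + 1)

def find_old_commons_collections(root):
    """Return sorted (location, version) pairs for pre-3.2.2 copies under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            _check(fname, path, findings)
            if fname.lower().endswith(ARCHIVES):
                with open(path, "rb") as fh:
                    _scan_archive(fh.read(), path, findings)
    return sorted(findings)

if __name__ == "__main__":
    for location, version in find_old_commons_collections(sys.argv[1]):
        print(f"{version}\t{location}")
```

Run it with the directory to inspect as its only argument, for example the LiveCycle deploy folder or the application server's deployment directory. An empty result means no matching jar older than 3.2.2 was found under that directory.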
- Open the [LiveCycle root]\patch\<QF_Patch_ID>\FilesAddedDuringServicePack_RemoveOrReplaceToRevert.txt file.
- Delete the files listed in the FilesAddedDuringServicePack_RemoveOrReplaceToRevert.txt file from your LiveCycle ES4 installation.
- Replace the files and folders in the following directories under [LiveCycle root] with the files from the backup copy at [LiveCycle root]\patch\<QF_Patch_ID>\backup_<QF_Patch_ID>\:
- After restoring the [LiveCycle root]\configurationManager directory, delete the EAR files in the [LiveCycle root]\configurationManager\export directory.
- (JBoss only) Perform the following steps:
- Stop the JBoss Application server.
- Clear the Work and Temp directories.
- Restart the JBoss Application server.
- Run LiveCycle Configuration Manager (LCM) to reconfigure and redeploy your LiveCycle system.
- (Optional) Delete the [LiveCycle root]\patch\<QF_Patch_ID> directory.