Adobe Security Bulletin

Security Update Available for LiveCycle Data Services

Release date: November 17, 2015

Vulnerability identifier: APSB15-30

Priority: See table below

CVE number: CVE-2015-5255

Platform: All Platforms

Summary

Adobe has released a security update for LiveCycle Data Services. This update includes an updated version of Apache™ BlazeDS that resolves an important server-side request forgery vulnerability. Adobe recommends users apply the available updates using the instructions provided in the "Solution" section below.

Affected Versions

Product

Affected Versions

Platform

LiveCycle Data Services

4.7, 4.6.2, 4.5, 3.1.x, 3.0.x

Windows, Macintosh and Unix

Solution

Adobe categorizes this hotfix with the following priority rating and recommends users apply the relevant patch available below using the instructions provided in this KB article:

Product

Updated Versions

Platform

Priority

LiveCycle Data Services

4.7.0.354178

Windows, Macintosh and Unix

2

 

4.6.2.354178

Windows, Macintosh and Unix

2

 

4.5.1.354177

Windows, Macintosh and Unix

2

 

3.1.0.354180

Windows, Macintosh and Unix

2

 

3.0.0.354175

Windows, Macintosh and Unix

2

Updates

Version

File Contents

Checksum (SHA1)

4.7.0.354178

flex-messaging-core.jar

1630ab025c94b9cd17eb6c08c8d3c03e8c3b476d

 

 

 

4.6.2.354178

flex-messaging-core.jar

13913aeeab44cca926311d69beab7144acd5cd69

 

 

 

4.5.1.354177

flex-messaging-core.jar

1a7caded7b92da7f7a339b4708a70a6bc0c38a0c

 

 

 

3.1.0.354180

flex-messaging-core.jar

e90dc9153729395887096751d37d386a66e96230

 

 

 

3.0.0.354175

flex-messaging-core.jar

0b6e26f5f7a70c524bdd56642a2a3201dc0a3687

Download

Download

Vulnerability Details

This update resolves an issue with the parsing of crafted XML documents that could expose affected systems to server side request forgery attacks (CVE-2015-5255).

Acknowledgments

Adobe would like to thank James Kettle of PortSwigger Web Security for reporting this issue.

 Adobe

Get help faster and easier

New user?

Adobe MAX 2024

Adobe MAX

The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX 2024

Adobe MAX

The Creativity Conference

Oct 14–16 Miami Beach and online