Adobe patches important flaw in LiveCycle Data Services

19.08.2015
Adobe Systems released a security patch for LiveCycle Data Services, a development tool used by businesses to synchronize data between back-end servers and rich Internet applications built with Adobe Flex or AIR.

The hotfix is available for LiveCycle Data Services 3.0.0, 4.5.1, 4.6.2 and 4.7.0 and addresses a vulnerability that could lead to information disclosure.

The flaw is tracked as CVE-2015-3269 in the Common Vulnerabilities and Exposures database and is rated important by Adobe.

The issue is associated with parsing crafted XML entities and falls into a class of vulnerabilities known as XML External Entity (XXE).

According to OWASP, a non-profit organization that produces guidelines for preventing Web flaws, XXE vulnerabilities occur when an application parses XML input that contains a reference to an external entity.

The attack can be used to read sensitive files from a server, scan internal ports, access the server's local network and more. The impact depends on the type of extracted data. In some cases, such information could allow a hacker to plan or execute a more sophisticated attack.

Adobe has also published a support article with detailed information on applying the patch to an affected LiveCycle Data Services application. The steps involve replacing a file called flex-messaging-core.jar and turning the allow-xml-external-entity-expansion option to false in the configuration file.

Lucian Constantin