Patches are available for the following LCDS versions. See Adobe Security Bulletin for more information and to download the patch for your LCDS version.
- LCDS 3.0.0.354170
- LCDS 3.1.0.354173
- LCDS 4.5.1.354169
- LCDS 4.6.2.354169
- LCDS 4.7.0.354169
Adobe has been notified of an XML External Entity (XXE) vulnerability (CVE-2015-3269) in BlazeDS. To fix the vulnerability retrospectively in BlazeDS distributions embedded in LiveCycle Data Services (LCDS), Adobe has released a patch that includes fixes in the flex-messaging-core.jar file.
Perform the following steps to obtain and apply the patch:
1. Download the patch for your LCDS version from the Adobe Security Bulletin (the patched LCDS versions are listed above).
2. Navigate to the patch directory and copy the flex-messaging-core.jar file.
3. Replace the flex-messaging-core.jar file in your LCDS application with the file copied in step 2.
4. Edit the services-config.xml file in your LCDS application and set the allow-xml-external-entity-expansion property to false (the default value is true). Add the property under channels/channel-definition/properties/serialization. For example:
    <services-config>
        <channels>
            <channel-definition ...>
                <properties>
                    <serialization>
                        <allow-xml-external-entity-expansion>false</allow-xml-external-entity-expansion>
                    </serialization>
                </properties>
            </channel-definition>
        </channels>
    </services-config>
The default value, true, is kept for backward compatibility and must be changed to false so that the XML parser is configured to disable external entity expansion, as explained in XML External Entity (XXE) Processing.
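Because the patched property defaults to true, a channel definition that simply omits it remains exposed. The following script is an added example (not Adobe's code or documentation) that audits a services-config.xml and reports, per channel definition, whether the property is explicitly false, explicitly true, or absent; the sample configuration and channel ids in it are constructed.

```python
# Added example: audit services-config.xml for the BlazeDS/LCDS XXE setting.
# The property name and its location follow the advisory; the sample
# configuration, channel ids and function names below are constructed.
import xml.etree.ElementTree as ET

PROP = "allow-xml-external-entity-expansion"

# Constructed sample: one patched channel, one explicitly left enabled,
# one that omits the property and therefore falls back to the default (true).
SAMPLE_CONFIG = """<services-config>
    <channels>
        <channel-definition id="my-amf">
            <properties>
                <serialization>
                    <allow-xml-external-entity-expansion> false </allow-xml-external-entity-expansion>
                </serialization>
            </properties>
        </channel-definition>
        <channel-definition id="my-amf-legacy">
            <properties>
                <serialization>
                    <allow-xml-external-entity-expansion>true</allow-xml-external-entity-expansion>
                </serialization>
            </properties>
        </channel-definition>
        <channel-definition id="my-http">
            <properties/>
        </channel-definition>
    </channels>
</services-config>
"""


def audit_xxe_setting(config_xml: str) -> dict:
    """Map each channel-definition id to 'disabled' (explicit false),
    'enabled' (explicit true or any other value) or 'default (enabled)'
    (property absent, so the backward-compatible default of true applies).
    Surrounding whitespace in the value is tolerated, as in the advisory's example."""
    root = ET.fromstring(config_xml)  # the config is a local file, not untrusted input
    result = {}
    for chan in root.iterfind("./channels/channel-definition"):
        cid = chan.get("id", "<no id>")
        node = chan.find(f"./properties/serialization/{PROP}")
        if node is None:
            result[cid] = "default (enabled)"
        elif (node.text or "").strip().lower() == "false":
            result[cid] = "disabled"
        else:
            result[cid] = "enabled"
    return result


def unsafe_channels(config_xml: str) -> list:
    """Channel ids that still permit external entity expansion."""
    return sorted(c for c, s in audit_xxe_setting(config_xml).items() if s != "disabled")


if __name__ == "__main__":
    for cid, state in audit_xxe_setting(SAMPLE_CONFIG).items():
        print(f"{cid}: external entity expansion {state}")
```

Run it against the real file with `audit_xxe_setting(open("services-config.xml").read())`; every channel should report "disabled" after step 4.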
After applying the patch, if you encounter the following error, it means that your XML parser does not support the external-general-entities feature. In that case, update your XML parser, for example to Xerces 2.9.1.
Error deserializing XML type jaxp_feature_not_supported: Feature "http://xml.org/sax/features/external-general-entities" is not supported