Product
Security Update Available for LiveCycle Data Services
Release date: November 17, 2015
Vulnerability identifier: APSB15-30
Priority: See table below
CVE number: CVE-2015-5255
Platform: All Platforms
Summary
Adobe has released a security update for LiveCycle Data Services. This update includes an updated version of Apache™ BlazeDS that resolves an important server-side request forgery vulnerability. Adobe recommends users apply the available updates using the instructions provided in the "Solution" section below.
Affected Versions
| Product | Affected Versions | Platform |
|---|---|---|
| LiveCycle Data Services | 4.7, 4.6.2, 4.5, 3.1.x, 3.0.x | Windows, Macintosh and Unix |
Solution
Adobe categorizes this hotfix with the following priority rating and recommends users apply the relevant patch available below using the instructions provided in this KB article:
Updates
| Version | File Contents | Checksum (SHA1) |
|---|---|---|
| 4.7.0.354178 | flex-messaging-core.jar | 1630ab025c94b9cd17eb6c08c8d3c03e8c3b476d |
| 4.6.2.354178 | flex-messaging-core.jar | 13913aeeab44cca926311d69beab7144acd5cd69 |
| 4.5.1.354177 | flex-messaging-core.jar | 1a7caded7b92da7f7a339b4708a70a6bc0c38a0c |
| 3.1.0.354180 | flex-messaging-core.jar | e90dc9153729395887096751d37d386a66e96230 |
| 3.0.0.354175 | flex-messaging-core.jar | 0b6e26f5f7a70c524bdd56642a2a3201dc0a3687 |
Vulnerability Details
This update resolves an issue with the parsing of crafted XML documents that could expose affected systems to server-side request forgery attacks (CVE-2015-5255).
Acknowledgments
Adobe would like to thank James Kettle of PortSwigger Web Security for reporting this issue.