Security bulletin

Security update available for BlazeDS

Release date: February 11, 2010

Last updated: March 5, 2010

Vulnerability identifier: APSB10-05

CVE number: CVE-2009-3960

Platform: All

Summary

An important vulnerability (CVE-2009-3960) has been identified in BlazeDS 3.2 and earlier versions. When processing incoming requests, XML external entity references and injected tags can result in disclosure of information. This issue affects LiveCycle 9.0, 8.2.1 and 8.0.1, and ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2, which are installed with different versions of Data Services products. Adobe has provided a solution for the reported vulnerability for each affected Adobe product. It is recommended that users update their installations of each affected Adobe product to the latest version using the instructions provided below.

Affected software versions

BlazeDS 3.2 and earlier versions
LiveCycle 9.0, 8.2.1, and 8.0.1
LiveCycle Data Services 3.0, 2.6.1, and 2.5.1
Flex Data Services 2.0.1
ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2

Solution

BlazeDS
Prerequisite: Requires that BlazeDS 3.2 already be installed.
Installation Instructions:
1. Download the patch zip file for BlazeDS 3.2, and extract the contents to your local file system.
2. Copy the files flex-messaging-core.jar and flex-messaging-common.jar to the /WEB-INF/lib/ directory of the BlazeDS web application you want to apply the hotfix to.
Note: For nightly builds of the BlazeDS Trunk branch or the BlazeDS 3.x branch, customers are advised to update to the latest nightly build. This issue was resolved in BlazeDS 3.x build 12617 (and later builds) and BlazeDS Trunk build 12583 (and later builds).

LiveCycle 9.0
Prerequisite: Requires that LiveCycle 9.0 is already installed.
Installation Instructions:
1. Download the patch zip for LiveCycle 9.0.
2. Extract the zip file to a directory on the server machine.
3. Go to the <PatchFolder>/<AppServer>_build_configuration/Disk1/InstData/<OS>/VM folder.
e.g. On Windows/JBoss setup: go to <PatchFolder>\JBoss_build_configuration\Disk1\InstData\Windows\VM
or On Linux/Weblogic setup: go to <PatchFolder>/WebLogic_build_configuration/Disk1/InstData/Linux/NoVM
4. Run the following file to launch the patch installer:
On Windows: lces2_qf_install.exe
On Unix: lces2_qf_install.bin
5. The Adobe LiveCycle ES2 Quick Fix Patch window appears with the Introduction pane. Click Next.
6. In the Choose Install Folder pane, provide the path of the folder where LiveCycle ES2 is installed.
e.g. On Windows: C:\Adobe\Adobe LiveCycle ES2
or On Linux: /opt/adobe/adobe_livecycle_es2
Click Next.
7. View the quick fix patch summary in the Quick Fix Patch Summary pane. Click Next.
8. View the pre-installation summary before continuing in Pre-Installation Summary pane. Click Install.
9. The updated files have been successfully installed. Click Next to replace your existing files with the updated ones.
10. In the Installation Complete pane, check the Start LiveCycle Configuration Manager check box and click Done.
11. The Adobe LiveCycle Configuration Manager window appears. You can now proceed to configure and deploy the patched LiveCycle ES2.

LiveCycle 8.2.1
Prerequisite: Requires that LiveCycle 8.2.1 is already installed.
Installation Instructions:
1. Download the patch zip for LiveCycle 8.2.1.
2. Extract the zip file to a patch folder and copy the patch folder for the specific operating system to the server machine.
3. Go to <PatchFolder>/<OS>_build_configuration/disk1 folder.
e.g. On Windows setup: go to <PatchFolder>\x86_win32_build_configuration\disk1
or On Linux setup: go to <PatchFolder>/x86_linux_build_configuration/disk1
4. Run the following file to launch the patch installer:
On Windows: adobe_livecycle_8_2_qf.exe
On Unix: adobe_livecycle_8_2_qf.bin
5. The InstallShield window appears. Select the language to be used for this wizard, and click OK.
6. The LiveCycle ES Quick Fix Installer window appears with the Introduction pane. Click Next.
7. In the Configuration pane, provide the path of the LiveCycle ES root directory.
e.g. On Windows: C:\Adobe\LiveCycle8.2
or On Linux: /opt/adobe/livecycle8.2
Click Next.
8. View the quick fix summary and click Next.
9. View the Quick Fix Summary (continued) in the Review pane before continuing. Click Install.
10. The Adobe LiveCycle ES Quick Fix Installer has finished copying files. Click Next to apply the Quick Fix updates to your installed files.
11. In the Quick Fix Installation Completion pane, check the Start LiveCycle Configuration Manager check box and click Finish.
12. The Adobe LiveCycle Configuration Manager window appears. You can now proceed to configure, deploy and validate the patched LiveCycle ES.

LiveCycle 8.0.1
Prerequisite: Requires that LiveCycle 8.0.1 is already installed.
Installation Instructions:
1. Download the patch zip for LiveCycle 8.0.1.
2. Extract the zip file to a patch folder and copy the patch folder for the specific operating system to the server machine.
3. Go to <PatchFolder>/<OS>_build_configuration/disk1 folder.
e.g. On Windows setup: go to <PatchFolder>\x86_win32_build_configuration\disk1
or On Linux setup: go to <PatchFolder>/x86_linux_build_configuration/disk1
4. Run the following file to launch the patch installer:
On Windows: adobe_livecycle_8_0_qf.exe
On Unix: adobe_livecycle_8_0_qf.bin
5. The InstallShield window appears. Select the language to be used for this wizard, and click OK.
6. The LiveCycle ES Quick Fix Installer window appears with the Introduction pane. Click Next.
7. In the Configuration pane, provide the path of the LiveCycle ES root directory.
e.g. On Windows: C:\Adobe\LiveCycle8
or On Linux: /opt/adobe/livecycle8
Click Next.
8. View the patch summary, and click Next.
9. View the Patch Summary (continued) in the Review pane before continuing. Click Install.
10. The Adobe LiveCycle ES Patch Installer has finished copying files. Click Next to apply the patch updates to your installed files.
11. In the Patch Installation Completion pane, check the Start LiveCycle Configuration Manager check box and click Finish.
12. The Adobe LiveCycle Configuration Manager window appears. You can now proceed to configure, deploy and validate the patched LiveCycle ES.

LiveCycle Data Services 2.5.1
Prerequisite: Requires that LiveCycle Data Services 2.5.1 already be installed.
Installation Instructions:
1. Download the patch zip file for LiveCycle Data Services 2.5.1, and extract the contents to your local file system.
2. Copy the files flex-messaging.jar and flex-messaging-common.jar to the /WEB-INF/lib/ directory of the LCDS web application you want to apply the hotfix to.
 
LiveCycle Data Services 2.6.1
Prerequisite: Requires that LiveCycle Data Services 2.6.1 already be installed.
Installation Instructions:
1. Download the patch zip file for LiveCycle Data Services 2.6.1, and extract the contents to your local file system.
2. Copy the files flex-messaging-core.jar and flex-messaging-common.jar to the /WEB-INF/lib/ directory of the LCDS web application you want to apply the hotfix to.
 
LiveCycle Data Services 3.0
Prerequisite: Requires that LiveCycle Data Services 3.0 already be installed.
Installation Instructions:
1. Download the patch zip file for LiveCycle Data Services 3.0, and extract the contents to your local file system.
2. Copy the file flex-messaging-core.jar to the /WEB-INF/lib/ directory of the LCDS web application you want to apply the hotfix to.

Flex Data Services 2.0.1
Prerequisite: Requires that Flex Data Services 2.0.1 already be installed.
Installation Instructions:
1. Download the patch zip file for Flex Data Services 2.0.1, and extract the contents to your local file system.
2. Copy the files flex-messaging.jar and flex-messaging-common.jar to the /WEB-INF/lib/ directory of the FDS web application you want to apply the hotfix to.

ColdFusion
Installation Instructions available here: http://kb2.adobe.com/cps/822/cpsid_82241.html.
Note: Technote description was updated on February 18, 2010. All ColdFusion users should review the technote.

Severity rating

Adobe categorizes these as important updates and recommends that users apply each update for their respective product installation(s).

Details

An important vulnerability (CVE-2009-3960) has been identified in BlazeDS 3.2 and earlier versions. When processing incoming requests, XML external entity references and injected tags can result in disclosure of information. Information disclosure is limited to files readable by the server process running BlazeDS, which may include sensitive information in certain customer environments. This issue affects LiveCycle 9.0, 8.2.1 and 8.0.1, and ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2, which are installed with different versions of Data Services products. Adobe has provided a solution for the reported vulnerability for each affected Adobe product. It is recommended that users update their installations of each affected Adobe product to the latest version using the instructions provided above.
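The bulletin describes the vulnerability class but not the fix; the following is an added example, not Adobe's patch or BlazeDS code, showing how a Java server that parses incoming XML requests (such as BlazeDS's AMFX channel) can configure the JDK DOM parser so that a DOCTYPE carrying an external entity reference is refused before any file is read. The AMFX-shaped request strings are constructed samples and the file path in the rejected one is a placeholder.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Illustrative hardened parser; not part of the BlazeDS code base.
public class HardenedXmlParser {

    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // A request message never needs a DOCTYPE; refusing it removes external
        // entities, parameter entities and entity expansion in one step.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parser implementations that ignore the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Returns the parsed document, or null when the hardened parser rejected the input. */
    static Document parseRequest(String xml) throws ParserConfigurationException {
        try {
            return newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
        } catch (SAXException | IOException e) {
            // Log the rejection server-side; never echo resolved content back to the client.
            System.err.println("rejected XML request: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples; the AMFX envelope shape is illustrative only.
        String benign = "<amfx ver=\"3\"><body><string>hello</string></body></amfx>";
        String withEntity = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE amfx [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/path\">]>"
            + "<amfx ver=\"3\"><body><string>&ext;</string></body></amfx>";
        System.out.println("benign request accepted:  " + (parseRequest(benign) != null));
        System.out.println("entity request accepted:  " + (parseRequest(withEntity) != null));
    }
}
```

With the DOCTYPE feature set, the second sample is rejected at the prolog, so the entity's SYSTEM identifier is never opened, which is the property a server process holding readable sensitive files needs.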

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

Revisions

March 5, 2010 - Bulletin updated with updated patch zip file for the BlazeDS 3.2 solution; added in flex-messaging-common.jar file.
February 18, 2010 - Bulletin updated with a note that the ColdFusion technote description was updated.
February 11, 2010 - Bulletin created.