Security bulletin

Security update available for LiveCycle Data Services, LiveCycle ES, and BlazeDS

Release date: June 14, 2011

Last updated: July 11, 2011

Vulnerability identifier: APSB11-15

CVE number: CVE-2011-2092, CVE-2011-2093

Platform: All Platforms

Summary

Two important security vulnerabilities have been identified in LiveCycle Data Services and BlazeDS. These vulnerabilities affect LiveCycle Data Services 3.1, 2.6.1, 2.5.1 and earlier versions for Windows, Macintosh and UNIX, and LiveCycle 9.0.0.2, 8.2.1.3, 8.0.1.3 and earlier versions for Windows, Linux and UNIX. These vulnerabilities also affect BlazeDS 4.0.0 and earlier versions. Adobe recommends users update their product installations using the instructions provided in the "Solution" section below.

Affected software versions

  • LiveCycle Data Services 3.1, 2.6.1, 2.5.1 and earlier versions for Windows, Macintosh and UNIX
  • LiveCycle 9.0.0.2, 8.2.1.3, 8.0.1.3 and earlier versions for Windows, Linux and UNIX
  • BlazeDS 4.0.0 and earlier versions

Solution

Adobe recommends users update their LiveCycle Data Services, LiveCycle, and/or BlazeDS installations by applying the relevant update(s) using the instructions below:

LiveCycle Data Services

Flex Data Services 2.0.1
Prerequisite: Requires that Flex Data Services 2.0.1 is already installed.
Installation Instructions (please follow any additional instructions in the readme file included with the patch):

  1. Download the patch zip file for FDS 2.0.1, and extract the contents to your local file system.
  2. Copy the files flex-messaging-common.jar and flex-messaging.jar to the /WEB-INF/lib/ directory of the Flex Data Services Web application you want to apply the hotfix to, overwriting the existing versions of these files, and then restart your server.
  3. Copy the file flex-messaging-common.jar to the /lib directory of your Flex SDK. This is only necessary if you need to compile your application against a services-config.xml file with the validators configuration. It is not necessary to recompile your application to apply any of the changes that are part of this security hotfix. They are all server-side changes.

LiveCycle Data Services 2.5
Prerequisite: Requires that LiveCycle Data Services 2.5 is already installed.
Installation Instructions (please follow any additional instructions in the readme file included with the patch):

  1. Download the patch zip file for LCDS 2.5, and extract the contents to your local file system.
  2. Copy the files flex-messaging-common.jar and flex-messaging.jar to the /WEB-INF/lib/ directory of the LiveCycle Data Services Web application you want to apply the hotfix to, overwriting the existing versions of these files, and then restart your server.
  3. Copy the file flex-messaging-common.jar to the /lib directory of your Flex SDK. This is only necessary if you need to compile your application against a services-config.xml file with the validators configuration. It is not necessary to recompile your application to apply any of the changes that are part of this security hotfix. They are all server-side changes.

LiveCycle Data Services 2.5.1
Prerequisite: Requires that LiveCycle Data Services 2.5.1 is already installed.
Installation Instructions (please follow any additional instructions in the readme file included with the patch):

  1. Download the patch zip file for LCDS 2.5.1, and extract the contents to your local file system.
  2. Copy the files flex-messaging-common.jar and flex-messaging.jar to the /WEB-INF/lib/ directory of the LiveCycle Data Services Web application you want to apply the hotfix to, overwriting the existing versions of these files, and then restart your server.
  3. Copy the file flex-messaging-common.jar to the /lib directory of your Flex SDK. This is only necessary if you need to compile your application against a services-config.xml file with the validators configuration. It is not necessary to recompile your application to apply any of the changes that are part of this security hotfix. They are all server-side changes.

LiveCycle Data Services 2.6
Prerequisite: Requires that LiveCycle Data Services 2.6 is already installed.
Installation Instructions (please follow any additional instructions in the readme file included with the patch):

  1. Download the patch zip file for LCDS 2.6, and extract the contents to your local file system.
  2. Copy the files flex-messaging-common.jar, flex-messaging-core.jar and flex-messaging-data.jar to the /WEB-INF/lib/ directory of the LiveCycle Data Services Web application you want to apply the hotfix to, overwriting the existing versions of these files, and then restart your server.
  3. Copy the file flex-messaging-common.jar to the /lib directory of your Flex SDK. This is only necessary if you need to compile your application against a services-config.xml file with the validators configuration. It is not necessary to recompile your application to apply any of the changes that are part of this security hotfix. They are all server-side changes.

LiveCycle Data Services 2.6.1
Prerequisite: Requires that LiveCycle Data Services 2.6.1 is already installed.
Installation Instructions (please follow any additional instructions in the readme file included with the patch):

  1. Download the patch zip file for LCDS 2.6.1, and extract the contents to your local file system.
  2. Copy the files flex-messaging-common.jar, flex-messaging-core.jar and flex-messaging-data.jar to the /WEB-INF/lib/ directory of the LiveCycle Data Services Web application you want to apply the hotfix to, overwriting the existing versions of these files, and then restart your server.
  3. Copy the file flex-messaging-common.jar to the /lib directory of your Flex SDK. This is only necessary if you need to compile your application against a services-config.xml file with the validators configuration. It is not necessary to recompile your application to apply any of the changes that are part of this security hotfix. They are all server-side changes.

LiveCycle Data Services 3
Prerequisite: Requires that LiveCycle Data Services 3 is already installed.
Installation Instructions (please follow any additional instructions in the readme file included with the patch):

  1. Download the patch zip file for LCDS 3, and extract the contents to your local file system.
  2. Copy the files flex-messaging-common.jar, flex-messaging-core.jar and flex-messaging-data.jar to the /WEB-INF/lib/ directory of the LiveCycle Data Services Web application you want to apply the hotfix to, overwriting the existing versions of these files, and then restart your server.
  3. It is not necessary to recompile your application to apply any of the changes that are part of this security hotfix. They are all server-side changes.

LiveCycle Data Services 3.1
Prerequisite: Requires that LiveCycle Data Services 3.1 is already installed.
Installation Instructions (please follow any additional instructions in the readme file included with the patch):

  1. Download the patch zip file for LCDS 3.1, and extract the contents to your local file system.
  2. Copy the files flex-messaging-common.jar, flex-messaging-core.jar and flex-messaging-data.jar to the /WEB-INF/lib/ directory of the LiveCycle Data Services Web application you want to apply the hotfix to, overwriting the existing versions of these files, and then restart your server.
  3. It is not necessary to recompile your application to apply any of the changes that are part of this security hotfix. They are all server-side changes.

LiveCycle 9.0.0.2, 8.2.1.3 and 8.0.1.3
Download the appropriate Quick Fix for your version and respective platform/operating system of LiveCycle. Then review the Readme and follow the directions contained within to install:

LiveCycle 9.0.0.2:
Readme: QF2.111_9002

  Download   Operating System   Filename                          MD5                               File Size
  JBoss      Windows            JBoss_build_configuration.zip     c770edba242e430a22eee8965f16792f  346M
  WebLogic   Windows            WebLogic_build_configuration.zip  f949c1b11af785331ff79d07d5e36597  346M
  WebSphere  Windows                                              86a9b3952c1b31e118d84a70b5c85e20  405M
  JBoss      Unix                                                 7bde6fea7d69b14c6921db6e1698647c  346M
  WebLogic   Unix                                                 885ddb78ab49ba2851353b1acad833b0  346M
  WebSphere  Unix                                                 6e583aaf23bff784898bb1d1f9271676  405M

LiveCycle 8.2.1.3:
Readme: QF3.134_8213

  Operating System   Filename                              MD5                               File Size
  Windows            x86_win32_build_configuration.zip     38821142e06f9550ddfacef957ce4137  238M
  Linux              x86_linux_build_configuration.tar.gz  bc9e9d5719e2d2d261043fa3a9a585e8  213M
  Sun OS                                                   d71331deb3522ed663a670280b2d514d  213M
  AIX                                                      4b01a13e220d8493fda3c8d1500188f0  213M

LiveCycle 8.0.1.3:
Readme: QF3.24_801

  Operating System   Filename                              MD5                               File Size
  Windows            x86_win32_build_configuration.zip     4f36c6ebdb59b3d67cf4df55c0c38bdc  274M
  Linux              x86_linux_build_configuration.tar.gz  e6bb84903879929aa5a6eab5fab2dc81  249M
  Sun OS                                                   40b1dda0d6bca92b3b807cacb20ae0b0  249M
  AIX                                                      678ead1d58cc3f1e57d0aed44919e4a3

BlazeDS 4.0.0
Prerequisite: Requires that BlazeDS 4.0.0 is already installed.
Installation Instructions (please follow any additional instructions in the readme file included with the patch):

  1. Download the patch zip file for BlazeDS 4.0.1, and extract the contents to your local file system.
  2. Copy the files flex-messaging-common.jar and flex-messaging-core.jar to the /WEB-INF/lib/ directory of the BlazeDS Web application you want to apply the hotfix to, overwriting the existing versions of these files, and then restart your server.
  3. It is not necessary to recompile your application to apply any of the changes that are part of this security hotfix. They are all server-side changes.

Note: For earlier versions of BlazeDS, it is strongly recommended that you upgrade to the latest release build of BlazeDS 4 (v4.0.0 as of June 22, 2011) and then apply the security patch by following the installation instructions above.
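As an added post-patch check (not Adobe's tooling), the script below compares a snapshot of WEB-INF/lib taken before the hotfix with one taken afterwards, using the per-product jar lists from the steps above, and reports any listed jar that was not actually replaced as well as any file outside the hotfix scope that changed. The directory layout and the sample jar contents in demo() are constructed assumptions.

```python
"""Post-patch check for the APSB11-15 hotfix: confirm that exactly the jars the
bulletin lists for a product were replaced under WEB-INF/lib and nothing else
changed. Added illustration, not Adobe's tooling; jar lists come from the
bulletin's steps, the directory layout and sample contents are constructed."""
import hashlib
import tempfile
from pathlib import Path

# Jars each product's instructions say to overwrite in /WEB-INF/lib/.
TWO = {"flex-messaging-common.jar", "flex-messaging.jar"}
THREE = {"flex-messaging-common.jar", "flex-messaging-core.jar", "flex-messaging-data.jar"}
HOTFIX_JARS = {
    "FDS 2.0.1": TWO, "LCDS 2.5": TWO, "LCDS 2.5.1": TWO,
    "LCDS 2.6": THREE, "LCDS 2.6.1": THREE, "LCDS 3": THREE, "LCDS 3.1": THREE,
    "BlazeDS 4.0.0": {"flex-messaging-common.jar", "flex-messaging-core.jar"},
}

def snapshot(lib_dir):
    """SHA-256 of every file directly under WEB-INF/lib, keyed by file name."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(Path(lib_dir).iterdir()) if p.is_file()}

def verify_hotfix(product, before, after):
    """Compare a pre-patch snapshot with a post-patch one. Returns (ok, findings):
    ok is True only when every listed jar now has different bytes and no file
    outside that list was added, removed or modified."""
    expected = HOTFIX_JARS[product]
    findings = []
    for jar in sorted(expected):
        if jar not in after:
            findings.append(f"missing after patch: {jar}")
        elif before.get(jar) == after[jar]:
            findings.append(f"not replaced (identical bytes): {jar}")
    for name in sorted(set(before) | set(after)):
        if name not in expected and before.get(name) != after.get(name):
            findings.append(f"unexpected change outside hotfix scope: {name}")
    return not findings, findings

def demo():
    """Constructed BlazeDS 4.0.0 lib dir where only one of the two jars was copied."""
    lib = Path(tempfile.mkdtemp())
    for name in ("flex-messaging-common.jar", "flex-messaging-core.jar", "app-custom.jar"):
        (lib / name).write_bytes(b"pre-patch " + name.encode())
    before = snapshot(lib)
    (lib / "flex-messaging-common.jar").write_bytes(b"hotfix build")  # core.jar forgotten
    return verify_hotfix("BlazeDS 4.0.0", before, snapshot(lib))
```

Take the "before" snapshot on the live WEB-INF/lib before copying the patch jars, apply the steps for your product, then run verify_hotfix on a fresh snapshot before restarting the server.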

Severity rating

Adobe categorizes these as important updates and recommends that users apply the latest update for their product installations by following the instructions in the "Solution" section above.

Details

Two important security vulnerabilities have been identified in LiveCycle Data Services and BlazeDS. These vulnerabilities affect LiveCycle Data Services 3.1, 2.6.1, 2.5.1 and earlier versions for Windows, Macintosh and UNIX, and LiveCycle 9.0.0.2, 8.2.1.3, 8.0.1.3 and earlier versions for Windows, Linux and UNIX. These vulnerabilities also affect BlazeDS 4.0.0 and earlier versions. Adobe recommends users update their product installations using the instructions provided in the "Solution" section above.

These updates resolve a vulnerability in which classes could be created without restriction during AMF/AMFX deserialization, which poses a security risk (CVE-2011-2092).

These updates resolve a complex object graph vulnerability that could lead to a denial of service (CVE-2011-2093).
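To illustrate the two vulnerability classes above from the defensive side, here is an added example (not LiveCycle or BlazeDS code) of a pre-instantiation guard for AMFX requests: it refuses typed objects whose class is not on an allow list, and refuses object graphs that are too deep or too large, before any server-side class is created. The allow-list patterns, the limits and the sample message are assumptions.

```python
"""Pre-instantiation guard for AMFX payloads. Added example, not LiveCycle or
BlazeDS code: refuses typed <object> elements whose class is off an allow list
(the CVE-2011-2092 issue) and graphs that are too deep or too large (the
CVE-2011-2093 issue). Allow-list patterns, limits and sample are assumptions."""
import xml.etree.ElementTree as ET  # use defusedxml in production to block entity attacks
from fnmatch import fnmatchcase

ALLOWED_CLASSES = ("flex.messaging.messages.*", "com.example.model.*")  # assumed
MAX_DEPTH, MAX_OBJECTS = 16, 1000  # assumed limits; tune to real traffic

class RejectedPayload(ValueError):
    """Raised before any server-side class would be instantiated."""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the AMFX XML namespace, if present

def check_amfx(xml_text, allowed=ALLOWED_CLASSES, max_depth=MAX_DEPTH, max_objects=MAX_OBJECTS):
    """Walk the AMFX tree iteratively (a hostile depth cannot overflow the Python
    stack) and return the typed classes that would be instantiated, in document
    order, or raise RejectedPayload."""
    stack, seen, objects = [(ET.fromstring(xml_text), 0)], [], 0
    while stack:
        node, depth = stack.pop()
        if depth > max_depth:
            raise RejectedPayload(f"nesting depth {depth} exceeds {max_depth}")
        if _local(node.tag) == "object":
            objects += 1
            if objects > max_objects:
                raise RejectedPayload(f"object count exceeds {max_objects}")
            cls = node.get("type")  # absent on anonymous objects
            if cls is not None:
                if not any(fnmatchcase(cls, pat) for pat in allowed):
                    raise RejectedPayload(f"class not on allow list: {cls}")
                seen.append(cls)
        stack.extend((child, depth + 1) for child in reversed(list(node)))
    return seen

def rejection_reason(xml_text, **limits):
    """The reason a payload would be refused, or None if it passes."""
    try:
        check_amfx(xml_text, **limits)
    except RejectedPayload as exc:
        return str(exc)
    return None

# Constructed sample request, not a captured message.
SAMPLE = """<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx"><body>
<object type="flex.messaging.messages.RemotingMessage"><traits><string>body</string></traits>
<object type="com.example.model.Order"><traits><string>id</string></traits><int>42</int></object>
</object></body></amfx>"""
```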

Acknowledgments

Adobe would like to thank Wouter Coekaerts (CVE-2011-2092, CVE-2011-2093) for reporting the relevant issues and for working with Adobe to help protect our customers.

Revisions

July 11, 2011 - Updated instructions to note additional instructions in readme files
June 22, 2011 - Updated the version information for updating earlier versions of BlazeDS