Security bulletin

Security update available for Flex SDK

Release date: November 30, 2011

Vulnerability identifier: APSB11-25

CVE number: CVE-2011-2461

Platform: Windows, Macintosh and Linux

Summary

An important vulnerability has been identified in the Adobe Flex SDK 4.5.1 and earlier 4.x versions and 3.x versions on the Windows, Macintosh and Linux operating systems. This vulnerability could lead to cross-site scripting issues in Flex applications. Adobe recommends that users of the Adobe Flex SDK 4.5.1 and earlier 4.x versions, and the Adobe Flex SDK 3.6 and earlier 3.x versions, update their software, verify whether any SWF files in their applications are vulnerable, and update any vulnerable SWF files using the instructions and tools provided in the tech note linked in the "Solution" section below.

Affected software versions

  • Adobe Flex SDK 4.5.1 and earlier 4.x versions for Windows, Macintosh and Linux
  • Adobe Flex SDK 3.6 and earlier 3.x versions for Windows, Macintosh and Linux

Solution

Adobe recommends users of the Adobe Flex SDK 4.5.1 and earlier 4.x versions and 3.x versions update their installations and verify any relevant SWF files in their applications using the instructions provided in this tech note.

Severity rating

Adobe categorizes this as an important update and recommends that users apply the latest update for their product installation by following the instructions in the "Solution" section above.

Details

An important vulnerability has been identified in the Adobe Flex SDK 4.5.1 and earlier 4.x versions and 3.x versions on the Windows, Macintosh and Linux operating systems:

  • All Web-based (not AIR-based) Flex applications built using any release of Flex 3.x (including 3.0, 3.0.1, 3.1, 3.2, 3.3, 3.4, 3.4.1, 3.5, 3.5A and 3.6) may be vulnerable.
  • Web-based (not AIR-based) Flex applications built using any release of Flex 4.x (including 4.0, 4.1, 4.5 and 4.5.1) that were compiled using static linkage of the Flex libraries rather than RSL (runtime shared library) linkage are vulnerable.
  • Most Flex 4.x applications that were compiled in the default way (specifically, using RSL linkage) are not vulnerable; however, there are rare cases in which they may be vulnerable. To determine whether an application is vulnerable, customers should use the SWF patching tool described in the tech note.

This vulnerability could lead to cross-site scripting issues in Flex applications. Adobe recommends that users of the Adobe Flex SDK 4.5.1 and earlier 4.x versions and 3.x versions update their software, verify whether any SWF files in their applications are vulnerable, and update any vulnerable SWF files using the instructions and tools provided in the tech note linked in the "Solution" section above.

NOTE: Users of Adobe Flash Builder 4.5.x can update to Flash Builder 4.6. Other Flash Builder users should update their Flex SDK and note instructions related to data visualization components (e.g. Charts, AdvancedDataGrid, and OLAPDataGrid) and automated testing support in the tech note.