Adobe Issues Hotfix
Thursday, August 20, 2015 @ 05:08 PM gHale
Adobe issued a hotfix to address an XML External Entity (XXE) vulnerability in LiveCycle Data Services (DS).
Adobe LiveCycle Data Services is a framework that simplifies the development of Flex and AIR applications.
The solution provides data-enabling capabilities such as synchronization, paging, conflict management and publish-subscribe messaging.
BlazeDS, a free and open-source server-based Java remoting and web messaging technology, suffers from an XXE vulnerability that can result in information disclosure, said Matthias Kaiser of Code White, who discovered the vulnerability. BlazeDS can run on its own, but it is also embedded in LiveCycle DS.
The vulnerability affects LiveCycle DS versions 4.7, 4.6.2, 4.5 and 3.0.x for Windows, Mac and Linux.
The fix includes changes in the flex-messaging-core.jar file. Users should download the flex-messaging-core.jar file for their product and replace the file in their installation with the patched version.
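A check for the replacement step above, added here as an example and not taken from Adobe's hotfix instructions: it compares every flex-messaging-core.jar under an installation root against the patched jar downloaded for the product. The function names, exit codes and the paths passed in are assumptions, and sha256sum is assumed to be installed.

```shell
#!/bin/sh
# Added example (not Adobe's tooling): find every flex-messaging-core.jar
# under an installation root and compare it with the patched jar.
# Assumptions: sha256sum is installed; function names and exit codes are ours.

sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# audit_jars PATCHED_JAR INSTALL_ROOT
# Prints "OK <path>" or "STALE <path>" per copy found.
# Returns 0 = all copies match, 1 = stale copy present,
#         2 = bad arguments, 3 = no copy found under INSTALL_ROOT.
audit_jars() {
    aj_patched=$1
    aj_root=$2
    if [ ! -f "$aj_patched" ] || [ ! -d "$aj_root" ]; then
        echo "usage: audit_jars PATCHED_JAR INSTALL_ROOT" >&2
        return 2
    fi
    aj_want=$(sha256_of "$aj_patched")
    aj_list=$(mktemp) || return 2
    # A temp file (not a pipe) keeps the loop in this shell so the
    # counters survive; paths containing newlines are not supported.
    find "$aj_root" -type f -name 'flex-messaging-core.jar' > "$aj_list"
    aj_seen=0
    aj_stale=0
    while IFS= read -r aj_jar; do
        aj_seen=$((aj_seen + 1))
        if [ "$(sha256_of "$aj_jar")" = "$aj_want" ]; then
            echo "OK $aj_jar"
        else
            echo "STALE $aj_jar"
            aj_stale=$((aj_stale + 1))
        fi
    done < "$aj_list"
    rm -f "$aj_list"
    [ "$aj_seen" -gt 0 ] || return 3
    [ "$aj_stale" -eq 0 ] || return 1
    return 0
}

# Stand-alone use: sh audit.sh PATCHED_JAR INSTALL_ROOT
if [ "$#" -eq 2 ]; then
    audit_jars "$1" "$2"
fi
```

The search only sees jars that exist as files on disk; copies packed inside other archives are not inspected.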
The classification for the XXE bug is “important” with a priority rating of 3. This means the flaw could be exploited to compromise data security, but it affects a product that malicious actors have historically not targeted.
Adobe said there are no attacks leveraging the vulnerability.