Adobe Hotfix Patches XXE Vulnerability in ColdFusion

Adobe today pushed out a hotfix to ColdFusion implementations, patching a vulnerability it had already patched nine days ago on the LiveCycle Data Services application framework.

Today’s hotfix affects ColdFusion 11, update 5 and earlier, and ColdFusion 10, update 16 and earlier. Hotfixes, unlike patches, are usually pushed by the vendor directly to software implementations and do not require a reboot.

The vulnerability, CVE-2015-3269, is an XML External Entity issue, found in the Apache Flex BlazeDS component of ColdFusion and LiveCycle Data Services.

“This hotfix resolves an issue associated with the parsing of crafted XML external entities in BlazeDS that could lead to information disclosure,” Adobe said in its advisory, adding that it’s not aware of any public exploits against the flaw.

According to the National Vulnerability Database description, attackers can exploit this vulnerability to remotely read files. XXE vulnerabilities are found in web applications that parse XML input and can be exploited to leak protected files from the network.

“This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser,” said OWASP in its description of XXE.

The LiveCycle Data Services hotfix was pushed out Aug. 18, and it affected versions 4.7, 4.6.2, 4.5 and 3.0 on Windows, Mac OS X and UNIX systems.

LiveCycle Data Services, formerly known as Flex Data Services, is a development tool sold by Adobe that streamlines development processes, including data and client integration and application deployment.

Provided from: Techcrunch.