Server-side request forgery (SSRF) vulnerability in BlazeDS

Server-side request forgery (SSRF) vulnerability in BlazeDS

Search
Adobe LiveCycle User Guide
Applies to: AEM Forms on JEE Adobe LiveCycle Digital Enterprise Platform

某些 Creative Cloud 应用程序、服务和功能在中国不可用。

Adobe has been notified of an SSRF vulnerability (CVE-2015-5255) in BlazeDS. To fix the vulnerability retrospectively in BlazeDS distributions embedded in LiveCycle Data Services (LCDS), Adobe has released a patch that includes fixes in the flex-messaging-core.jar file.

Perform the following steps to obtain and apply the patch:

  1. Patches are available for the following LCDS versions. See Adobe Security Bulletin for more information and to download the patch for your LCDS version.

    • LCDS 3.0.0.354175
    • LCDS 3.1.0.354180
    • LCDS 4.5.1.354177
    • LCDS 4.6.2.354178
    • LCDS 4.7.0.354178

  2. Navigate to the patch directory and copy the flex-messaging-core.jar file.

  3. Replace the flex-messaging-core.jar file in your LCDS application with the file copied in step 2.

  4. Edit the services-config.xml file in your LCDS application. Add the property allow-xml-doctype-declaration under channels/channel-definition/properties/serialization and set its value to false. For example:

    <services-config>

  |

  ---- <channels>

     |

     ---- <channel-definition ...>

         |

         ---- <properties>

            |

            ---- <serialization>

                |

                ---- <allow-xml-doctype-declaration>
                        false
                      </allow-xml-doctype-declaration>

Note:

After applying the patch, if you encounter the following error, it implies that your XML parser does not support the disallow-doctype-decl feature. In this case, you would need to update your XML parser to one that supports it. For example, Xerces 2.9.1.

Error deserializing XML type jaxp_feature_not_supported:
Feature "http://apache.org/xml/features/disallow-doctype-decl" is not supported