• info
• discussion
• exploit
• solution
• references

Adobe BlazeDS XML and XML External Entity Injection Vulnerabilities

Solution:
The vendor has released an advisory and updates. Please see the references for details.

UPDATE (February 18, 2010): Updated fixes for ColdFusion are available. Please see the references for more information.


Adobe LiveCycle Data Services 3.0

• Adobe lcds3_hf_262986.zip
  http://download.macromedia.com/pub/security/bulletins/lcds3_hf_262986. zip

Adobe ColdFusion 9.0

• Adobe Coldfusion9BlazeDS.zip
  http://kb2.adobe.com/cps/822/cpsid_82241/attachments/Coldfusion9BlazeD S.zip


• Adobe Coldfusion9LCDS.zip
  http://kb2.adobe.com/cps/822/cpsid_82241/attachments/Coldfusion9LCDS.z ip

Adobe ColdFusion 8

• Adobe Coldfusion8LCDS.zip
  http://kb2.adobe.com/cps/822/cpsid_82241/attachments/Coldfusion8LCDS.z ip

Adobe LiveCycle 9.0

• Adobe livecycle9_0.zip
  http://download.macromedia.com/pub/security/bulletins/livecycle9_0.zip

Adobe ColdFusion 8.0

• Adobe Coldfusion8LCDS.zip
  http://kb2.adobe.com/cps/822/cpsid_82241/attachments/Coldfusion8LCDS.z ip

Adobe BlazeDS 3.2

• Adobe blz32_hf_12617.zip
  http://download.macromedia.com/pub/security/bulletins/blz32_hf_12617.z ip

Adobe Flex Data Services 2.0.1

• Adobe fds201_hf_262793b.zip
  http://download.macromedia.com/pub/security/bulletins/fds201_hf_262793 b.zip

Adobe LiveCycle Data Services 2.5.1

• Adobe lcds251_hf_262793.zip
  http://download.macromedia.com/pub/security/bulletins/lcds251_hf_26279 3.zip

Adobe LiveCycle Data Services 2.6.1

• Adobe lcds261_hf_262977.zip
  http://download.macromedia.com/pub/security/bulletins/lcds261_hf_26297 7.zip

Adobe ColdFusion 7.0.2

• Adobe Coldfusion7.zip
  http://kb2.adobe.com/cps/822/cpsid_82241/attachments/Coldfusion7.zip


• Adobe Coldfusion7FlexDS.zip
  http://kb2.adobe.com/cps/822/cpsid_82241/attachments/Coldfusion7FlexDS .zip

Adobe LiveCycle 8.0.1

• Adobe livecycle8_0_1.zip
  http://download.macromedia.com/pub/security/bulletins/livecycle8_0_1.z ip

Adobe ColdFusion 8.0.1

• Adobe Coldfusion8LCDS.zip
  http://kb2.adobe.com/cps/822/cpsid_82241/attachments/Coldfusion8LCDS.z ip

Adobe LiveCycle 8.2.1

• Adobe livecycle8_2_1.zip
  http://download.macromedia.com/pub/security/bulletins/livecycle8_2_1.z ip