-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0642
          Security update available for LiveCycle Data Services,
                         LiveCycle ES, and BlazeDS
                               16 June 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           LiveCycle Data Services
                   LiveCycle
                   BlazeDS
Publisher:         Adobe
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service    -- Unknown/Unspecified
                   Increased Privileges -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-2093 CVE-2011-2092 

Original Bulletin: 
   http://www.adobe.com/support/security/bulletins/apsb11-15.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Security update available for LiveCycle Data Services, LiveCycle ES, and
BlazeDS

   Release date: June 14, 2011

   Vulnerability identifier: APSB11-15

   CVE number: CVE-2011-2092, CVE-2011-2093

   Platform: All Platforms

Summary

   Two important security vulnerabilities have been identified in
   LiveCycle Data Services and BlazeDS. These vulnerabilities affect
   LiveCycle Data Services 3.1, 2.6.1, 2.5.1 and earlier versions for
   Windows, Macintosh and UNIX, and LiveCycle 9.0.0.2, 8.2.1.3, 8.0.1.3
   and earlier versions for Windows, Linux and UNIX. These vulnerabilities
   also affect BlazeDS 4.0.1 and earlier versions. Adobe recommends users
   update their product installations using the instructions provided in
   the "Solution" section below.

Affected software versions

     * LiveCycle Data Services 3.1, 2.6.1, 2.5.1 and earlier versions for
       Windows, Macintosh and UNIX
     * LiveCycle 9.0.0.2, 8.2.1.3, 8.0.1.3 and earlier versions for
       Windows, Linux and UNIX
     * BlazeDS 4.0.1 and earlier versions

Solution

   Adobe recommends users update their LiveCycle Data Services, LiveCycle,
   and/or BlazeDS installations by applying the relevant update(s) using
   the instructions below:

   LiveCycle Data Services

     Flex Data Services 2.0.1
     Prerequisite: Requires that Flex Data Services 2.0.1 is already
     installed.
     Installation Instructions:

    1. Download the patch zip file for FDS 2.0.1, and extract the
       contents to your local file system.
    2. Copy the files flex-messaging-common.jar and flex-messaging.jar to
       the /WEB-INF/lib/ directory of the Flex Data Services Web
       application you want to apply the hotfix to, overwriting the
       existing versions of these files, and then restart your server.
    3. Copy the file flex-messaging-common.jar to the /lib directory of
       your Flex SDK. This is only necessary if you need to compile your
       application against a services-config.xml file with the validators
       configuration. It is not necessary to recompile your application to
       apply any of the changes that are part of this security hotfix.
       They are all server-side changes.

     LiveCycle Data Services 2.5
     Prerequisite: Requires that LiveCycle Data Services 2.5 is already
     installed.
     Installation Instructions:

    1. Download the patch zip file for LCDS 2.5, and extract the
       contents to your local file system.
    2. Copy the files flex-messaging-common.jar and flex-messaging.jar to
       the /WEB-INF/lib/ directory of the LiveCycle Data Services Web
       application you want to apply the hotfix to, overwriting the
       existing versions of these files, and then restart your server.
    3. Copy the file flex-messaging-common.jar to the /lib directory of
       your Flex SDK. This is only necessary if you need to compile your
       application against a services-config.xml file with the validators
       configuration. It is not necessary to recompile your application to
       apply any of the changes that are part of this security hotfix.
       They are all server-side changes.

     LiveCycle Data Services 2.5.1
     Prerequisite: Requires that LiveCycle Data Services 2.5.1 is already
     installed.
     Installation Instructions:

    1. Download the patch zip file for LCDS 2.5.1, and extract the
       contents to your local file system.
    2. Copy the files flex-messaging-common.jar and flex-messaging.jar to
       the /WEB-INF/lib/ directory of the LiveCycle Data Services Web
       application you want to apply the hotfix to, overwriting the
       existing versions of these files, and then restart your server.
    3. Copy the file flex-messaging-common.jar to the /lib directory of
       your Flex SDK. This is only necessary if you need to compile your
       application against a services-config.xml file with the validators
       configuration. It is not necessary to recompile your application to
       apply any of the changes that are part of this security hotfix.
       They are all server-side changes.

     LiveCycle Data Services 2.6
     Prerequisite: Requires that LiveCycle Data Services 2.6 is already
     installed.
     Installation Instructions:

    1. Download the patch zip file for LCDS 2.6, and extract the
       contents to your local file system.
    2. Copy the files flex-messaging-common.jar, flex-messaging-core.jar
       and flex-messaging-data.jar to the /WEB-INF/lib/ directory of the
       LiveCycle Data Services Web application you want to apply the
       hotfix to, overwriting the existing versions of these files, and
       then restart your server.
    3. Copy the file flex-messaging-common.jar to the /lib directory of
       your Flex SDK. This is only necessary if you need to compile your
       application against a services-config.xml file with the validators
       configuration. It is not necessary to recompile your application to
       apply any of the changes that are part of this security hotfix.
       They are all server-side changes.

     LiveCycle Data Services 2.6.1
     Prerequisite: Requires that LiveCycle Data Services 2.6.1 is already
     installed.
     Installation Instructions:

    1. Download the patch zip file for LCDS 2.6.1, and extract the
       contents to your local file system.
    2. Copy the files flex-messaging-common.jar, flex-messaging-core.jar
       and flex-messaging-data.jar to the /WEB-INF/lib/ directory of the
       LiveCycle Data Services Web application you want to apply the
       hotfix to, overwriting the existing versions of these files, and
       then restart your server.
    3. Copy the file flex-messaging-common.jar to the /lib directory of
       your Flex SDK. This is only necessary if you need to compile your
       application against a services-config.xml file with the validators
       configuration. It is not necessary to recompile your application to
       apply any of the changes that are part of this security hotfix.
       They are all server-side changes.

     LiveCycle Data Services 3
     Prerequisite: Requires that LiveCycle Data Services 3 is already
     installed.
     Installation Instructions:

    1. Download the patch zip file for LCDS 3, and extract the
       contents to your local file system.
    2. Copy the files flex-messaging-common.jar, flex-messaging-core.jar
       and flex-messaging-data.jar to the /WEB-INF/lib/ directory of the
       LiveCycle Data Services Web application you want to apply the
       hotfix to, overwriting the existing versions of these files, and
       then restart your server.
    3. It is not necessary to recompile your application to apply any of
       the changes that are part of this security hotfix. They are all
       server-side changes.

     LiveCycle Data Services 3.1
     Prerequisite: Requires that LiveCycle Data Services 3.1 is already
     installed.
     Installation Instructions:

    1. Download the patch zip file for LCDS 3.1, and extract the
       contents to your local file system.
    2. Copy the files flex-messaging-common.jar, flex-messaging-core.jar
       and flex-messaging-data.jar to the /WEB-INF/lib/ directory of the
       LiveCycle Data Services Web application you want to apply the
       hotfix to, overwriting the existing versions of these files, and
       then restart your server.
    3. It is not necessary to recompile your application to apply any of
       the changes that are part of this security hotfix. They are all
       server-side changes.

     LiveCycle 9.0.0.2, 8.2.1.3 and 8.0.1.3
     Download the appropriate Quick Fix for your version and respective
     platform/operating system of LiveCycle. Then review the Readme and
     follow the directions contained within to install:

     LiveCycle 9.0.0.2:
     Readme: QF2.73_9002

   Download            JBoss
   Operating System    Windows
   Filename            JBoss_build_configuration.zip
   MD5                 1eec5f0840f909443e0604fc5139dd1b
   File Size           346M

   Download            WebLogic
   Operating System    Windows
   Filename            WebLogic_build_configuration.zip
   MD5                 e9d9807023226ae272043804a329067f
   File Size           346M

   Download            WebSphere
   Operating System    Windows
   Filename            WebSphere_build_configuration.zip
   MD5                 f4c185d5fbec5653b135851562439ee4
   File Size           405M

   Download            JBoss
   Operating System    Unix
   Filename            jboss_build_configuration_unix.tar.gz
   MD5                 19522f1ef1141d0176af78afeb32b3b1
   File Size           346M

   Download            WebLogic
   Operating System    Unix
   Filename            weblogic_build_configuration_unix.tar.gz
   MD5                 d8d7bbaa3c0ece73fe816e19a4466258
   File Size           346M

   Download            WebSphere
   Operating System    Unix
   Filename            websphere_build_configuration_unix.tar.gz
   MD5                 562a15de38f1c5647b0ef0fa2805ea03
   File Size           405M


     LiveCycle 8.2.1.3:
     Readme: QF3.134_8213

    Operating System  Windows
    Filename          x86_win32_build_configuration.zip
    MD5               38821142e06f9550ddfacef957ce4137
    File Size         238M

    Operating System  Linux
    Filename          x86_linux_build_configuration.tar.gz
    MD5               bc9e9d5719e2d2d261043fa3a9a585e8
    File Size         213M

    Operating System  Sun OS
    Filename          sunos_build_configuration.tar.gz
    MD5               d71331deb3522ed663a670280b2d514d
    File Size         213M

    Operating System  AIX
    Filename          aix_build_configuration.tar.gz
    MD5               4b01a13e220d8493fda3c8d1500188f0
    File Size         213M

     LiveCycle 8.0.1.3:
     Readme: QF3.24_801


    Operating System  Windows
    Filename          x86_win32_build_configuration.zip
    MD5               4f36c6ebdb59b3d67cf4df55c0c38bdc
    File Size         274M

    Operating System  Linux
    Filename          x86_linux_build_configuration.tar.gz
    MD5               e6bb84903879929aa5a6eab5fab2dc81
    File Size         249M

    Operating System  Sun OS
    Filename          sunos_build_configuration.tar.gz
    MD5               40b1dda0d6bca92b3b807cacb20ae0b0
    File Size         249M

    Operating System  AIX
    Filename          aix_build_configuration.tar.gz
    MD5               678ead1d58cc3f1e57d0aed44919e4a3
    File Size

     BlazeDS 4.0.1
     Prerequisite: Requires that BlazeDS 4.0.1 is already installed.
     Installation Instructions:

    1. Download the patch zip file for BlazeDS 4.0.1, and extract the
       contents to your local file system.
    2. Copy the files flex-messaging-common.jar and
       flex-messaging-core.jar to the /WEB-INF/lib/ directory of the
       BlazeDS Web application you want to apply the hotfix to,
       overwriting the existing versions of these files, and then restart
       your server.
    3. It is not necessary to recompile your application to apply any of
       the changes that are part of this security hotfix. They are all
       server-side changes.

     Note: For earlier versions of BlazeDS, it is strongly recommended
     that you upgrade to the latest release build of BlazeDS 4.0.1 and
     then apply the security patch by following the installation
     instructions above.
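     The following shell script is an added example; it is not part of
     Adobe's bulletin or of the Quick Fix packages. It covers the two
     checks a deployer wants around the procedure above: confirming a
     downloaded Quick Fix archive against the MD5 published in the
     bulletin before unpacking it, and confirming, after step 2, that
     the jars in a web application's WEB-INF/lib are byte-for-byte the
     copies shipped in the extracted patch (a stale jar left behind
     shows up as a mismatch). It also tests whether a services-config.xml
     carries the validators element that step 3 refers to. The hash
     table is copied from the LiveCycle 9.0.0.2 download table above;
     the directory layout and file names in the usage comment are
     assumptions.

```sh
#!/bin/sh
# Added example: verify an Adobe Quick Fix download and a deployed hotfix.
# The MD5 values below are copied from the LiveCycle 9.0.0.2 table in
# APSB11-15; all paths and web application names are constructed assumptions.

# Portable MD5: md5sum (GNU), md5 (BSD/macOS), or openssl as a fallback.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | awk '{ print $NF }'
    fi
}

# Look up the MD5 Adobe published for a LiveCycle 9.0.0.2 Quick Fix archive.
# Prints the hash; returns 1 for a file name that is not in the bulletin.
expected_md5() {
    case "$1" in
        JBoss_build_configuration.zip)             echo 1eec5f0840f909443e0604fc5139dd1b ;;
        WebLogic_build_configuration.zip)          echo e9d9807023226ae272043804a329067f ;;
        WebSphere_build_configuration.zip)         echo f4c185d5fbec5653b135851562439ee4 ;;
        jboss_build_configuration_unix.tar.gz)     echo 19522f1ef1141d0176af78afeb32b3b1 ;;
        weblogic_build_configuration_unix.tar.gz)  echo d8d7bbaa3c0ece73fe816e19a4466258 ;;
        websphere_build_configuration_unix.tar.gz) echo 562a15de38f1c5647b0ef0fa2805ea03 ;;
        *) return 1 ;;
    esac
}

# verify_md5 FILE EXPECTED: 0 if FILE hashes to EXPECTED, 1 otherwise.
# Case-insensitive, since vendors print hashes in either case.
verify_md5() {
    actual=$(md5_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# verify_download FILE: look the file name up in the bulletin table and check
# the archive against it. Returns 2 if the name is unknown, 1 on mismatch.
verify_download() {
    name=$(basename "$1")
    expected=$(expected_md5 "$name") || { echo "$name: not in bulletin table" >&2; return 2; }
    if verify_md5 "$1" "$expected"; then
        echo "$name: MD5 OK"
    else
        echo "$name: MD5 MISMATCH, do not unpack" >&2
        return 1
    fi
}

# jars_deployed PATCH_DIR WEBAPP_DIR JAR...: 0 only if every named jar exists in
# WEBAPP_DIR/WEB-INF/lib and is byte-identical to the copy in PATCH_DIR.
jars_deployed() {
    patch_dir=$1; webapp=$2; shift 2
    status=0
    for jar in "$@"; do
        deployed="$webapp/WEB-INF/lib/$jar"
        if [ ! -f "$deployed" ]; then
            echo "$webapp: $jar missing from WEB-INF/lib" >&2; status=1
        elif ! cmp -s "$patch_dir/$jar" "$deployed"; then
            echo "$webapp: $jar differs from the patch copy" >&2; status=1
        fi
    done
    return $status
}

# has_validators SERVICES_CONFIG: 0 if the file contains a <validators> element,
# the configuration the bulletin says the hotfix can be compiled against.
has_validators() {
    grep -q '<validators' "$1"
}

# Usage (assumed layout, not from the bulletin):
#   verify_download ~/Downloads/jboss_build_configuration_unix.tar.gz
#   jars_deployed ./patch /opt/jboss/server/lc/deploy/lcds.war \
#       flex-messaging-common.jar flex-messaging-core.jar flex-messaging-data.jar
#   has_validators /opt/jboss/server/lc/deploy/lcds.war/WEB-INF/flex/services-config.xml
```

     Run verify_download on each archive before extracting it, and
     jars_deployed against every web application that received the
     hotfix, since step 2 must be repeated per deployed application.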

Severity rating

   Adobe categorizes these as important updates and recommends that
   users apply the latest update for their product installations by
   following the instructions in the "Solution" section above.

Details

   Two important security vulnerabilities have been identified in
   LiveCycle Data Services and BlazeDS. These vulnerabilities affect
   LiveCycle Data Services 3.1, 2.6.1, 2.5.1 and earlier versions for
   Windows, Macintosh and UNIX, and LiveCycle 9.0.0.2, 8.2.1.3, 8.0.1.3
   and earlier versions for Windows, Linux and UNIX. These vulnerabilities
   also affect BlazeDS 4.0.1 and earlier versions. Adobe recommends users
   update their product installations using the instructions provided in
   the "Solution" section above.

   These updates resolve a vulnerability in AMF/AMFX deserialization that
   allowed unrestricted class creation and poses a security risk
   (CVE-2011-2092).

   These updates resolve a vulnerability in which a complex object graph
   could lead to a denial of service (CVE-2011-2093).

Acknowledgments

   Adobe would like to thank Wouter Coekaerts (CVE-2011-2092,
   CVE-2011-2093) for reporting the relevant issues and for working with
   Adobe to help protect our customers.

   Copyright © 2011 Adobe Systems Incorporated. All rights reserved.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://www.auscert.org.au/1967

iD8DBQFN+V1C/iFOrG6YcBERAnNkAKDQh5WH2PZNcPtJDfdMIZCBukDsmACgrg5U
uWmzO5dcKPVwc1eYmUBr5dI=
=m+tY
-----END PGP SIGNATURE-----