-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0642
   Security update available for LiveCycle Data Services, LiveCycle ES,
                                 and BlazeDS
                                16 June 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           LiveCycle Data Services
                   LiveCycle
                   BlazeDS
Publisher:         Adobe
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service    -- Unknown/Unspecified
                   Increased Privileges -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-2093 CVE-2011-2092

Original Bulletin:
   http://www.adobe.com/support/security/bulletins/apsb11-15.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Security update available for LiveCycle Data Services, LiveCycle ES, and
BlazeDS

Release date: June 14, 2011
Vulnerability identifier: APSB11-15
CVE number: CVE-2011-2092, CVE-2011-2093
Platform: All Platforms

Summary

Two important security vulnerabilities have been identified in LiveCycle
Data Services and BlazeDS. These vulnerabilities affect LiveCycle Data
Services 3.1, 2.6.1, 2.5.1 and earlier versions for Windows, Macintosh and
UNIX, and LiveCycle 9.0.0.2, 8.2.1.3, 8.0.1.3 and earlier versions for
Windows, Linux and UNIX. These vulnerabilities also affect BlazeDS 4.0.1
and earlier versions. Adobe recommends users update their product
installations using the instructions provided in the "Solution" section
below.
Affected software versions

* LiveCycle Data Services 3.1, 2.6.1, 2.5.1 and earlier versions for
  Windows, Macintosh and UNIX
* LiveCycle 9.0.0.2, 8.2.1.3, 8.0.1.3 and earlier versions for Windows,
  Linux and UNIX
* BlazeDS 4.0.1 and earlier versions

Solution

Adobe recommends users update their LiveCycle Data Services, LiveCycle,
and/or BlazeDS installations by applying the relevant update(s) using the
instructions below:

LiveCycle Data Services

Flex Data Services 2.0.1

Prerequisite: Requires that Flex Data Services 2.0.1 is already installed.

Installation Instructions:

1. Download the patch zip file for FDS 2.0.1, and extract the contents to
   your local file system.
2. Copy the files flex-messaging-common.jar and flex-messaging.jar to the
   /WEB-INF/lib/ directory of the Flex Data Services Web application you
   want to apply the hotfix to, overwriting the existing versions of these
   files, and then restart your server.
3. Copy the file flex-messaging-common.jar to the /lib directory of your
   Flex SDK. This is only necessary if you need to compile your
   application against a services-config.xml file with the validators
   configuration.

It is not necessary to recompile your application to apply any of the
changes that are part of this security hotfix. They are all server-side
changes.

LiveCycle Data Services 2.5

Prerequisite: Requires that LiveCycle Data Services 2.5 is already
installed.

Installation Instructions:

1. Download the patch zip file for LCDS 2.5, and extract the contents to
   your local file system.
2. Copy the files flex-messaging-common.jar and flex-messaging.jar to the
   /WEB-INF/lib/ directory of the LiveCycle Data Services Web application
   you want to apply the hotfix to, overwriting the existing versions of
   these files, and then restart your server.
3. Copy the file flex-messaging-common.jar to the /lib directory of your
   Flex SDK. This is only necessary if you need to compile your
   application against a services-config.xml file with the validators
   configuration.

It is not necessary to recompile your application to apply any of the
changes that are part of this security hotfix. They are all server-side
changes.

LiveCycle Data Services 2.5.1

Prerequisite: Requires that LiveCycle Data Services 2.5.1 is already
installed.

Installation Instructions:

1. Download the patch zip file for LCDS 2.5.1, and extract the contents
   to your local file system.
2. Copy the files flex-messaging-common.jar and flex-messaging.jar to the
   /WEB-INF/lib/ directory of the LiveCycle Data Services Web application
   you want to apply the hotfix to, overwriting the existing versions of
   these files, and then restart your server.
3. Copy the file flex-messaging-common.jar to the /lib directory of your
   Flex SDK. This is only necessary if you need to compile your
   application against a services-config.xml file with the validators
   configuration.

It is not necessary to recompile your application to apply any of the
changes that are part of this security hotfix. They are all server-side
changes.

LiveCycle Data Services 2.6

Prerequisite: Requires that LiveCycle Data Services 2.6 is already
installed.

Installation Instructions:

1. Download the patch zip file for LCDS 2.6, and extract the contents to
   your local file system.
2. Copy the files flex-messaging-common.jar, flex-messaging-core.jar and
   flex-messaging-data.jar to the /WEB-INF/lib/ directory of the LiveCycle
   Data Services Web application you want to apply the hotfix to,
   overwriting the existing versions of these files, and then restart your
   server.
3. Copy the file flex-messaging-common.jar to the /lib directory of your
   Flex SDK. This is only necessary if you need to compile your
   application against a services-config.xml file with the validators
   configuration.

It is not necessary to recompile your application to apply any of the
changes that are part of this security hotfix. They are all server-side
changes.
LiveCycle Data Services 2.6.1

Prerequisite: Requires that LiveCycle Data Services 2.6.1 is already
installed.

Installation Instructions:

1. Download the patch zip file for LCDS 2.6.1, and extract the contents
   to your local file system.
2. Copy the files flex-messaging-common.jar, flex-messaging-core.jar and
   flex-messaging-data.jar to the /WEB-INF/lib/ directory of the LiveCycle
   Data Services Web application you want to apply the hotfix to,
   overwriting the existing versions of these files, and then restart your
   server.
3. Copy the file flex-messaging-common.jar to the /lib directory of your
   Flex SDK. This is only necessary if you need to compile your
   application against a services-config.xml file with the validators
   configuration.

It is not necessary to recompile your application to apply any of the
changes that are part of this security hotfix. They are all server-side
changes.

LiveCycle Data Services 3

Prerequisite: Requires that LiveCycle Data Services 3 is already
installed.

Installation Instructions:

1. Download the patch zip file for LCDS 3, and extract the contents to
   your local file system.
2. Copy the files flex-messaging-common.jar, flex-messaging-core.jar and
   flex-messaging-data.jar to the /WEB-INF/lib/ directory of the LiveCycle
   Data Services Web application you want to apply the hotfix to,
   overwriting the existing versions of these files, and then restart your
   server.
3. It is not necessary to recompile your application to apply any of the
   changes that are part of this security hotfix. They are all server-side
   changes.

LiveCycle Data Services 3.1

Prerequisite: Requires that LiveCycle Data Services 3.1 is already
installed.

Installation Instructions:

1. Download the patch zip file for LCDS 3.1, and extract the contents to
   your local file system.
2. Copy the files flex-messaging-common.jar, flex-messaging-core.jar and
   flex-messaging-data.jar to the /WEB-INF/lib/ directory of the LiveCycle
   Data Services Web application you want to apply the hotfix to,
   overwriting the existing versions of these files, and then restart your
   server.
3. It is not necessary to recompile your application to apply any of the
   changes that are part of this security hotfix. They are all server-side
   changes.

LiveCycle 9.0.0.2, 8.2.1.3 and 8.0.1.3

Download the appropriate Quick Fix for your version and respective
platform/operating system of LiveCycle. Then review the Readme and follow
the directions contained within to install:

LiveCycle 9.0.0.2:
Readme: QF2.73_9002

  Download   Operating System  Filename                                   MD5                               File Size
  JBoss      Windows           JBoss_build_configuration.zip              1eec5f0840f909443e0604fc5139dd1b  346M
  WebLogic   Windows           WebLogic_build_configuration.zip           e9d9807023226ae272043804a329067f  346M
  WebSphere  Windows           WebSphere_build_configuration.zip          f4c185d5fbec5653b135851562439ee4  405M
  JBoss      Unix              jboss_build_configuration_unix.tar.gz      19522f1ef1141d0176af78afeb32b3b1  346M
  WebLogic   Unix              weblogic_build_configuration_unix.tar.gz   d8d7bbaa3c0ece73fe816e19a4466258  346M
  WebSphere  Unix              websphere_build_configuration_unix.tar.gz  562a15de38f1c5647b0ef0fa2805ea03  405M

LiveCycle 8.2.1.3:
Readme: QF3.134_8213

  Operating System  Filename                               MD5                               File Size
  Windows           x86_win32_build_configuration.zip      38821142e06f9550ddfacef957ce4137  238M
  Linux             x86_linux_build_configuration.tar.gz   bc9e9d5719e2d2d261043fa3a9a585e8  213M
  Sun OS            sunos_build_configuration.tar.gz       d71331deb3522ed663a670280b2d514d  213M
  AIX               aix_build_configuration.tar.gz         4b01a13e220d8493fda3c8d1500188f0  213M

LiveCycle 8.0.1.3:
Readme: QF3.24_801

  Operating System  Filename                               MD5                               File Size
  Windows           x86_win32_build_configuration.zip      4f36c6ebdb59b3d67cf4df55c0c38bdc  274M
  Linux             x86_linux_build_configuration.tar.gz   e6bb84903879929aa5a6eab5fab2dc81  249M
  Sun OS            sunos_build_configuration.tar.gz       40b1dda0d6bca92b3b807cacb20ae0b0  249M
  AIX               aix_build_configuration.tar.gz         678ead1d58cc3f1e57d0aed44919e4a3

BlazeDS 4.0.1

Prerequisite: Requires that BlazeDS 4.0.1 is already installed.

Installation Instructions:

1. Download the patch zip file for BlazeDS 4.0.1, and extract the contents
   to your local file system.
2. Copy the files flex-messaging-common.jar and flex-messaging-core.jar to
   the /WEB-INF/lib/ directory of the BlazeDS Web application you want to
   apply the hotfix to, overwriting the existing versions of these files,
   and then restart your server.
3. It is not necessary to recompile your application to apply any of the
   changes that are part of this security hotfix. They are all server-side
   changes.

Note: For earlier versions of BlazeDS, it is strongly recommended that you
upgrade to the latest release build of BlazeDS 4.0.1 and then apply the
security patch by following the installation instructions above.

Severity rating

Adobe categorizes these as important updates and recommends that users
apply the latest update for their product installations by following the
instructions in the "Solution" section above.

Details

Two important security vulnerabilities have been identified in LiveCycle
Data Services and BlazeDS. These vulnerabilities affect LiveCycle Data
Services 3.1, 2.6.1, 2.5.1 and earlier versions for Windows, Macintosh and
UNIX, and LiveCycle 9.0.0.2, 8.2.1.3, 8.0.1.3 and earlier versions for
Windows, Linux and UNIX. These vulnerabilities also affect BlazeDS 4.0.1
and earlier versions.
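The download-verify-copy procedure from the "Solution" section, as an added example that is not part of the Adobe bulletin or AusCERT's text: a POSIX sh script that checks a Quick Fix download against the MD5 listed in the tables above before it is unpacked, then copies the hotfix jars into WEB-INF/lib, keeping a backup of every jar it overwrites. The function names, the backup suffix and all paths are assumptions; the jar names and MD5 values come from the bulletin.

```shell
#!/bin/sh
# Added example, not part of the Adobe/AusCERT bulletin. Checks a Quick Fix
# download against the MD5 printed in the bulletin, then stages the hotfix
# jars into WEB-INF/lib with a backup of every jar being replaced.
# Assumptions: POSIX sh; md5sum (Linux) or md5 (BSD/macOS) on PATH; the
# backup suffix and all paths are placeholders you set for your server.
set -u

# Print the lowercase MD5 hex digest of a file.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Compare a download against the digest from the bulletin's table.
# Returns 0 on match, 1 on mismatch (do not unpack a mismatching archive).
verify_md5() {
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$(md5_of "$1")" = "$expected" ]
}

# Copy the hotfix jars named in the bulletin into WEB-INF/lib.
# $1 = directory the patch zip was extracted to, $2 = web application root,
# remaining args = the jar names for your version (for BlazeDS 4.0.1:
# flex-messaging-common.jar flex-messaging-core.jar). A jar that is
# already present is saved as <jar>.pre-apsb11-15.<timestamp> first.
# Returns 1 and changes nothing if a named jar is missing from the patch.
apply_hotfix_jars() {
    patch_dir=$1; webapp=$2; shift 2
    lib="$webapp/WEB-INF/lib"
    [ -d "$lib" ] || { echo "no such directory: $lib" >&2; return 1; }
    for jar in "$@"; do
        [ -f "$patch_dir/$jar" ] || { echo "missing in patch: $jar" >&2; return 1; }
    done
    stamp=$(date +%Y%m%d%H%M%S)
    for jar in "$@"; do
        if [ -f "$lib/$jar" ]; then
            cp "$lib/$jar" "$lib/$jar.pre-apsb11-15.$stamp" || return 1
        fi
        cp "$patch_dir/$jar" "$lib/$jar" || return 1
    done
    echo "hotfix jars installed; restart the server to load them"
}
```

Call verify_md5 on the archive with the MD5 from the table for your platform, and only then extract it and pass the extracted directory to apply_hotfix_jars; the server must still be restarted by hand, as the bulletin says.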
Adobe recommends users update their product installations using the
instructions provided in the "Solution" section above.

These updates resolve an unrestricted class creation during AMF/AMFX
deserialization vulnerability that poses a security risk (CVE-2011-2092).

These updates resolve a complex object graph vulnerability that could lead
to a denial of service (CVE-2011-2093).

Acknowledgments

Adobe would like to thank Wouter Coekaerts (CVE-2011-2092, CVE-2011-2093)
for reporting the relevant issues and for working with Adobe to help
protect our customers.

Copyright © 2011 Adobe Systems Incorporated. All rights reserved.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://www.auscert.org.au/1967

iD8DBQFN+V1C/iFOrG6YcBERAnNkAKDQh5WH2PZNcPtJDfdMIZCBukDsmACgrg5U
uWmzO5dcKPVwc1eYmUBr5dI=
=m+tY
-----END PGP SIGNATURE-----