
Vulnerability Bulletins


Privilege escalation in Adobe BlazeDS, Flex and ColdFusion

Vulnerability classification

Property Value
Confidence level Official
Impact Privilege escalation
Difficulty Expert
Required attacker level Remote access to a standard service, no account required

System information

Property Value
Affected manufacturer Commercial software (Adobe)
Affected software Adobe BlazeDS 3.2
Adobe LiveCycle 8 and 9
Adobe LiveCycle Data Services
Adobe Flex Data Services
Adobe ColdFusion 7, 8 and 9

Description

A vulnerability has been discovered in BlazeDS 3.2, LiveCycle 8 and 9, LiveCycle Data Services, Flex Data Services and ColdFusion 7, 8 and 9.

A remote attacker, without any account on the service, could obtain sensitive information through the handling of requests that carry XML documents containing references to external entities (XML external entity, XXE, injection): the XML parser used to process such requests resolves the external reference, so content the attacker should not be able to reach can be disclosed.

A proof of concept is available.
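The mechanism described above, as an added example that is not part of this bulletin and is not Adobe's code. It uses Python's expat bindings (BlazeDS itself is Java, but the parser policy is the same in any XML library) to parse a constructed XML message under three configurations: the pre-patch behaviour, where the parser follows the entity's SYSTEM identifier and the referenced content ends up inside the parsed message; external entity resolution switched off, where the reference expands to nothing; and a hardened parser that refuses any DOCTYPE at all. The message, the `file:///etc/passwd` target and the in-memory file store standing in for the server's filesystem are all constructed for the example.

```python
"""XXE demonstration: the external-entity behaviour behind CVE-2009-3960-style
bugs, beside two hardened parser policies.  Added example, not Adobe's code."""
from xml.parsers import expat

# Constructed stand-in for the server's filesystem so the example runs
# offline; a real parser would open the URL and read the real file.
FAKE_FILES = {
    "file:///etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
}

# Constructed attacker request: the DTD declares an external entity that
# points at a server-local file, and the body references it.
XXE_REQUEST = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<!DOCTYPE amfx [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
    '<amfx ver="3"><body><object><string>&xxe;</string></object></body></amfx>'
)

# Constructed legitimate request with no DTD at all.
BENIGN_REQUEST = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<amfx ver="3"><body><object><string>hello</string></object></body></amfx>'
)


def _parse(xml_text, resolve_external, allow_dtd):
    """Return the document's character data under the given parser policy."""
    parts = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = parts.append

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Raising inside a handler aborts the parse; the exception propagates
        # out of Parse(), so the request is rejected before any entity exists.
        if not allow_dtd:
            raise ValueError("DOCTYPE declarations are not accepted")

    def on_external_entity(context, base, system_id, public_id):
        if not resolve_external:
            return 1  # reference expands to nothing; parsing continues
        # Vulnerable path: fetch the referenced resource and parse it as part
        # of the document, so its content becomes part of the message.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(FAKE_FILES.get(system_id, ""), True)
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_text, True)
    return "".join(parts)


def parse_vulnerable(xml_text):
    """Pre-patch behaviour: DTDs accepted and external entities resolved."""
    return _parse(xml_text, resolve_external=True, allow_dtd=True)


def parse_entities_disabled(xml_text):
    """External entity resolution off: the entity reference yields no text."""
    return _parse(xml_text, resolve_external=False, allow_dtd=True)


def parse_hardened(xml_text):
    """Reject any DOCTYPE outright and keep external resolution off."""
    return _parse(xml_text, resolve_external=False, allow_dtd=False)


def hardened_rejects(xml_text):
    """True if the hardened parser refuses the document."""
    try:
        parse_hardened(xml_text)
    except ValueError:
        return True
    return False


def request_looks_like_xxe(body):
    """Cheap request-level signal for a WAF or front-end filter.  Caveat: a
    byte-pattern check can be evaded (e.g. a UTF-16 encoded body), so it
    complements the parser policy above, it does not replace it."""
    return "<!DOCTYPE" in body or "<!ENTITY" in body


if __name__ == "__main__":
    print("vulnerable :", repr(parse_vulnerable(XXE_REQUEST)))
    print("ges off    :", repr(parse_entities_disabled(XXE_REQUEST)))
    print("hardened   :", "rejected" if hardened_rejects(XXE_REQUEST) else "accepted")
    print("benign     :", repr(parse_hardened(BENIGN_REQUEST)))
```

Refusing the DOCTYPE is the setting to prefer: it removes the whole entity mechanism rather than only the file fetch, so it also covers internal-entity expansion attacks and parameter-entity variants that a "resolve external entities" switch alone leaves open. The request-level string check is useful as a detection signal in front of an unpatched service, but only the parser configuration (or the vendor hotfix) closes the bug.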

Solution

Software update

Adobe
BlazeDS: http://download.macromedia.com/pub/security/bulletins/blz32_hf_12617.zip
LiveCycle 9.0: http://download.macromedia.com/pub/security/bulletins/livecycle9_0.zip
LiveCycle 8.2.1: http://download.macromedia.com/pub/security/bulletins/livecycle8_2_1.zip
LiveCycle 8.0.1: http://download.macromedia.com/pub/security/bulletins/livecycle8_0_1.zip
LiveCycle Data Services 2.5.1: http://download.macromedia.com/pub/security/bulletins/lcds251_hf_262793.zip
LiveCycle Data Services 2.6.1: http://download.macromedia.com/pub/security/bulletins/lcds261_hf_262977.zip
LiveCycle Data Services 3.0: http://download.macromedia.com/pub/security/bulletins/lcds3_hf_262986.zip
Flex Data Services 2.0.1: http://download.macromedia.com/pub/security/bulletins/fds201_hf_262793b.zip
ColdFusion: http://kb2.adobe.com/cps/822/cpsid_82241.html

Standard references

Property Value
CVE CVE-2009-3960
BID 38197

Other resources

Adobe Security Bulletin (APSB10-05)
http://www.adobe.com/support/security/bulletins/apsb10-05.html

Version history

Version Comments Date
1.0 Advisory issued 2010-02-23
1.1 Advisory updated following Adobe's update of APSB10-05 2010-03-22
CCN-CERT (Ministerio de Defensa / CNI / CCN)