Adobe issues hotfix patch for ColdFusion vulnerability

The XXE security flaw could result in user information leaks and theft.

Adobe has issued a hotfix for ColdFusion which fixes the same data loss flaw recently patched in the LiveCycle Data Services application framework.

A hotfix, otherwise known as a Quick Fix Engineering update (QFE update), is a lightweight software patch which does not require a reboot. On Thursday, Adobe issued a hotfix which prevents exploitation of CVE-2015-3269, an XML External Entity (XXE) issue.

"This hotfix resolves an issue associated with the parsing of crafted XML external entities in BlazeDS that could lead to information disclosure," the security advisory states.

According to the National Vulnerability Database, the medium-severity issue is found within the Apache Flex BlazeDS element of Adobe LiveCycle Data Services (LCDS) and ColdFusion.

If exploited, the flaw could allow remote attackers to read arbitrary files through the parsing of crafted XML external entities.
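As an added illustration (not code from the advisory, Adobe or Apache Flex) of the parser policy that closes off this class of flaw: a pre-parse gate, built on Python's standard-library expat bindings, that rejects any DOCTYPE, entity declaration or external entity reference before untrusted XML reaches the application parser. The sample documents are constructed, and the SYSTEM target in the hostile one is a placeholder.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

class UnsafeXmlError(ValueError):
    """Untrusted XML carried a DOCTYPE, an entity declaration or an external reference."""

def reject_doctype_and_entities(data: bytes) -> None:
    """Pre-parse gate: fail fast on any DOCTYPE, entity declaration or external
    entity reference. Nothing is resolved here; expat only reports what it sees."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE {name!r} is not allowed in untrusted XML")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXmlError(f"entity declaration {name!r} is not allowed")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXmlError(f"external entity reference to {sysid!r} blocked")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    # Never expand parameter entities, so no external DTD is ever fetched.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(data, True)

def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Hand the document to the application parser only after the gate passes."""
    reject_doctype_and_entities(data)
    return ET.fromstring(data)

def is_safe_xml(data: bytes) -> bool:
    """True if the gate accepts the document; False if it is rejected or malformed."""
    try:
        reject_doctype_and_entities(data)
    except (UnsafeXmlError, expat.ExpatError):
        return False
    return True

# Constructed samples, not taken from the advisory or from real BlazeDS traffic.
BENIGN = b"<message><body>hello</body></message>"
# The input shape the advisory describes: a DOCTYPE declaring an external entity.
# The SYSTEM target is a placeholder, not a real path.
EXTERNAL_ENTITY = (b'<!DOCTYPE message [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
                   b"<message><body>&ext;</body></message>")
# A bare DOCTYPE is rejected too: the gate enforces a policy, not a signature.
BARE_DOCTYPE = b"<!DOCTYPE message><message/>"
```

Rejecting every DOCTYPE outright is the same stance as the "disallow DOCTYPE declaration" feature on hardened Java XML parsers: it removes the whole entity mechanism rather than trying to recognise hostile declarations one by one.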


Discovered by Matthias Kaiser of German cybersecurity firm Code White, the issue affects ColdFusion 10, update 16 and earlier versions, and ColdFusion 11, update 5 and earlier.

There are currently no known exploits, but Adobe recommends that administrators ensure their products have been updated within the next 30 days.

In July, Adobe issued fixes for two zero-day exploits uncovered through the Hacking Team information leak. The two critical flaws allowed attackers to remotely take control of vulnerable victim machines.
