VMware Patches Pesky XXE Bug in Flex BlazeDS

Michael Mimoso, threatpost.com
Nov 20, 2015 - 4:36 p.m.

EPSS: 0.009 (Low), percentile 80.5%

VMware has patched an information disclosure vulnerability affecting a number of its products that use Flex BlazeDS.

The original vulnerability was discovered and disclosed in August by Matthias Kaiser of Code White GmbH. Researchers there found an XML External Entity (XXE) flaw in Apache Flex BlazeDS. XXE vulnerabilities arise in applications that parse attacker-supplied XML with external entity resolution left enabled: the attacker declares an entity whose SYSTEM identifier points at a local file or internal URL, the parser reads that resource into the document, and its contents come back to the attacker in the response or an error message.

The Apache Foundation said in its advisory for CVE-2015-3269 that Apache Flex BlazeDS 4.7.0 was affected.

"When receiving XML encoded AMF messages containing DTD entities, the default XML parser configuration allows expanding of entities to local resources," the Apache advisory reads. "A request that included a specially crafted request parameter could be used to access content that would otherwise be protected."

VMware's advisory lists the following products as affected:

  • VMware vCenter Server 5.5 prior to version 5.5 update 3
  • VMware vCenter Server 5.1 prior to version 5.1 update 3b
  • VMware vCenter Server 5.0 prior to version 5.0 update 3e
  • vCloud Director 5.6 prior to version 5.6.4
  • vCloud Director 5.5 prior to version 5.5.3
  • VMware Horizon View 6.0 prior to version 6.1
  • VMware Horizon View 5.0 prior to version 5.3.4

"VMware products that use Flex BlazeDS may be affected by a flaw in the processing of XML External Entity (XXE) requests," VMware said. "A specially crafted XML request sent to the server could lead to unintended information being disclosed."
