VMware has patched an information disclosure vulnerability affecting a number of its products that use Flex BlazeDS.
The original vulnerability was discovered and disclosed in August by Matthias Kaiser of Code White GmbH. Researchers there found an XML External Entity (XXE)
flaw in Apache Flex BlazeDS. XXE vulnerabilities arise in applications that parse attacker-supplied XML with a parser that resolves external entities: the attacker declares an entity that points at a local file and has its contents echoed back, disclosing files the server can read but the client should never see.
The Apache Foundation said in its advisory for CVE-2015-3269 that Apache Flex BlazeDS 4.7.0 was affected.
"When receiving XML encoded AMF messages containing DTD entities, the default XML parser configuration allows expanding of entities to local resources," the Apache advisory reads. "A request that included a specially crafted request parameter could be used to access content that would otherwise be protected."
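The mechanism the Apache advisory describes, as an added illustration that is not BlazeDS or VMware code: Python's xml.sax (expat) stands in for the Java XML parser, the request body is a constructed sample that is only loosely shaped like an AMFX message (not the real BlazeDS wire format), and the "secret" file is a temporary stand-in for a protected local resource. The same request is parsed three ways: with external general entities resolved (the weak default the advisory refers to), with entity resolution switched off, and with any DOCTYPE rejected outright, which is the usual hardening because a legitimate AMF client never sends a DTD.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, property_lexical_handler

# Added example of the XXE bug class behind CVE-2015-3269; not BlazeDS code.
# Python's expat-based xml.sax stands in for the Java parser, and the message
# below is a constructed sample, only loosely AMFX-shaped.


class DtdNotAllowed(ValueError):
    """Raised when a request carries a DOCTYPE, which a legitimate AMF client never sends."""


class DtdRejector:
    """Lexical handler whose only job is to abort on <!DOCTYPE> before any entity is declared."""

    def startDTD(self, name, public_id, system_id):
        raise DtdNotAllowed(f"DTD in request (root {name!r}) rejected")

    def endDTD(self):
        pass

    # expat's SAX reader also wires up these callbacks; they are no-ops here.
    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


class StringCollector(ContentHandler):
    """Gathers the text of each <string> element, where an attacker would echo the entity."""

    def __init__(self):
        super().__init__()
        self.strings = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "string":
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "string" and self._buf is not None:
            self.strings.append("".join(self._buf))
            self._buf = None


def write_secret_file(content="s3cr3t-token"):
    """Stand-in for a protected local file the server process can read (constructed)."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path


def build_message(secret_path):
    """Attacker-supplied body: an internal DTD declares an entity pointing at a local file."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE amfx [\n"
        f'  <!ENTITY xxe SYSTEM "{secret_path}">\n'
        "]>\n"
        '<amfx ver="3"><body><object><string>&xxe;</string></object></body></amfx>\n'
    ).encode()


def parse_message(xml_bytes, resolve_external_entities, reject_dtd=False):
    """Parse as a server would. resolve_external_entities=True is the weak setting;
    reject_dtd=True is the hardened one (no DTD means no entity declarations at all)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    if reject_dtd:
        parser.setProperty(property_lexical_handler, DtdRejector())
    handler = StringCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.strings


def demo():
    """Run one crafted request through the weak, entity-disabled and DTD-rejecting setups."""
    path = write_secret_file()
    try:
        msg = build_message(path)
        result = {
            "leaked": parse_message(msg, resolve_external_entities=True),
            "safe": parse_message(msg, resolve_external_entities=False),
        }
        try:
            parse_message(msg, resolve_external_entities=True, reject_dtd=True)
            result["dtd_rejected"] = False
        except DtdNotAllowed:
            result["dtd_rejected"] = True
    finally:
        os.unlink(path)
    return result


if __name__ == "__main__":
    print(demo())
```

With entity resolution on, the file's contents come back inside the `<string>` element exactly as the attacker's response would carry them; with it off, the entity expands to nothing; with DTDs rejected, the request never reaches the entity declaration at all. Rejecting the DTD is the stronger of the two fixes because it also removes entity-expansion denial of service and parameter-entity tricks that a feature flag on general entities alone does not cover.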
In its advisory, VMware described the affected products as follows:
"VMware products that use Flex BlazeDS may be affected by a flaw in the processing of XML External Entity (XXE) requests," VMware said. "A specially crafted XML request sent to the server could lead to unintended information being disclosed."