Release date:
Updated on:
Affected Systems:
Adobe LiveCycle 9.0.0.2
Adobe LiveCycle 8.2.1.3
Adobe LiveCycle 8.0.1.3
Adobe LiveCycle Data Services 3.1
Adobe LiveCycle Data Services 2.6.1
Adobe LiveCycle Data Services 2.5.1
HP Systems Insight Manager 6.x
HP Systems Insight Manager 5.x
HP Systems Insight Manager 4.x
Granite Software GraniteDS 2.2
Unaffected Systems:
HP Systems Insight Manager 7.0
Granite Software GraniteDS 2.2.1
Description:
--------------------------------------------------------------------------------
Bugtraq ID: 48279
CVE ID: CVE-2011-2092
Adobe LiveCycle Data Services provides real-time data management and messaging for rich Internet applications (RIA). BlazeDS is a new open-source project from Adobe for remoting and web messaging, similar to JMS. GraniteDS 2.2.1 GA is a bug-fix and security release. Its major feature: Gravity is now supported on WebLogic 9.1+ servers.
The BlazeDS and GraniteDS implementations contain a remote code execution vulnerability. Successful exploitation lets an attacker execute arbitrary code, bypassing certain security restrictions.
<* Source: Wouter Coekaerts
Link: http://granitedataservices.com/blog/2011/06/14/granite-data-services-2-2-1-ga-released/
http://www.adobe.com/support/security/bulletins/apsb11-15.html
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Adobe
-----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.adobe.com/support/security/