CVE-2015-3269

Published: 25/08/2015 Updated: 11/03/2022
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

Apache Flex BlazeDS, as used in flex-messaging-core.jar in Adobe LiveCycle Data Services (LCDS) 3.0.x prior to 3.0.0.354170, 4.5 prior to 4.5.1.354169, 4.6.2 prior to 4.6.2.354169, and 4.7 prior to 4.7.0.354169 and other products, allows remote malicious users to read arbitrary files via an AMF message containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Vulnerable Product

hp business service management

adobe livecycle data services 3.0

adobe livecycle data services 4.5

adobe livecycle data services 4.6

adobe livecycle data services 4.7

Recent Articles

VMware warns of info leaks flowing from Apache-Adobe mess
The Register • Simon Sharwood • 19 Nov 2015

Here's a reason to bite the bullet and upgrade to vCenter 6.0

VMware has warned users of its vCenter, vCloud Director and Horizon products that they need to patch a flaw in Flex BlazeDS. The flaw, CVE-2015-3269, means Apache Flex BlazeDS “allows remote attackers to read arbitrary files via an AMF message containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.” The Apache software creates problems when “used in flex-messaging-core.jar in Adobe LiveCycle Data Services”. The...

Still using ColdFusion? Really? Well, you'll want to install this patch
The Register • Shaun Nichols in San Francisco • 27 Aug 2015

Adobe patches data-slurping flaw in web app builder

Adobe is advising users and administrators running ColdFusion to patch their software following the release of a security fix for an information disclosure vulnerability. The ColdFusion HotFix addresses a vulnerability in the handling of XML data for ColdFusion 10 and 11. Both patches address a single CVE-listed security vulnerability, CVE-2015-3269. The flaw, if exploited, would allow an attacker to potentially view files on the targeted system, leading to information disclosure. Adobe has list...

iOS storing enterprise credentials in directory anyone can read
The Register • Darren Pauli • 21 Aug 2015

Patch now. Just do it (but 70 percent of you won't)

Security bod Kevin Watkins says Apple is storing enterprise credentials in a readable-by-anybody directory that is ripe for data theft. The sandbox vulnerability (CVE-2015-3269) affects all apps that use the managed app configuration setting in devices that have not applied the most recent iOS 8.4.1 update. Watkins says sensitive enterprise data is exposed when IT issues autofill corporate credentials to managed devices to simplify login processes. "IT will commonly send the credential and authe...