VMware has warned users of its vCenter, vCloud Director and Horizon products that they need to patch a flaw in Flex BlazeDS.

The flaw, CVE-2015-3269, means Apache Flex BlazeDS “allows remote attackers to read arbitrary files via an AMF message containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.” The Apache software creates problems when “used in flex-messaging-core.jar in Adobe LiveCycle Data Services”. The CVE notice we've linked to above explains the many versions of the Adobe software that has the problem.

There's a silver lining in this bug for VMware, as vCenter 6.0 is immune to it. Users of 5.x need to implement a fix, so perhaps some will go all the way and just go to version 6.0 while they're at it. Horizon View 6.0 users and those running the current version of vCloud Director (5.6) aren't so lucky: they can either download the updates VMware suggests or leave themselves exposed to the risk that “A specially crafted XML request sent to the server could lead to unintended information be disclosed.” ®