What is Adobe BlazeDS?
Adobe BlazeDS is an open-source Java remoting and messaging technology that enables communication between server-side Java applications and Adobe Flex/Flash clients using the AMF (Action Message Format) binary protocol. BlazeDS was bundled with Adobe ColdFusion (Adobe's Java-based web application platform), Adobe LiveCycle (an enterprise forms and document management platform), and was available as a standalone Java library for other applications. In the late 2000s, BlazeDS-based applications were widely deployed in enterprise environments for data-rich Flex/Flash front-end applications — financial dashboards, HR portals, and enterprise reporting tools.
Overview
CVE-2009-3960 is a medium-severity information disclosure vulnerability (CVSS 6.5) in Adobe BlazeDS, as used in Adobe ColdFusion and LiveCycle. BlazeDS's XML processing fails to prevent XML External Entity (XXE) injection — a class of attack where a malicious XML document references external entities to cause the server to read local files or make server-side HTTP requests. An attacker who can submit XML to a BlazeDS-powered endpoint can exfiltrate server-side files (including configuration files, credential stores, and application data) or perform server-side request forgery (SSRF). Adobe patched this in APSB10-05 (February 2010). The ransomwareUse: true designation and unusually long 6-month CISA remediation deadline reflect its use in sophisticated attack chains that culminated in ransomware or other high-impact outcomes.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Adobe BlazeDS 3.2 and earlier | Affected | Upgrade to 3.2.0.3958 or apply APSB10-05 |
| Adobe ColdFusion 7, 8, 9 | Affected | Apply APSB10-05 |
| Adobe LiveCycle Data Services 2.5.x, 2.6.x, 3.0.x, 3.1.x | Affected | Apply APSB10-05 |
Technical Details
The vulnerability is an XML External Entity (XXE) injection flaw in BlazeDS's XML processing code. XXE is a class of attacks that exploit insecure XML parser configurations. The XML specification supports "external entities" — references to external resources (files, URLs) that the XML parser resolves and substitutes into the document during processing.
In the vulnerable BlazeDS code path:
- A client submits a request to a BlazeDS-powered web endpoint with a crafted XML body
- The XML body defines an external entity reference pointing to a local file (e.g., file:///etc/passwd or Windows credential files) or an internal network URL
- BlazeDS's XML parser resolves the external entity — reading the referenced file or making the HTTP request
- The resolved content is included in the XML document and returned in the response or processed by the application
- An attacker can read arbitrary files accessible to the Java application server process, including ColdFusion or LiveCycle configuration files containing database credentials, LDAP passwords, and other secrets
The SSRF aspect allows attackers to use the vulnerable server as a proxy to scan and interact with internal network resources not directly accessible from the attacker's position.
Discovery
Identified through security research into XML processing in enterprise Java applications. APSB10-05 was released in February 2010, addressing the XXE issue in BlazeDS and the products that embed it. XXE was a widespread vulnerability class in Java XML libraries of this era — Java's XML parsers enabled external entity resolution by default, requiring explicit configuration to disable it.
Exploitation Context
The ransomwareUse: true flag and the unusually long 6-month remediation deadline reflect how this vulnerability was used in sophisticated multi-stage attacks:
- RSA SecurID breach (2011): CVE-2009-3960 was identified as one of the vulnerabilities used in the 2011 attack against RSA Security, which ultimately compromised the seeds for RSA SecurID two-factor authentication tokens. Attackers used the Flash/BlazeDS XXE to exfiltrate data from RSA's internal servers as part of the broader intrusion campaign.
- Credential harvesting as ransomware precursor: XXE attacks against ColdFusion and LiveCycle servers often yielded database credentials, LDAP passwords, and application service account passwords stored in server configuration files. Attackers used these credentials to pivot laterally through enterprise networks before deploying ransomware.
- Enterprise application targeting: ColdFusion and LiveCycle were widely deployed in financial services, healthcare, and government — sectors with high-value data and systems targeted by ransomware operators.
- Long remediation window: CISA's 6-month deadline (vs. the typical 2–3 week window for critical vulnerabilities) reflects the operational complexity of patching enterprise ColdFusion/LiveCycle deployments without disrupting business applications.
Remediation
- Apply APSB10-05: Update Adobe BlazeDS, ColdFusion, and LiveCycle to patched versions per the security bulletin.
- Upgrade to current ColdFusion: ColdFusion 7 and 8 are end-of-life. Upgrade to current supported ColdFusion versions.
- Disable BlazeDS XXE at the XML parser level: Configure Java XML parsers to disable external entity resolution by setting XMLConstants.FEATURE_SECURE_PROCESSING and disabling DTD processing. This is a defense-in-depth measure even on patched systems.
- Review exposed BlazeDS endpoints: Audit which BlazeDS AMF/XML endpoints are accessible to untrusted clients and implement authentication and input validation at those endpoints.
- Monitor for XXE exploitation: Log and alert on XML processing errors and unusual file access patterns from the Java application server process — indicators of XXE exploitation attempts.
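The following is an added example, not BlazeDS's or Adobe's own code: it implements the parser-level hardening named in the remediation list (FEATURE_SECURE_PROCESSING plus DTD/external-entity features) and adds a check that feeds a constructed document containing an external entity declaration, of the kind described under Technical Details, to a given parser factory and reports whether the parser refuses it. The class, method names and the placeholder entity path are illustrative assumptions.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXParseException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public class XxeHardening {

    // Hardened factory: the defense-in-depth configuration from the remediation list.
    // Refusing DOCTYPE declarations outright is the strongest setting; the remaining
    // features cover parsers that do not honour disallow-doctype-decl.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns true only if the parser refuses a document that declares an external
    // entity. An IOException means the parser actually tried to fetch the resource,
    // which is exactly the vulnerable behaviour, so that counts as a failure.
    static boolean rejectsExternalEntity(DocumentBuilderFactory f) throws ParserConfigurationException {
        // Constructed sample input (placeholder path; only the declaration matters here).
        String sample = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE amf [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-file\">]>"
            + "<amf>&ext;</amf>";
        DocumentBuilder b = f.newDocumentBuilder();
        try {
            b.parse(new ByteArrayInputStream(sample.getBytes(StandardCharsets.UTF_8)));
            return false; // parsed without complaint: entity resolved or silently dropped
        } catch (SAXParseException e) {
            return true;  // "DOCTYPE is disallowed" or similar: declaration refused
        } catch (IOException | org.xml.sax.SAXException e) {
            return false; // parser attempted the external fetch: not hardened
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory stock = DocumentBuilderFactory.newInstance(); // JDK defaults
        System.out.println("default parser refuses external entity:  " + rejectsExternalEntity(stock));
        System.out.println("hardened parser refuses external entity: " + rejectsExternalEntity(hardenedFactory()));
    }
}
```

Run the check against every DocumentBuilderFactory, SAXParserFactory or XMLInputFactory an application constructs; a factory that returns false is one an untrusted XML body can still drive.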
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2009-3960 |
| Vendor / Product | Adobe — BlazeDS |
| NVD Published | 2010-02-15 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 6.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| Severity | MEDIUM |
| CISA KEV Added | 2022-03-07 |
| CISA KEV Deadline | 2022-09-07 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2010-02-11 | Adobe released Security Bulletin APSB10-05 patching the BlazeDS XXE vulnerability in ColdFusion, LiveCycle, and BlazeDS |
| 2010-02-15 | CVE-2009-3960 published (2009 CVE number; published February 2010) |
| 2022-03-07 | CISA added to KEV with ransomwareUse: true designation; unusually long 6-month remediation deadline |
| 2022-09-07 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2009-3960 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Adobe Security Bulletin APSB10-05 | Vendor Advisory |