Security Advisory: LiveCycle information disclosure to OBSOLETE users
Advisory Name: LiveCycle information disclosure to OBSOLETE users
Release Date: April 11, 2006
Vulnerability Identifier: CVE-2006-1628
Products: Adobe LiveCycle Workflow 7.01 and Adobe LiveCycle Form Manager 7.01
Platform: Windows, AIX, Solaris, Linux
Overview: Adobe has been made aware of a potential vulnerability in LiveCycle user authorization management that could enable disclosure of LiveCycle data to users who have been marked OBSOLETE.
Effect: If exploited, this vulnerability would allow a LiveCycle user who has been marked OBSOLETE to continue to access information within LiveCycle.
Details: This vulnerability occurs because a user can successfully authenticate to LiveCycle Workflow or LiveCycle Form Manager if the user is active within the authentication system (LDAP, Active Directory, eDirectory), even if the user is OBSOLETE within the LiveCycle User Manager tables. In some instances it may be possible for a user who is active in LDAP but OBSOLETE in LiveCycle to access resources that were available before that user was marked OBSOLETE.
Severity: Adobe categorizes this issue as a moderate issue and recommends that this upgrade be applied to affected systems.
Recommendation: Adobe recommends that users apply the following upgrade to their systems. For instructions for installing the patch, see the ReadMe for the appropriate platform.
-- For LiveCycle Workflow: www.adobe.com/support/products/enterprise/support_knowledge_center_workflow.html
-- For LiveCycle Form Manager: www.adobe.com/support/products/enterprise/support_knowledge_center_lc_form_manager.html
Workaround: When users are marked OBSOLETE, it may also be appropriate to mark their account disabled or to remove the account from your authentication system (for example, LDAP, Active Directory). If a user account is removed or disabled in the authentication system, the user is denied access to resources protected by LiveCycle.
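An added example, not Adobe's code, of auditing for the condition described under Details and closed by the Workaround: it lists accounts marked OBSOLETE in LiveCycle that can still authenticate against the directory. The two exports, their column names and the sample users are constructed for illustration; Active Directory's `userAccountControl` attribute is assumed as the disabled-account indicator.

```python
import csv
import io

# Constructed sample: export of LiveCycle User Manager accounts.
# Column names are hypothetical, not the product's real schema.
LIVECYCLE_EXPORT = """login,status
alice,ACTIVE
bob,OBSOLETE
carol,OBSOLETE
dave,OBSOLETE
Erin,OBSOLETE
"""

# Constructed sample: directory export in Active Directory style.
# dave has already been removed from the directory.
DIRECTORY_EXPORT = """login,userAccountControl
alice,512
bob,512
carol,514
erin,66048
"""

ACCOUNTDISABLE = 0x0002  # Active Directory userAccountControl flag


def load_directory(text):
    """Map lower-cased login -> True if the account can still authenticate."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["login"].strip().lower():
            not (int(r["userAccountControl"]) & ACCOUNTDISABLE) for r in rows}


def stale_obsolete_users(livecycle_text, directory_text):
    """Return logins that are OBSOLETE in LiveCycle but enabled in the directory."""
    enabled = load_directory(directory_text)
    findings = []
    for row in csv.DictReader(io.StringIO(livecycle_text)):
        if row["status"].strip().upper() != "OBSOLETE":
            continue
        login = row["login"].strip().lower()  # directory logins compare case-insensitively
        # Absent from the directory means removed: authentication fails there.
        if enabled.get(login, False):
            findings.append(login)
    return sorted(findings)


if __name__ == "__main__":
    for login in stale_obsolete_users(LIVECYCLE_EXPORT, DIRECTORY_EXPORT):
        print(f"disable or remove in directory: {login}")
```

Each login reported is an account the Workaround applies to until the upgrade is installed.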
Revisions: April 11, 2006 - Bulletin first created
Reporting Security Issues
Adobe is committed to addressing security issues and providing customers with the information on how to protect themselves. If you identify what you believe may be a security issue with an Adobe product, please send an email to PSIRT@adobe.com. We will work to appropriately address and communicate the issue.
Receiving Security Bulletins
When Adobe becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Adobe customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service.
For additional information on security issues at Adobe, please visit the Adobe website at www.adobe.com/support/security/.
Adobe Disclaimer
DISCLAIMER OF WARRANTIES: ANY INFORMATION, PATCHES, DOWNLOADS, WORKAROUNDS OR FIXES PROVIDED BY ADOBE IN THIS BULLETIN ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ADOBE AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED OR OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. ALSO, THERE IS NO WARRANTY OF NON-INFRINGEMENT, TITLE OR QUIET ENJOYMENT. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU.
LIMIT OF LIABILITY: IN NO EVENT SHALL ADOBE, INC., OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS, BUSINESS INTERRUPTION OR THE LIKE, OR LOSS OF BUSINESS DAMAGES, BASED ON ANY THEORY OF LIABILITY INCLUDING BREACH OF CONTRACT, BREACH OF WARRANTY, TORT(INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, EVEN IF ADOBE, INC. OR ITS SUPPLIERS OR THEIR REPRESENTATIVES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE EXCLUSION OR LIMITATION MAY NOT APPLY TO YOU AND YOU MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM STATE TO STATE.
Adobe reserves the right, from time to time, to update the information in this document with current information.
