CVE-2009-0217 Information

Description

The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products, uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.
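The root cause is that HMACOutputLength is read from the attacker-supplied SignedInfo and honoured without a lower bound, so a verifier can be told to compare only a handful of bits of the tag. The following added example (written for this page, not code from any of the affected products or from the xmlsec fix linked below) shows the check a verifier needs: it parses ds:SignatureMethod with the standard library, treats a missing HMACOutputLength as the full digest, and rejects the signature outright when the requested length is below the minimum. The minimum used here is the rule adopted in the W3C errata referenced on this page and in XML Signature 1.1, namely at least half the digest length and never below 80 bits; restricting truncation to whole bytes, the algorithm table, and the constructed SignedInfo builder are this example's own simplifications. Canonicalisation is out of scope: the functions take already-canonical SignedInfo bytes.

```python
import hmac
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Hash function name and full digest length in bits for the HMAC
# SignatureMethod URIs used with XMLDSig (xmldsig-core and RFC 4051).
HMAC_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#hmac-sha1": ("sha1", 160),
    "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256": ("sha256", 256),
    "http://www.w3.org/2001/04/xmldsig-more#hmac-sha384": ("sha384", 384),
    "http://www.w3.org/2001/04/xmldsig-more#hmac-sha512": ("sha512", 512),
}


class SignatureInvalid(Exception):
    """The signature must be treated as invalid, never as merely 'unverified'."""


def minimum_output_length(digest_bits):
    """Smallest HMACOutputLength a verifier may honour for a digest of
    digest_bits: half the digest length, and never below 80 bits."""
    return max(80, digest_bits // 2)


def output_length_ok(algorithm_uri, requested_bits):
    """True if requested_bits is an acceptable truncation for algorithm_uri."""
    if algorithm_uri not in HMAC_ALGORITHMS:
        return False
    digest_bits = HMAC_ALGORITHMS[algorithm_uri][1]
    return (minimum_output_length(digest_bits) <= requested_bits <= digest_bits
            and requested_bits % 8 == 0)  # byte-aligned only: a simplification


def effective_output_length(signature_method):
    """Return (hash name, truncation bits) for a ds:SignatureMethod element.

    No HMACOutputLength means the full digest. A present value that fails
    output_length_ok() invalidates the whole signature; this lower-bound
    check is what the products listed above lacked (CVE-2009-0217)."""
    uri = signature_method.get("Algorithm")
    if uri not in HMAC_ALGORITHMS:
        raise SignatureInvalid("unsupported SignatureMethod %r" % uri)
    hash_name, digest_bits = HMAC_ALGORITHMS[uri]
    node = signature_method.find(DS + "HMACOutputLength")
    if node is None:
        return hash_name, digest_bits
    try:
        requested = int((node.text or "").strip())
    except ValueError:
        raise SignatureInvalid("HMACOutputLength is not an integer")
    if not output_length_ok(uri, requested):
        raise SignatureInvalid("HMACOutputLength %d rejected for %s" % (requested, uri))
    return hash_name, requested


def sign_hmac(signed_info_xml, key):
    """Compute the (possibly truncated) tag over canonical SignedInfo bytes.
    The same length check applies, so a weak length is never produced either."""
    method = ET.fromstring(signed_info_xml).find(DS + "SignatureMethod")
    if method is None:
        raise SignatureInvalid("SignedInfo has no SignatureMethod")
    hash_name, out_bits = effective_output_length(method)
    return hmac.new(key, signed_info_xml, hash_name).digest()[: out_bits // 8]


def verify_hmac_signature(signed_info_xml, signature_value, key):
    """Verify signature_value (raw bytes) against canonical SignedInfo bytes."""
    expected = sign_hmac(signed_info_xml, key)
    # Constant-time comparison; a tag of the wrong length simply fails.
    return hmac.compare_digest(expected, signature_value)


def build_signed_info(algorithm_uri, output_length=None):
    """Constructed, minimal SignedInfo for the demonstration (not canonicalised)."""
    hol = ("<ds:HMACOutputLength>%d</ds:HMACOutputLength>" % output_length
           if output_length is not None else "")
    return (
        '<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        '<ds:SignatureMethod Algorithm="%s">%s</ds:SignatureMethod>'
        '<ds:Reference URI="#body">'
        '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        '<ds:DigestValue>constructed</ds:DigestValue></ds:Reference>'
        '</ds:SignedInfo>' % (algorithm_uri, hol)
    ).encode()


if __name__ == "__main__":
    key = b"constructed-test-key"
    sha256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
    ok = build_signed_info(sha256, 128)          # 128 of 256 bits: accepted
    print(verify_hmac_signature(ok, sign_hmac(ok, key), key))
    try:
        verify_hmac_signature(build_signed_info(sha256, 8), b"\x00", key)
    except SignatureInvalid as e:
        print("rejected:", e)
```

The important design choice is that an out-of-range HMACOutputLength raises rather than falling back to some default: the element is part of the data the attacker controls, so any value a verifier is not prepared to honour has to make the signature fail closed.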

Reference

http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161
http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7
http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7
http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html
http://marc.info/?l=bugtraq&m=125787273209737&w=2
http://osvdb.org/55895
http://osvdb.org/55907
http://secunia.com/advisories/34461
http://secunia.com/advisories/35776
http://secunia.com/advisories/35852
http://secunia.com/advisories/35853
http://secunia.com/advisories/35854
http://secunia.com/advisories/35855
http://secunia.com/advisories/35858
http://secunia.com/advisories/36162
http://secunia.com/advisories/36176
http://secunia.com/advisories/36180
http://secunia.com/advisories/36494
http://secunia.com/advisories/37300
http://secunia.com/advisories/37671
http://secunia.com/advisories/37841
http://secunia.com/advisories/38567
http://secunia.com/advisories/38568
http://secunia.com/advisories/38695
http://secunia.com/advisories/38921
http://secunia.com/advisories/41818
http://secunia.com/advisories/60799
http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-263429-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269208-1
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020710.1-1
http://svn.apache.org/viewvc?revision=794013&view=revision
http://www.aleksey.com/xmlsec/
http://www.debian.org/security/2010/dsa-1995
http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml
http://www.kb.cert.org/vuls/id/466161
http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ
http://www.kb.cert.org/vuls/id/WDON-7TY529
http://www.mandriva.com/security/advisories?name=MDVSA-2009:209
http://www.mono-project.com/Vulnerabilities
http://www.openoffice.org/security/cves/CVE-2009-0217.html
http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html
http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
http://www.redhat.com/support/errata/RHSA-2009-1694.html
http://www.securityfocus.com/bid/35671
http://www.securitytracker.com/id?1022561
http://www.securitytracker.com/id?1022567
http://www.securitytracker.com/id?1022661
http://www.ubuntu.com/usn/USN-903-1
http://www.us-cert.gov/cas/techalerts/TA09-294A.html
http://www.us-cert.gov/cas/techalerts/TA10-159B.html
http://www.vupen.com/english/advisories/2009/1900
http://www.vupen.com/english/advisories/2009/1908
http://www.vupen.com/english/advisories/2009/1909
http://www.vupen.com/english/advisories/2009/1911
http://www.vupen.com/english/advisories/2009/2543
http://www.vupen.com/english/advisories/2009/3122
http://www.vupen.com/english/advisories/2010/0366
http://www.vupen.com/english/advisories/2010/0635
http://www.w3.org/2008/06/xmldsigcore-errata.html#e03
http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023545&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere
http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023723&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere
http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21384925
https://bugzilla.redhat.com/show_bug.cgi?id=511915
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-041
https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
https://issues.apache.org/bugzilla/show_bug.cgi?id=47527
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10186
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7158
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8717
https://rhn.redhat.com/errata/RHSA-2009-1200.html
https://rhn.redhat.com/errata/RHSA-2009-1201.html
https://rhn.redhat.com/errata/RHSA-2009-1428.html
https://rhn.redhat.com/errata/RHSA-2009-1636.html
https://rhn.redhat.com/errata/RHSA-2009-1637.html
https://rhn.redhat.com/errata/RHSA-2009-1649.html
https://rhn.redhat.com/errata/RHSA-2009-1650.html
https://usn.ubuntu.com/826-1/
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00494.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00505.html