Home > Vulnerability Database > CVE-2009-0217

Mend.io Vulnerability Database

New vulnerability? Tell us about it!

CVE-2009-0217

Good to know:

Date: July 14, 2009

The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.

Language: Java

Severity Score

5.3

Related Resources (90)

Url: http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023723&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere

Url: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10186

Url: https://bugzilla.redhat.com/show_bug.cgi?id=511915

Url: http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html

Url: http://www.securitytracker.com/id?1022661

Url: http://secunia.com/advisories/38695

Url: http://www.securityfocus.com/bid/35671

Url: http://secunia.com/advisories/37841

Url: http://www.aleksey.com/xmlsec/

Url: https://rhn.redhat.com/errata/RHSA-2009-1650.html

Url: http://www.kb.cert.org/vuls/id/WDON-7TY529

Url: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7158

Url: http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html

Url: http://www.mandriva.com/security/advisories?name=MDVSA-2009:209

Url: http://www.vupen.com/english/advisories/2009/1908

Url: http://secunia.com/advisories/36162

Url: http://www.vupen.com/english/advisories/2009/1909

Url: http://svn.apache.org/viewvc?revision=794013&view=revision

Url: http://www.vupen.com/english/advisories/2009/1900

Url: http://secunia.com/advisories/35776

Url: http://secunia.com/advisories/35853

Url: http://secunia.com/advisories/60799

Url: http://secunia.com/advisories/35854

Url: http://www.vupen.com/english/advisories/2010/0366

Url: http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml

Url: http://marc.info/?l=bugtraq&m=125787273209737&w=2

Url: http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html

Url: http://secunia.com/advisories/35855

Url: http://secunia.com/advisories/41818

Url: http://www.redhat.com/support/errata/RHSA-2009-1694.html

Url: http://secunia.com/advisories/35858

Url: https://rhn.redhat.com/errata/RHSA-2009-1637.html

Url: http://secunia.com/advisories/37671

Url: http://secunia.com/advisories/38568

Url: http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7

Url: http://secunia.com/advisories/38921

Url: http://www.ubuntu.com/usn/USN-903-1

Url: http://secunia.com/advisories/35852

Url: http://secunia.com/advisories/38567

Url: http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html

Url: http://www.w3.org/2008/06/xmldsigcore-errata.html#e03

Url: https://issues.apache.org/bugzilla/show_bug.cgi?id=47526

Url: http://osvdb.org/55895

Url: http://www.vupen.com/english/advisories/2009/1911

Url: http://www.securitytracker.com/id?1022567

Url: http://www.vupen.com/english/advisories/2009/2543

Url: https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00494.html

Url: http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html

Url: http://www.us-cert.gov/cas/techalerts/TA10-159B.html

Url: http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020710.1-1

Url: https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html

Url: https://rhn.redhat.com/errata/RHSA-2009-1636.html

Url: http://www.securitytracker.com/id?1022561

Url: http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html

Url: http://sunsolve.sun.com/search/document.do?assetkey=1-66-263429-1

Url: https://rhn.redhat.com/errata/RHSA-2009-1200.html

Url: http://secunia.com/advisories/36176

Url: http://secunia.com/advisories/36494

Url: http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html

Url: http://www.vupen.com/english/advisories/2010/0635

Url: http://secunia.com/advisories/37300

Url: https://issues.apache.org/bugzilla/show_bug.cgi?id=47527

Url: http://www.kb.cert.org/vuls/id/466161

Url: https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html

Url: http://secunia.com/advisories/36180

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2009-0217

Url: http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023545&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere

Url: https://rhn.redhat.com/errata/RHSA-2009-1649.html

Url: http://www.openoffice.org/security/cves/CVE-2009-0217.html

Url: http://www.debian.org/security/2010/dsa-1995

Url: https://rhn.redhat.com/errata/RHSA-2009-1201.html

Url: http://sunsolve.sun.com/search/document.do?assetkey=1-66-269208-1

Url: http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21384925

Url: http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161

Url: http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7

Url: http://www.vupen.com/english/advisories/2009/3122

Url: http://osvdb.org/55907

Url: http://www.us-cert.gov/cas/techalerts/TA09-294A.html

Url: http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1

Url: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-041

Url: http://secunia.com/advisories/34461

Url: http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ

Url: http://www.mono-project.com/Vulnerabilities

Url: https://nvd.nist.gov/vuln/detail/CVE-2009-0217

Url: https://usn.ubuntu.com/826-1/

Url: https://access.redhat.com/security/cve/CVE-2009-0217

Url: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8717

Url: https://rhn.redhat.com/errata/RHSA-2009-1428.html

Url: https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00505.html

Url: https://www.mend.io/vulnerability-database/CVE-2009-0217

Severity Score

5.3

Top Fix

Upgrade Version

Upgrade to version org.apache.santuario:xmlsec:1.4.3

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Do you need more information?

Contact Us