5

CVE-2009-0217

The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
IbmWebsphere Application Server Version6.0.0.1
IbmWebsphere Application Server Version6.0.0.2
IbmWebsphere Application Server Version6.0.0.3
IbmWebsphere Application Server Version6.0.1.1
IbmWebsphere Application Server Version6.0.1.2
IbmWebsphere Application Server Version6.0.1.3
IbmWebsphere Application Server Version6.0.1.5
IbmWebsphere Application Server Version6.0.1.7
IbmWebsphere Application Server Version6.0.1.9
IbmWebsphere Application Server Version6.0.1.11
IbmWebsphere Application Server Version6.0.1.13
IbmWebsphere Application Server Version6.0.1.15
IbmWebsphere Application Server Version6.0.1.17
IbmWebsphere Application Server Version6.0.2 Editionfp17
IbmWebsphere Application Server Version6.0.2.1
IbmWebsphere Application Server Version6.0.2.2
IbmWebsphere Application Server Version6.0.2.3
IbmWebsphere Application Server Version6.0.2.10
IbmWebsphere Application Server Version6.0.2.11
IbmWebsphere Application Server Version6.0.2.12
IbmWebsphere Application Server Version6.0.2.13
IbmWebsphere Application Server Version6.0.2.14
IbmWebsphere Application Server Version6.0.2.15
IbmWebsphere Application Server Version6.0.2.16
IbmWebsphere Application Server Version6.0.2.17
IbmWebsphere Application Server Version6.0.2.18
IbmWebsphere Application Server Version6.0.2.19
IbmWebsphere Application Server Version6.0.2.20
IbmWebsphere Application Server Version6.0.2.21
IbmWebsphere Application Server Version6.0.2.22
IbmWebsphere Application Server Version6.0.2.23
IbmWebsphere Application Server Version6.0.2.24
IbmWebsphere Application Server Version6.0.2.25
IbmWebsphere Application Server Version6.0.2.28
IbmWebsphere Application Server Version6.0.2.29
IbmWebsphere Application Server Version6.0.2.30
IbmWebsphere Application Server Version6.0.2.31
IbmWebsphere Application Server Version6.0.2.32
IbmWebsphere Application Server Version6.0.2.33
IbmWebsphere Application Server Version6.1.0.0
IbmWebsphere Application Server Version6.1.0.1
IbmWebsphere Application Server Version6.1.0.2
IbmWebsphere Application Server Version6.1.0.3
IbmWebsphere Application Server Version6.1.0.4
IbmWebsphere Application Server Version6.1.0.5
IbmWebsphere Application Server Version6.1.0.6
IbmWebsphere Application Server Version6.1.0.7
IbmWebsphere Application Server Version6.1.0.8
IbmWebsphere Application Server Version6.1.0.9
IbmWebsphere Application Server Version6.1.0.10
IbmWebsphere Application Server Version6.1.0.11
IbmWebsphere Application Server Version6.1.0.12
IbmWebsphere Application Server Version6.1.0.13
IbmWebsphere Application Server Version6.1.0.14
IbmWebsphere Application Server Version6.1.0.15
IbmWebsphere Application Server Version6.1.0.16
IbmWebsphere Application Server Version6.1.0.17
IbmWebsphere Application Server Version6.1.0.18
IbmWebsphere Application Server Version6.1.0.19
IbmWebsphere Application Server Version6.1.0.20
IbmWebsphere Application Server Version6.1.0.21
IbmWebsphere Application Server Version6.1.0.22
IbmWebsphere Application Server Version6.1.0.23
IbmWebsphere Application Server Version7.0.0.1
Mono ProjectMono Version1.2.1
Mono ProjectMono Version1.2.2
Mono ProjectMono Version1.2.3
Mono ProjectMono Version1.2.4
Mono ProjectMono Version1.2.5
Mono ProjectMono Version1.2.6
Mono ProjectMono Version1.9
Mono ProjectMono Version2.0
OracleApplication Server Version10.1.2.3
OracleApplication Server Version10.1.3.4
OracleApplication Server Version10.1.4.3im
OracleBea Product Suite Version8.1 Updatesp6
OracleBea Product Suite Version9.0
OracleBea Product Suite Version9.1
OracleBea Product Suite Version9.2 Updatemp3
OracleBea Product Suite Version10.0 Updatemp1
OracleBea Product Suite Version10.3
OracleWeblogic Server Component Version8.1 Updatesp6
OracleWeblogic Server Component Version9.2 Updatemp3
OracleWeblogic Server Component Version10.0 Updatemp1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 6.35% 0.927
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:P/A:N
Es wurden noch keine Informationen zu CWE veröffentlicht.
http://secunia.com/advisories/38567
http://secunia.com/advisories/38568
http://secunia.com/advisories/41818
http://secunia.com/advisories/60799
http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml
http://www.vupen.com/english/advisories/2010/0366
http://secunia.com/advisories/36494
Vendor Advisory
https://usn.ubuntu.com/826-1/
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
http://secunia.com/advisories/34461
http://secunia.com/advisories/35776
Vendor Advisory
http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html
http://www.vupen.com/english/advisories/2009/1900
Patch
Vendor Advisory
http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161
http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7
http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7
http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html
http://marc.info/?l=bugtraq&m=125787273209737&w=2
http://osvdb.org/55895
http://osvdb.org/55907
http://secunia.com/advisories/35852
Vendor Advisory
http://secunia.com/advisories/35853
Vendor Advisory
http://secunia.com/advisories/35854
Vendor Advisory
http://secunia.com/advisories/35855
Vendor Advisory
http://secunia.com/advisories/35858
Vendor Advisory
http://secunia.com/advisories/36162
Vendor Advisory
http://secunia.com/advisories/36176
Vendor Advisory
http://secunia.com/advisories/36180
Vendor Advisory
http://secunia.com/advisories/37300
http://secunia.com/advisories/37671
http://secunia.com/advisories/37841
http://secunia.com/advisories/38695
http://secunia.com/advisories/38921
http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-263429-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269208-1
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020710.1-1
http://svn.apache.org/viewvc?revision=794013&view=revision
http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023545&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere
Patch
Vendor Advisory
http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023723&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere
Patch
Vendor Advisory
http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21384925
Patch
Vendor Advisory
http://www.aleksey.com/xmlsec/
http://www.debian.org/security/2010/dsa-1995
http://www.kb.cert.org/vuls/id/466161
US Government Resource
http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ
http://www.kb.cert.org/vuls/id/WDON-7TY529
http://www.mandriva.com/security/advisories?name=MDVSA-2009:209
http://www.mono-project.com/Vulnerabilities
Vendor Advisory
http://www.openoffice.org/security/cves/CVE-2009-0217.html
http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html
http://www.redhat.com/support/errata/RHSA-2009-1694.html
http://www.securityfocus.com/bid/35671
Patch
http://www.securitytracker.com/id?1022561
http://www.securitytracker.com/id?1022567
http://www.securitytracker.com/id?1022661
http://www.ubuntu.com/usn/USN-903-1
http://www.us-cert.gov/cas/techalerts/TA09-294A.html
US Government Resource
http://www.us-cert.gov/cas/techalerts/TA10-159B.html
US Government Resource
http://www.vupen.com/english/advisories/2009/1908
Patch
Vendor Advisory
http://www.vupen.com/english/advisories/2009/1909
Patch
Vendor Advisory
http://www.vupen.com/english/advisories/2009/1911
Patch
Vendor Advisory
http://www.vupen.com/english/advisories/2009/2543
http://www.vupen.com/english/advisories/2009/3122
http://www.vupen.com/english/advisories/2010/0635
http://www.w3.org/2008/06/xmldsigcore-errata.html#e03
Vendor Advisory
http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=511915
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-041
https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
https://issues.apache.org/bugzilla/show_bug.cgi?id=47527
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10186
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7158
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8717
https://rhn.redhat.com/errata/RHSA-2009-1200.html
https://rhn.redhat.com/errata/RHSA-2009-1201.html
https://rhn.redhat.com/errata/RHSA-2009-1428.html
https://rhn.redhat.com/errata/RHSA-2009-1636.html
https://rhn.redhat.com/errata/RHSA-2009-1637.html
https://rhn.redhat.com/errata/RHSA-2009-1649.html
https://rhn.redhat.com/errata/RHSA-2009-1650.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00494.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00505.html