5

CVE-2009-0217

EPSS 18.55%
Published 14.07.2009 23:30:00
Last modified 09.04.2025 00:30:58
Source cret@cert.org
Teams watchlist Login
Open Login

The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.

Affected products Warnungen 0 Metrics 2 CWE 0 References 89

Data is provided by the National Vulnerability Database (NVD)

Ibm ≫ Websphere Application Server Version6.0

Ibm ≫ Websphere Application Server Version6.0.0.1

Ibm ≫ Websphere Application Server Version6.0.0.2

Ibm ≫ Websphere Application Server Version6.0.0.3

Ibm ≫ Websphere Application Server Version6.0.1

Ibm ≫ Websphere Application Server Version6.0.1.1

Ibm ≫ Websphere Application Server Version6.0.1.2

Ibm ≫ Websphere Application Server Version6.0.1.3

Ibm ≫ Websphere Application Server Version6.0.1.5

Ibm ≫ Websphere Application Server Version6.0.1.7

Ibm ≫ Websphere Application Server Version6.0.1.9

Ibm ≫ Websphere Application Server Version6.0.1.11

Ibm ≫ Websphere Application Server Version6.0.1.13

Ibm ≫ Websphere Application Server Version6.0.1.15

Ibm ≫ Websphere Application Server Version6.0.1.17

Ibm ≫ Websphere Application Server Version6.0.2

Ibm ≫ Websphere Application Server Version6.0.2 Editionfp17

Ibm ≫ Websphere Application Server Version6.0.2.1

Ibm ≫ Websphere Application Server Version6.0.2.2

Ibm ≫ Websphere Application Server Version6.0.2.3

Ibm ≫ Websphere Application Server Version6.0.2.10

Ibm ≫ Websphere Application Server Version6.0.2.11

Ibm ≫ Websphere Application Server Version6.0.2.12

Ibm ≫ Websphere Application Server Version6.0.2.13

Ibm ≫ Websphere Application Server Version6.0.2.14

Ibm ≫ Websphere Application Server Version6.0.2.15

Ibm ≫ Websphere Application Server Version6.0.2.16

Ibm ≫ Websphere Application Server Version6.0.2.17

Ibm ≫ Websphere Application Server Version6.0.2.18

Ibm ≫ Websphere Application Server Version6.0.2.19

Ibm ≫ Websphere Application Server Version6.0.2.20

Ibm ≫ Websphere Application Server Version6.0.2.21

Ibm ≫ Websphere Application Server Version6.0.2.22

Ibm ≫ Websphere Application Server Version6.0.2.23

Ibm ≫ Websphere Application Server Version6.0.2.24

Ibm ≫ Websphere Application Server Version6.0.2.25

Ibm ≫ Websphere Application Server Version6.0.2.28

Ibm ≫ Websphere Application Server Version6.0.2.29

Ibm ≫ Websphere Application Server Version6.0.2.30

Ibm ≫ Websphere Application Server Version6.0.2.31

Ibm ≫ Websphere Application Server Version6.0.2.32

Ibm ≫ Websphere Application Server Version6.0.2.33

Ibm ≫ Websphere Application Server Version6.1

Ibm ≫ Websphere Application Server Version6.1.0

Ibm ≫ Websphere Application Server Version6.1.0.0

Ibm ≫ Websphere Application Server Version6.1.0.1

Ibm ≫ Websphere Application Server Version6.1.0.2

Ibm ≫ Websphere Application Server Version6.1.0.3

Ibm ≫ Websphere Application Server Version6.1.0.4

Ibm ≫ Websphere Application Server Version6.1.0.5

Ibm ≫ Websphere Application Server Version6.1.0.6

Ibm ≫ Websphere Application Server Version6.1.0.7

Ibm ≫ Websphere Application Server Version6.1.0.8

Ibm ≫ Websphere Application Server Version6.1.0.9

Ibm ≫ Websphere Application Server Version6.1.0.10

Ibm ≫ Websphere Application Server Version6.1.0.11

Ibm ≫ Websphere Application Server Version6.1.0.12

Ibm ≫ Websphere Application Server Version6.1.0.13

Ibm ≫ Websphere Application Server Version6.1.0.14

Ibm ≫ Websphere Application Server Version6.1.0.15

Ibm ≫ Websphere Application Server Version6.1.0.16

Ibm ≫ Websphere Application Server Version6.1.0.17

Ibm ≫ Websphere Application Server Version6.1.0.18

Ibm ≫ Websphere Application Server Version6.1.0.19

Ibm ≫ Websphere Application Server Version6.1.0.20

Ibm ≫ Websphere Application Server Version6.1.0.21

Ibm ≫ Websphere Application Server Version6.1.0.22

Ibm ≫ Websphere Application Server Version6.1.0.23

Ibm ≫ Websphere Application Server Version7.0

Ibm ≫ Websphere Application Server Version7.0.0.1

Mono Project ≫ Mono Version1.2.1

Mono Project ≫ Mono Version1.2.2

Mono Project ≫ Mono Version1.2.3

Mono Project ≫ Mono Version1.2.4

Mono Project ≫ Mono Version1.2.5

Mono Project ≫ Mono Version1.2.6

Mono Project ≫ Mono Version1.9

Mono Project ≫ Mono Version2.0

Oracle ≫ Application Server Version10.1.2.3

Oracle ≫ Application Server Version10.1.3.4

Oracle ≫ Application Server Version10.1.4.3im

Oracle ≫ Bea Product Suite Version8.1 Updatesp6

Oracle ≫ Bea Product Suite Version9.0

Oracle ≫ Bea Product Suite Version9.1

Oracle ≫ Bea Product Suite Version9.2 Updatemp3

Oracle ≫ Bea Product Suite Version10.0 Updatemp1

Oracle ≫ Bea Product Suite Version10.3

Oracle ≫ Weblogic Server Component Version8.1 Updatesp6

Oracle ≫ Weblogic Server Component Version9.0

Oracle ≫ Weblogic Server Component Version9.1

Oracle ≫ Weblogic Server Component Version9.2 Updatemp3

Oracle ≫ Weblogic Server Component Version10.0 Updatemp1

Oracle ≫ Weblogic Server Component Version10.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	18.55%	0.95

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

http://secunia.com/advisories/38567

http://secunia.com/advisories/38568

http://secunia.com/advisories/41818

http://secunia.com/advisories/60799

http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml

http://www.vupen.com/english/advisories/2010/0366

http://secunia.com/advisories/36494

Vendor Advisory

https://usn.ubuntu.com/826-1/

http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html

http://secunia.com/advisories/34461

http://secunia.com/advisories/35776

Vendor Advisory

http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html

http://www.vupen.com/english/advisories/2009/1900

Patch

Vendor Advisory

http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161

http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7

http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7

http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html

http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html

http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html

http://marc.info/?l=bugtraq&m=125787273209737&w=2

http://osvdb.org/55895

http://osvdb.org/55907

http://secunia.com/advisories/35852

Vendor Advisory

http://secunia.com/advisories/35853

Vendor Advisory

http://secunia.com/advisories/35854

Vendor Advisory

http://secunia.com/advisories/35855

Vendor Advisory

http://secunia.com/advisories/35858

Vendor Advisory

http://secunia.com/advisories/36162

Vendor Advisory

http://secunia.com/advisories/36176

Vendor Advisory

http://secunia.com/advisories/36180

Vendor Advisory

http://secunia.com/advisories/37300

http://secunia.com/advisories/37671

http://secunia.com/advisories/37841

http://secunia.com/advisories/38695

http://secunia.com/advisories/38921

http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1

http://sunsolve.sun.com/search/document.do?assetkey=1-66-263429-1

http://sunsolve.sun.com/search/document.do?assetkey=1-66-269208-1

http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020710.1-1

http://svn.apache.org/viewvc?revision=794013&view=revision

http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023545&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere

Patch

Vendor Advisory

http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023723&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere

Patch

Vendor Advisory

http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21384925

Patch

Vendor Advisory

http://www.aleksey.com/xmlsec/

http://www.debian.org/security/2010/dsa-1995

http://www.kb.cert.org/vuls/id/466161

US Government Resource

http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ

http://www.kb.cert.org/vuls/id/WDON-7TY529

http://www.mandriva.com/security/advisories?name=MDVSA-2009:209

http://www.mono-project.com/Vulnerabilities

Vendor Advisory

http://www.openoffice.org/security/cves/CVE-2009-0217.html

http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html

http://www.redhat.com/support/errata/RHSA-2009-1694.html

http://www.securityfocus.com/bid/35671

Patch

http://www.securitytracker.com/id?1022561

http://www.securitytracker.com/id?1022567

http://www.securitytracker.com/id?1022661

http://www.ubuntu.com/usn/USN-903-1

http://www.us-cert.gov/cas/techalerts/TA09-294A.html

US Government Resource

http://www.us-cert.gov/cas/techalerts/TA10-159B.html

US Government Resource

http://www.vupen.com/english/advisories/2009/1908

Patch

Vendor Advisory

http://www.vupen.com/english/advisories/2009/1909

Patch

Vendor Advisory

http://www.vupen.com/english/advisories/2009/1911

Patch

Vendor Advisory

http://www.vupen.com/english/advisories/2009/2543

http://www.vupen.com/english/advisories/2009/3122

http://www.vupen.com/english/advisories/2010/0635

http://www.w3.org/2008/06/xmldsigcore-errata.html#e03

Vendor Advisory

http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=511915

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-041

https://issues.apache.org/bugzilla/show_bug.cgi?id=47526

https://issues.apache.org/bugzilla/show_bug.cgi?id=47527

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10186

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7158

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8717

https://rhn.redhat.com/errata/RHSA-2009-1200.html

https://rhn.redhat.com/errata/RHSA-2009-1201.html

https://rhn.redhat.com/errata/RHSA-2009-1428.html

https://rhn.redhat.com/errata/RHSA-2009-1636.html

https://rhn.redhat.com/errata/RHSA-2009-1637.html

https://rhn.redhat.com/errata/RHSA-2009-1649.html

https://rhn.redhat.com/errata/RHSA-2009-1650.html

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00494.html

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00505.html

https://nvd.nist.gov/vuln/detail/CVE-2009-0217

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2009-0217

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2009-0217

EUVD