Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 5.0 (CVSS v2 base score)
CVE Id CVE-2009-0217
Last Modified 13 Nov 2014 09:59:23
Published 14 Jul 2009 07:30:00
Confidentiality Impact NONE
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2009-0217

Summary

The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products, uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.

The weakness is on the verifying side: HMACOutputLength lives inside SignedInfo, which is supplied by whoever presents the signature, so an attacker who never held the HMAC key can declare a length of a few bits and find the matching truncated SignatureValue by trial. The vendor fixes listed under References reject truncation lengths below a minimum (RFC 2104 recommends no less than half the hash output and no less than 80 bits) rather than trusting the declared value.
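The mechanism in the summary, as an added example that is not code from this page or from any of the affected products: a minimal XMLDsig-style HMAC verifier in Python, first with the pre-fix behaviour (it honours whatever HMACOutputLength the SignedInfo it is handed declares), then hardened to refuse truncation below the RFC 2104 floor, plus a keyless attacker that forges a short truncated SignatureValue by enumeration. The SignedInfo element, the shared key and the digest value are constructed for the example, and the MAC is computed over the raw serialisation of SignedInfo rather than its canonicalised form, an assumption made to keep the example self-contained.

```python
"""Illustrative XMLDsig HMAC truncation flaw (CVE-2009-0217): vulnerable vs hardened verifier.

Added example; not code from any affected product. The SignedInfo and key below are
constructed, and the MAC covers the raw SignedInfo bytes instead of its C14N form.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
DS_MORE = "http://www.w3.org/2001/04/xmldsig-more#"
ALGO_DIGEST = {DS + "hmac-sha1": hashlib.sha1, DS_MORE + "hmac-sha256": hashlib.sha256}
# RFC 2104 section 5: truncate to no less than half the hash output and no less than 80 bits.
MIN_OUTPUT_BITS = 80

# Constructed SignedInfo. The party presenting the signature controls all of it,
# including HMACOutputLength; the DigestValue is a placeholder, not a real digest.
SIGNED_INFO_TEMPLATE = (
    '<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
    '<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
    '<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">'
    '<HMACOutputLength>{bits}</HMACOutputLength></SignatureMethod>'
    '<Reference URI="#body">'
    '<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
    '<DigestValue>AAAAAAAAAAAAAAAAAAAAAAAAAAA=</DigestValue></Reference></SignedInfo>'
)
KEY = b"constructed-shared-secret"  # held by signer and verifier only; the attacker never sees it


def parse_signed_info(signed_info: bytes):
    """Return (SignatureMethod Algorithm, HMACOutputLength or None) from a SignedInfo element."""
    root = ET.fromstring(signed_info)
    method = root.find(f"{{{DS}}}SignatureMethod")
    length = method.find(f"{{{DS}}}HMACOutputLength")
    return method.get("Algorithm"), (int(length.text) if length is not None else None)


def truncate_bits(mac: bytes, bits: int) -> bytes:
    """Leftmost `bits` bits of the MAC, as XMLDsig specifies; a partial final byte is masked."""
    nbytes = (bits + 7) // 8
    out = bytearray(mac[:nbytes])
    spare = nbytes * 8 - bits
    if spare:
        out[-1] &= (0xFF << spare) & 0xFF
    return bytes(out)


def mac_for(key: bytes, signed_info: bytes, bits):
    algo, _ = parse_signed_info(signed_info)
    mac = hmac.new(key, signed_info, ALGO_DIGEST[algo]).digest()
    return mac if bits is None else truncate_bits(mac, bits)


def verify_vulnerable(key: bytes, signed_info: bytes, signature_value: bytes) -> bool:
    """Pre-fix logic: trusts whatever HMACOutputLength the attacker-supplied SignedInfo declares."""
    _, bits = parse_signed_info(signed_info)
    return mac_for(key, signed_info, bits) == signature_value


def verify_hardened(key: bytes, signed_info: bytes, signature_value: bytes) -> bool:
    """Post-fix logic: enforce max(80, digest/2) <= HMACOutputLength <= digest, then compare in constant time."""
    algo, bits = parse_signed_info(signed_info)
    full_bits = ALGO_DIGEST[algo]().digest_size * 8
    if bits is not None and not max(MIN_OUTPUT_BITS, full_bits // 2) <= bits <= full_bits:
        raise ValueError(f"rejected HMACOutputLength={bits} for {algo}")
    return hmac.compare_digest(mac_for(key, signed_info, bits), signature_value)


def forge(signed_info: bytes, verify, key: bytes = KEY):
    """Keyless attacker: submit every SignatureValue of the declared length to the verifier.

    `key` is passed only because the verifier needs it; the attacker never learns it.
    Returns (forged_signature_value, submissions) or (None, submissions).
    """
    _, bits = parse_signed_info(signed_info)
    if bits is None or bits > 20:
        raise ValueError("declared length is not enumerable in this demo")
    nbytes = (bits + 7) // 8
    spare = nbytes * 8 - bits
    tries = 0
    for i in range(1 << bits):
        tries += 1
        candidate = (i << spare).to_bytes(nbytes, "big")
        if verify(key, signed_info, candidate):
            return candidate, tries
    return None, tries


def demo():
    honest = SIGNED_INFO_TEMPLATE.format(bits=160).encode()
    honest_sig = mac_for(KEY, honest, 160)  # signer uses the full SHA-1 output
    attack = SIGNED_INFO_TEMPLATE.format(bits=8).encode()  # attacker rewrites SignedInfo
    forged, tries = forge(attack, verify_vulnerable)
    try:
        verify_hardened(KEY, attack, forged)
        hardened_rejects = False
    except ValueError:
        hardened_rejects = True
    return {
        "honest_ok_vulnerable": verify_vulnerable(KEY, honest, honest_sig),
        "honest_ok_hardened": verify_hardened(KEY, honest, honest_sig),
        "forged_len": len(forged), "tries": tries, "hardened_rejects": hardened_rejects,
    }


if __name__ == "__main__":
    print(demo())
```

With HMACOutputLength set to 8 the attacker needs at most 256 submissions to the vulnerable verifier, with 1 at most two, and with 0 the truncated MAC is empty so the very first submission is accepted; the hardened verifier rejects all three before comparing anything. The signer's honest choice of a full-length output does not help, because the attacker rewrites SignedInfo, so the check has to live in the verifier.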

Vulnerable Systems

Application

  • Ibm Websphere Application Server 6.0

  • Ibm Websphere Application Server 6.0.0.1

  • Ibm Websphere Application Server 6.0.0.2

  • Ibm Websphere Application Server 6.0.0.3

  • Ibm Websphere Application Server 6.0.1

  • Ibm Websphere Application Server 6.0.1.1

  • Ibm Websphere Application Server 6.0.1.11

  • Ibm Websphere Application Server 6.0.1.13

  • Ibm Websphere Application Server 6.0.1.15

  • Ibm Websphere Application Server 6.0.1.17

  • Ibm Websphere Application Server 6.0.1.2

  • Ibm Websphere Application Server 6.0.1.3

  • Ibm Websphere Application Server 6.0.1.5

  • Ibm Websphere Application Server 6.0.1.7

  • Ibm Websphere Application Server 6.0.1.9

  • Ibm Websphere Application Server 6.0.2

  • Ibm Websphere Application Server 6.0.2.1

  • Ibm Websphere Application Server 6.0.2.10

  • Ibm Websphere Application Server 6.0.2.11

  • Ibm Websphere Application Server 6.0.2.12

  • Ibm Websphere Application Server 6.0.2.13

  • Ibm Websphere Application Server 6.0.2.14

  • Ibm Websphere Application Server 6.0.2.15

  • Ibm Websphere Application Server 6.0.2.16

  • Ibm Websphere Application Server 6.0.2.17

  • Ibm Websphere Application Server 6.0.2.18

  • Ibm Websphere Application Server 6.0.2.19

  • Ibm Websphere Application Server 6.0.2.2

  • Ibm Websphere Application Server 6.0.2.20

  • Ibm Websphere Application Server 6.0.2.21

  • Ibm Websphere Application Server 6.0.2.22

  • Ibm Websphere Application Server 6.0.2.23

  • Ibm Websphere Application Server 6.0.2.24

  • Ibm Websphere Application Server 6.0.2.25

  • Ibm Websphere Application Server 6.0.2.28

  • Ibm Websphere Application Server 6.0.2.29

  • Ibm Websphere Application Server 6.0.2.3

  • Ibm Websphere Application Server 6.0.2.30

  • Ibm Websphere Application Server 6.0.2.31

  • Ibm Websphere Application Server 6.0.2.32

  • Ibm Websphere Application Server 6.0.2.33

  • Ibm Websphere Application Server 6.1

  • Ibm Websphere Application Server 6.1.0

  • Ibm Websphere Application Server 6.1.0.0

  • Ibm Websphere Application Server 6.1.0.1

  • Ibm Websphere Application Server 6.1.0.10

  • Ibm Websphere Application Server 6.1.0.11

  • Ibm Websphere Application Server 6.1.0.12

  • Ibm Websphere Application Server 6.1.0.13

  • Ibm Websphere Application Server 6.1.0.14

  • Ibm Websphere Application Server 6.1.0.15

  • Ibm Websphere Application Server 6.1.0.16

  • Ibm Websphere Application Server 6.1.0.17

  • Ibm Websphere Application Server 6.1.0.18

  • Ibm Websphere Application Server 6.1.0.19

  • Ibm Websphere Application Server 6.1.0.2

  • Ibm Websphere Application Server 6.1.0.20

  • Ibm Websphere Application Server 6.1.0.21

  • Ibm Websphere Application Server 6.1.0.22

  • Ibm Websphere Application Server 6.1.0.23

  • Ibm Websphere Application Server 6.1.0.3

  • Ibm Websphere Application Server 6.1.0.4

  • Ibm Websphere Application Server 6.1.0.5

  • Ibm Websphere Application Server 6.1.0.6

  • Ibm Websphere Application Server 6.1.0.7

  • Ibm Websphere Application Server 6.1.0.8

  • Ibm Websphere Application Server 6.1.0.9

  • Ibm Websphere Application Server 7.0

  • Ibm Websphere Application Server 7.0.0.1

  • Mono Project Mono 1.2.1

  • Mono Project Mono 1.2.2

  • Mono Project Mono 1.2.3

  • Mono Project Mono 1.2.4

  • Mono Project Mono 1.2.5

  • Mono Project Mono 1.2.6

  • Mono Project Mono 1.9

  • Mono Project Mono 2.0

  • Oracle Application Server 10.1.2.3

  • Oracle Application Server 10.1.3.4

  • Oracle Application Server 10.1.4.3im

  • Oracle Bea Product Suite 10.0

  • Oracle Bea Product Suite 10.3

  • Oracle Bea Product Suite 8.1

  • Oracle Bea Product Suite 9.0

  • Oracle Bea Product Suite 9.1

  • Oracle Bea Product Suite 9.2

  • Oracle Weblogic Server Component 10.0

  • Oracle Weblogic Server Component 10.3

  • Oracle Weblogic Server Component 8.1

  • Oracle Weblogic Server Component 9.0

  • Oracle Weblogic Server Component 9.1

  • Oracle Weblogic Server Component 9.2


References

CERT - TA10-159B

CERT - TA09-294A

CERT-VN - VU#466161

VUPEN - ADV-2009-1911

VUPEN - ADV-2009-1909

VUPEN - ADV-2009-1908

VUPEN - ADV-2009-1900

BID - 35671

CONFIRM - http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html

CONFIRM - http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21384925

AIXAPAR - PK80627

AIXAPAR - PK80596

FEDORA - FEDORA-2009-8473

FEDORA - FEDORA-2009-8456

FEDORA - FEDORA-2009-8337

FEDORA - FEDORA-2009-8329

REDHAT - RHSA-2009:1650

REDHAT - RHSA-2009:1649

REDHAT - RHSA-2009:1637

REDHAT - RHSA-2009:1636

REDHAT - RHSA-2009:1428

REDHAT - RHSA-2009:1201

REDHAT - RHSA-2009:1200

CONFIRM - https://issues.apache.org/bugzilla/show_bug.cgi?id=47527

CONFIRM - https://issues.apache.org/bugzilla/show_bug.cgi?id=47526

CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=511915

MISC - http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html

CONFIRM - http://www.w3.org/2008/06/xmldsigcore-errata.html#e03

VUPEN - ADV-2010-0635

VUPEN - ADV-2010-0366

VUPEN - ADV-2009-3122

VUPEN - ADV-2009-2543

UBUNTU - USN-826-1

UBUNTU - USN-903-1

SECTRACK - 1022661

SECTRACK - 1022567

SECTRACK - 1022561

REDHAT - RHSA-2009:1694

CONFIRM - http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html

CONFIRM - http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html

CONFIRM - http://www.openoffice.org/security/cves/CVE-2009-0217.html

CONFIRM - http://www.mono-project.com/Vulnerabilities

MS - MS10-041

MANDRIVA - MDVSA-2009:209

CONFIRM - http://www.kb.cert.org/vuls/id/WDON-7TY529

CONFIRM - http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ

DEBIAN - DSA-1995

CONFIRM - http://www.aleksey.com/xmlsec/

CONFIRM - http://svn.apache.org/viewvc?revision=794013&view=revision

SUNALERT - 1020710

SUNALERT - 269208

SUNALERT - 263429

CONFIRM - http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1

SECUNIA - 38921

SECUNIA - 38695

SECUNIA - 38568

SECUNIA - 38567

SECUNIA - 37841

SECUNIA - 37671

SECUNIA - 37300

SECUNIA - 36494

SECUNIA - 36180

SECUNIA - 36176

SECUNIA - 36162

SECUNIA - 35858

SECUNIA - 35855

SECUNIA - 35854

SECUNIA - 35853

SECUNIA - 35852

SECUNIA - 35776

OSVDB - 55907

OSVDB - 55895

HP - HPSBUX02476

SUSE - SUSE-SA:2010:017

SUSE - SUSE-SA:2009:053

APPLE - APPLE-SA-2009-09-03-1

CONFIRM - http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7

CONFIRM - http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7

CONFIRM - http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161

CONFIRM - http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html

CONFIRM - http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html

CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html

HP - SSRT090250

GENTOO - GLSA-201408-19

SECUNIA - 60799

SECUNIA - 34461

SECUNIA - 41818

Related Patches

MS10-041 981343 979906 Security Update for .NET Framework 1.1 SP1 (All Languages) (Rev 2)

MS10-041 981343 979909 979910 979911 Security Update for .NET Framework 2.0 SP2 and 3.5 SP1 (All Languages)

MS10-041 .NET Framework 3.5, Windows Vista SP1, and Windows Server 2008 Security Update for x64 (KB979913)

MS10-041 981343 979909 Security Update for .NET Framework 2.0 SP2 in Windows 2000 (All Languages)

MS10-041 981343 982865 979913 Security Update for .NET Framework 2.0 SP1 and 3.5 (All Languages)

MS10-041 Microsoft .NET Framework 3.5 SP1 Security Update for Windows Vista SP1 and Windows Server 2008 x86 (KB979911)

MS10-041 .NET Framework 3.5 SP1 Security Update for Windows Vista SP1 and Windows Server 2008 for x64 (KB979911)

Microsoft .NET Framework 3.0 SP1 (See Notes) (Rev 3)


Last Updated: 27 May 2016 11:01:06