
CVE Database

CVE-2009-0217

Impact: Moderate
Public: 2009-07-14
Bugzilla: 511915: CVE-2009-0217 xmlsec1, mono, xml-security-c, xml-security-1.3.0-1jpp.ep1.*: XMLDsig HMAC-based signatures spoofing and authentication bypass
IAVA: 2010-B-0046

Details

The MITRE CVE dictionary describes this issue as:

The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.

Find out more about CVE-2009-0217 from the MITRE CVE dictionary and NIST NVD.
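The defensive check the fixes for this flaw add, as an added example that is not part of this page or of any product listed above: a small Python verifier that parses the ds:SignatureMethod, refuses any HMACOutputLength below 80 bits or below half of the hash output (the minimum the corrected W3C recommendation adopted), and only then compares the truncated MAC. The algorithm table, the policy constant and the sample XML are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
HMAC_HASHES = {"http://www.w3.org/2000/09/xmldsig#hmac-sha1": hashlib.sha1,  # hash behind each
               "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256": hashlib.sha256}  # accepted URI
MIN_HMAC_BITS = 80  # absolute floor; the verifier also requires at least half the hash output
# Constructed sample: a SignatureMethod asking for an 8-bit HMAC, the CVE-2009-0217 pattern.
WEAK_SIGNATURE_METHOD = ('<ds:SignatureMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
                         'Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256">'
                         '<ds:HMACOutputLength>8</ds:HMACOutputLength></ds:SignatureMethod>')

def checked_output_length(algorithm_uri, requested_bits):
    """Return the truncation length (bits) the verifier will honour, or raise ValueError."""
    hash_ctor = HMAC_HASHES.get(algorithm_uri)
    if hash_ctor is None:
        raise ValueError("unsupported SignatureMethod %r" % algorithm_uri)
    full_bits = hash_ctor().digest_size * 8
    bits = full_bits if requested_bits is None else requested_bits  # absent element: no truncation
    if not max(MIN_HMAC_BITS, full_bits // 2) <= bits <= full_bits:
        raise ValueError("HMACOutputLength %d rejected for %s" % (bits, algorithm_uri))
    return bits

def parse_signature_method(xml_text):
    """Return (Algorithm URI, HMACOutputLength or None) from a ds:SignatureMethod element."""
    root = ET.fromstring(xml_text)
    node = root if root.tag == DS + "SignatureMethod" else root.find(".//" + DS + "SignatureMethod")
    if node is None:
        raise ValueError("no SignatureMethod element")
    length = node.find(DS + "HMACOutputLength")
    return node.get("Algorithm"), (int(length.text) if length is not None else None)

def _truncated_mac(key, data, algorithm_uri, bits):
    mac = hmac.new(key, data, HMAC_HASHES[algorithm_uri]).digest()
    out = bytearray(mac[:(bits + 7) // 8])  # XMLDsig truncation keeps the leftmost bits
    if bits % 8:
        out[-1] &= (0xFF << (8 - bits % 8)) & 0xFF
    return bytes(out)

def sign_hmac(key, signed_info, algorithm_uri, bits=None):
    bits = checked_output_length(algorithm_uri, bits)  # signers are held to the same policy
    return base64.b64encode(_truncated_mac(key, signed_info, algorithm_uri, bits)).decode()

def verify_hmac(key, signed_info, signature_b64, algorithm_uri, bits=None):
    bits = checked_output_length(algorithm_uri, bits)  # reject weak lengths before any comparison
    expected = _truncated_mac(key, signed_info, algorithm_uri, bits)
    return hmac.compare_digest(expected, base64.b64decode(signature_b64))
```

The length check runs before any MAC is computed, so a document carrying the 8-bit request in WEAK_SIGNATURE_METHOD is refused outright rather than compared against a one-byte value.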

CVSS v2 metrics

Base Score: 5.0
Base Metrics: AV:N/AC:L/Au:N/C:N/I:P/A:N
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat security errata

| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux Server Supplementary (v. 5) (java-1.6.0-ibm) | RHSA-2009:1694 | December 23, 2009 |
| Red Hat Enterprise Linux Server Supplementary (v. 5) (java-1.6.0-sun) | RHSA-2009:1200 | August 06, 2009 |
| Red Hat Enterprise Linux version 4 (xmlsec1) | RHSA-2009:1428 | September 08, 2009 |
| Red Hat Enterprise Linux version 4 Extras (java-1.6.0-ibm) | RHSA-2009:1694 | December 23, 2009 |
| Red Hat Enterprise Linux version 4 Extras (java-1.6.0-sun) | RHSA-2009:1200 | August 06, 2009 |
| Red Hat Enterprise Linux version 5 (java-1.6.0-openjdk) | RHSA-2009:1201 | August 06, 2009 |
| Red Hat Enterprise Linux version 5 (xmlsec1) | RHSA-2009:1428 | September 08, 2009 |
| Red Hat JBoss Enterprise Application Platform 4.2.0 for RHEL 4 AS (jbossas) | RHSA-2009:1637 | December 09, 2009 |
| Red Hat JBoss Enterprise Application Platform 4.2.0 for RHEL 5 Server (jbossas) | RHSA-2009:1650 | December 10, 2009 |
| Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS (jbossas) | RHSA-2009:1636 | December 09, 2009 |
| Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server (jbossas) | RHSA-2009:1649 | December 09, 2009 |
| Red Hat Satellite 5.3 (RHEL v.4) (java-1.6.0-ibm) | RHSA-2010:0043 | January 14, 2010 |
| Red Hat Satellite 5.3 (RHEL v.5) (java-1.6.0-ibm) | RHSA-2010:0043 | January 14, 2010 |

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact the Red Hat Security Response Team.