Podatność CVE-2009-0217


Publikacja: 2009-07-14   Modyfikacja: 2012-02-13

Opis:
The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.

Typ:

CWE-Other

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Ogólna skala CVSS
Znaczenie
Łatwość wykorzystania
5/10
2.9/10
10/10
Wymagany dostęp
Złożoność ataku
Autoryzacja
Zdalny
Niska
Nie wymagana
Wpływ na poufność
Wpływ na integralność
Wpływ na dostępność
Brak
Częściowy
Brak
Affected software
Oracle -> Application server 
Oracle -> Bea product suite 
Oracle -> Weblogic server component 
Mono project -> MONO 
IBM -> Websphere application server 

 Referencje:
http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161
http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7
http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7
http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html
http://marc.info/?l=bugtraq&m=125787273209737&w=2
http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-263429-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269208-1
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020710.1-1
http://svn.apache.org/viewvc?revision=794013&view=revision
http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023545&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere
http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023723&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere
http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21384925
http://www.aleksey.com/xmlsec/
http://www.debian.org/security/2010/dsa-1995
http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml
http://www.kb.cert.org/vuls/id/466161
http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ
http://www.kb.cert.org/vuls/id/WDON-7TY529
http://www.mandriva.com/security/advisories?name=MDVSA-2009:209
http://www.mono-project.com/Vulnerabilities
http://www.openoffice.org/security/cves/CVE-2009-0217.html
http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html
http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
http://www.redhat.com/support/errata/RHSA-2009-1694.html
http://www.securityfocus.com/bid/35671
http://www.securitytracker.com/id?1022561
http://www.securitytracker.com/id?1022567
http://www.securitytracker.com/id?1022661
http://www.ubuntu.com/usn/USN-903-1
http://www.us-cert.gov/cas/techalerts/TA09-294A.html
http://www.us-cert.gov/cas/techalerts/TA10-159B.html
http://www.vupen.com/english/advisories/2009/1900
http://www.vupen.com/english/advisories/2009/1908
http://www.vupen.com/english/advisories/2009/1909
http://www.vupen.com/english/advisories/2009/1911
http://www.vupen.com/english/advisories/2009/2543
http://www.vupen.com/english/advisories/2009/3122
http://www.vupen.com/english/advisories/2010/0366
http://www.vupen.com/english/advisories/2010/0635
http://www.w3.org/2008/06/xmldsigcore-errata.html#e03
http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
https://bugzilla.redhat.com/show_bug.cgi?id=511915
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-041
https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
https://issues.apache.org/bugzilla/show_bug.cgi?id=47527
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10186
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7158
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8717
https://rhn.redhat.com/errata/RHSA-2009-1200.html
https://rhn.redhat.com/errata/RHSA-2009-1201.html
https://rhn.redhat.com/errata/RHSA-2009-1428.html
https://rhn.redhat.com/errata/RHSA-2009-1636.html
https://rhn.redhat.com/errata/RHSA-2009-1637.html
https://rhn.redhat.com/errata/RHSA-2009-1649.html
https://rhn.redhat.com/errata/RHSA-2009-1650.html
https://usn.ubuntu.com/826-1/
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00494.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00505.html

Copyright 2022, cxsecurity.com

 

Back to Top