CVE-2009-0217
Published: 14 July 2009
The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
libreoffice Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Does not exist
|
|
| intrepid |
Does not exist
|
|
| jaunty |
Does not exist
|
|
| karmic |
Does not exist
|
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| natty |
Not vulnerable
|
|
| oneiric |
Not vulnerable
|
|
| precise |
Not vulnerable
|
|
| quantal |
Not vulnerable
|
|
| raring |
Not vulnerable
|
|
| saucy |
Not vulnerable
|
|
| upstream |
Not vulnerable
|
|
|
libxml-security-java Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Does not exist
|
|
| intrepid |
Ignored
(end of life, was needed)
|
|
| jaunty |
Ignored
(end of life)
|
|
| karmic |
Not vulnerable
(1.4.3-0ubuntu1)
|
|
| lucid |
Not vulnerable
(1.4.3-0ubuntu1)
|
|
| maverick |
Not vulnerable
(1.4.3-0ubuntu1)
|
|
| natty |
Not vulnerable
(1.4.3-0ubuntu1)
|
|
| oneiric |
Not vulnerable
(1.4.3-0ubuntu1)
|
|
| precise |
Not vulnerable
(1.4.3-0ubuntu1)
|
|
| quantal |
Not vulnerable
(1.4.3-0ubuntu1)
|
|
| raring |
Not vulnerable
(1.4.3-0ubuntu1)
|
|
| saucy |
Not vulnerable
(1.4.3-0ubuntu1)
|
|
| upstream |
Released
(1.4.3)
|
|
|
mono Launchpad, Ubuntu, Debian |
dapper |
Ignored
(end of life)
|
| hardy |
Released
(1.2.6+dfsg-6ubuntu3.1)
|
|
| intrepid |
Released
(1.9.1+dfsg-4ubuntu2.1)
|
|
| jaunty |
Released
(2.0.1-4ubuntu0.1)
|
|
| karmic |
Not vulnerable
(2.4.2.3+dfsg-1)
|
|
| lucid |
Not vulnerable
(2.4.2.3+dfsg-1)
|
|
| maverick |
Not vulnerable
(2.4.2.3+dfsg-1)
|
|
| natty |
Not vulnerable
(2.4.2.3+dfsg-1)
|
|
| oneiric |
Not vulnerable
(2.4.2.3+dfsg-1)
|
|
| precise |
Not vulnerable
(2.4.2.3+dfsg-1)
|
|
| quantal |
Not vulnerable
(2.4.2.3+dfsg-1)
|
|
| raring |
Not vulnerable
(2.4.2.3+dfsg-1)
|
|
| saucy |
Not vulnerable
(2.4.2.3+dfsg-1)
|
|
| upstream |
Released
(2.4.2.3+dfsg-1)
|
|
|
Patches: upstream: http://anonsvn.mono-project.com/viewvc?view=rev&revision=137892 upstream: http://anonsvn.mono-project.com/viewvc?view=rev&revision=137891 upstream: http://anonsvn.mono-project.com/viewvc?view=rev&revision=137890 upstream: http://anonsvn.mono-project.com/viewvc?view=rev&revision=137889 upstream: http://anonsvn.mono-project.com/viewvc?view=rev&revision=137888 upstream: http://anonsvn.mono-project.com/viewvc?view=rev&revision=137886 |
||
|
openjdk-6 Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Released
(6b18-1.8.2-4ubuntu1~8.04.1)
|
|
| intrepid |
Released
(6b12-0ubuntu6.5)
|
|
| jaunty |
Released
(6b14-1.4.1-0ubuntu11)
|
|
| karmic |
Not vulnerable
|
|
| lucid |
Not vulnerable
|
|
| maverick |
Not vulnerable
|
|
| natty |
Not vulnerable
|
|
| oneiric |
Not vulnerable
|
|
| precise |
Not vulnerable
|
|
| quantal |
Not vulnerable
|
|
| raring |
Not vulnerable
|
|
| saucy |
Not vulnerable
|
|
| upstream |
Needs triage
|
|
|
openoffice.org Launchpad, Ubuntu, Debian |
dapper |
Ignored
(end of life)
|
| hardy |
Released
(1:2.4.1-1ubuntu2.3)
|
|
| intrepid |
Released
(1:2.4.1-11ubuntu2.3)
|
|
| jaunty |
Released
(1:3.0.1-9ubuntu3.2)
|
|
| karmic |
Released
(1:3.1.1-5ubuntu1.1)
|
|
| lucid |
Not vulnerable
(1:3.2.0~rc4-1ubuntu1)
|
|
| maverick |
Not vulnerable
(1:3.2.0~rc4-1ubuntu1)
|
|
| natty |
Not vulnerable
(transitional package)
|
|
| oneiric |
Not vulnerable
(transitional package)
|
|
| precise |
Not vulnerable
(transitional package)
|
|
| quantal |
Does not exist
|
|
| raring |
Does not exist
|
|
| saucy |
Does not exist
|
|
| upstream |
Released
(3.2)
|
|
|
xml-security-c Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Ignored
(end of life)
|
|
| intrepid |
Ignored
(end of life, was needed)
|
|
| jaunty |
Released
(1.4.0-3+lenny2build0.9.04.1)
|
|
| karmic |
Not vulnerable
(1.4.0-4)
|
|
| lucid |
Not vulnerable
(1.4.0-4)
|
|
| maverick |
Not vulnerable
(1.4.0-4)
|
|
| natty |
Not vulnerable
(1.4.0-4)
|
|
| oneiric |
Not vulnerable
(1.4.0-4)
|
|
| precise |
Not vulnerable
(1.4.0-4)
|
|
| quantal |
Not vulnerable
(1.4.0-4)
|
|
| raring |
Not vulnerable
(1.4.0-4)
|
|
| saucy |
Not vulnerable
(1.4.0-4)
|
|
| upstream |
Released
(1.4.0-4)
|
|
|
xmlsec1 Launchpad, Ubuntu, Debian |
dapper |
Ignored
(end of life)
|
| hardy |
Ignored
(end of life)
|
|
| intrepid |
Ignored
(end of life, was needed)
|
|
| jaunty |
Ignored
(end of life)
|
|
| karmic |
Ignored
(end of life)
|
|
| lucid |
Ignored
(end of life)
|
|
| maverick |
Not vulnerable
(1.2.14-1)
|
|
| natty |
Not vulnerable
(1.2.14-1)
|
|
| oneiric |
Not vulnerable
(1.2.14-1)
|
|
| precise |
Not vulnerable
(1.2.14-1)
|
|
| quantal |
Not vulnerable
(1.2.14-1)
|
|
| raring |
Not vulnerable
(1.2.14-1)
|
|
| saucy |
Not vulnerable
(1.2.14-1)
|
|
| upstream |
Released
(1.2.12)
|
|
|
Patches: vendor: http://www.aleksey.com/xmlsec/download.html |
||
References
- http://www.mono-project.com/Vulnerabilities#XML_signature_HMAC_truncation_authentication_bypass
- http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
- https://ubuntu.com/security/notices/USN-814-1
- https://ubuntu.com/security/notices/USN-826-1
- https://ubuntu.com/security/notices/USN-903-1
- https://www.cve.org/CVERecord?id=CVE-2009-0217
- NVD
- Launchpad
- Debian