CVE-2009-3474
First published: Tue Sep 29 2009(Updated: )
OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Internet2 OpenSAML | =2.0 | |
| Internet2 OpenSAML | =2.1.0 | |
| Internet2 OpenSAML | =2.2.0 | |
| Shibboleth XMLTooling-C | =1.0.1 | |
| Shibboleth XMLTooling-C | =1.1.0 | |
| Shibboleth XMLTooling-C | =1.1.1 | |
| Shibboleth XMLTooling-C | =1.2.0 | |
| Shibboleth Service Provider | =1.3.1 | |
| Shibboleth Service Provider | =1.3.2 | |
| Shibboleth Service Provider | =1.3b | |
| Shibboleth Service Provider | =1.3f | |
| Shibboleth Service Provider | =2.0 | |
| Shibboleth Service Provider | =2.1 | |
| Shibboleth Service Provider | =2.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://secunia.com/advisories/36876
- http://www.securityfocus.com/bid/36516
- http://secunia.com/advisories/36855
- http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt
- http://secunia.com/advisories/36868
- http://www.debian.org/security/2009/dsa-1895
- https://bugs.internet2.edu/jira/browse/CPPOST-28
- http://www.debian.org/security/2009/dsa-1896
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53474
Frequently Asked Questions
What is the severity of CVE-2009-3474?
CVE-2009-3474 is classified as a high-severity vulnerability due to its potential for remote exploitation.
How do I fix CVE-2009-3474?
To fix CVE-2009-3474, upgrade to OpenSAML version 2.2.1 or XMLTooling version 1.2.1 or later.
What systems are affected by CVE-2009-3474?
CVE-2009-3474 affects OpenSAML versions 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, particularly when used with Shibboleth Service Provider 2.x before 2.2.1.
What are the risks associated with CVE-2009-3474?
The risks of CVE-2009-3474 include allowing attackers to use a certificate intended for single purpose (signing or encryption) for both roles.
Is there a workaround for CVE-2009-3474?
Currently, there are no specified workarounds for CVE-2009-3474, and it is recommended to apply an upgrade as soon as possible.
- collector/nvd-historical
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/severity
- agent/author
- agent/weakness
- agent/first-publish-date
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/internet2
- canonical/internet2 opensaml
- version/internet2 opensaml/2.0
- version/internet2 opensaml/2.1.0
- version/internet2 opensaml/2.2.0
- canonical/shibboleth xmltooling-c
- version/shibboleth xmltooling-c/1.0.1
- version/shibboleth xmltooling-c/1.1.0
- version/shibboleth xmltooling-c/1.1.1
- version/shibboleth xmltooling-c/1.2.0
- canonical/shibboleth service provider
- version/shibboleth service provider/1.3.1
- version/shibboleth service provider/1.3.2
- version/shibboleth service provider/1.3b
- version/shibboleth service provider/1.3f
- version/shibboleth service provider/2.0
- version/shibboleth service provider/2.1
- version/shibboleth service provider/2.2