REDHAT-BUG-511915
First published: Wed Jul 15 2009(Updated: )
Common Vulnerabilities and Exposures assigned an identifier <a href="https://access.redhat.com/security/cve/CVE-2009-0217">CVE-2009-0217</a> to the following vulnerability: The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits. References: ----------- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0217">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0217</a> <a href="http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html">http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html</a> <a href="http://www.kb.cert.org/vuls/id/466161">http://www.kb.cert.org/vuls/id/466161</a> <a href="http://secunia.com/advisories/35855/2/">http://secunia.com/advisories/35855/2/</a> <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=47526">https://issues.apache.org/bugzilla/show_bug.cgi?id=47526</a> <a href="http://www.w3.org/2008/06/xmldsigcore-errata.html#e03">http://www.w3.org/2008/06/xmldsigcore-errata.html#e03</a> <a href="http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html">http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html</a> References from US-CERT's VU#466161: ------------------------------------- <a href="http://www.w3.org/2008/06/xmldsigcore-errata.html#e03">http://www.w3.org/2008/06/xmldsigcore-errata.html#e03</a> <a href="http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html">http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html</a> <a href="http://www.rsa.com/blog/blog_entry.aspx?id=1492">http://www.rsa.com/blog/blog_entry.aspx?id=1492</a> <a href="http://www.w3.org/TR/xmldsig-core/">http://www.w3.org/TR/xmldsig-core/</a> <a href="http://www.w3.org/TR/xmldsig-core/#sec-HMAC">http://www.w3.org/TR/xmldsig-core/#sec-HMAC</a> <a href="http://tools.ietf.org/html/rfc2104#section-5">http://tools.ietf.org/html/rfc2104#section-5</a> <a href="http://www.oasis-open.org/specs/index.php#wss">http://www.oasis-open.org/specs/index.php#wss</a> <a href="http://www.w3.org/2000/xp/Group/">http://www.w3.org/2000/xp/Group/</a> <a href="http://msdn.microsoft.com/en-us/library/ms996502.aspx">http://msdn.microsoft.com/en-us/library/ms996502.aspx</a> <a href="http://www.ibm.com/support/docview.wss?rs=180&uid=swg21384925">http://www.ibm.com/support/docview.wss?rs=180&uid=swg21384925</a> <a href="http://santuario.apache.org/download.html">http://santuario.apache.org/download.html</a> <a href="http://www.mono-project.com/Vulnerabilities">http://www.mono-project.com/Vulnerabilities</a> <a href="http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html">http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html</a> <a href="http://www.aleksey.com/xmlsec/downloads.html">http://www.aleksey.com/xmlsec/downloads.html</a> Credit: ------- Thomas Roessler of the W3C
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle Java System Application Server | >=10.1.2.3<10.1.4.3 | |
| Oracle WebLogic Server | >=8.1<10.3 | |
| Mono | <2.4.2.2 | |
| Apache XML Security for C++ | <1.2.12 | |
| IBM WebSphere Application Server | >=6.0<7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/security/cve/CVE-2009-0217
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0217
- http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
- http://www.kb.cert.org/vuls/id/466161
- http://secunia.com/advisories/35855/2/
- https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
- http://www.w3.org/2008/06/xmldsigcore-errata.html#e03
- http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html
- http://www.rsa.com/blog/blog_entry.aspx?id=1492
- http://www.w3.org/TR/xmldsig-core/
- http://www.w3.org/TR/xmldsig-core/#sec-HMAC
- http://tools.ietf.org/html/rfc2104#section-5
- http://www.oasis-open.org/specs/index.php#wss
- http://www.w3.org/2000/xp/Group/
- http://msdn.microsoft.com/en-us/library/ms996502.aspx
- http://www.ibm.com/support/docview.wss?rs=180&uid=swg21384925
- http://santuario.apache.org/download.html
- http://www.mono-project.com/Vulnerabilities
- http://www.aleksey.com/xmlsec/downloads.html
- http://svn.apache.org/viewvc?view=rev&revision=794013
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=355945&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=355945&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=355946&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=355946&action=edit
- https://rhn.redhat.com/errata/RHSA-2009-1200.html
- https://rhn.redhat.com/errata/RHSA-2009-1201.html
- http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7
- http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7
- http://koji.fedoraproject.org/koji/buildinfo?buildID=114947
- http://admin.fedoraproject.org/updates/xmlsec1-1.2.12-1.fc11
- http://admin.fedoraproject.org/updates/xmlsec1-1.2.12-1.fc10
- https://rhn.redhat.com/errata/RHSA-2009-1428.html
- https://rhn.redhat.com/errata/RHSA-2009-1636.html
- https://rhn.redhat.com/errata/RHSA-2009-1637.html
- https://rhn.redhat.com/errata/RHSA-2009-1649.html
- https://rhn.redhat.com/errata/RHSA-2009-1650.html
- https://rhn.redhat.com/errata/RHSA-2009-1694.html
- https://rhn.redhat.com/errata/RHSA-2010-0043.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=513078
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=694167
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=715014
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=715020
- https://bugzilla.redhat.com/show_bug.cgi?id=511915
Frequently Asked Questions
What is the severity of REDHAT-BUG-511915?
The severity of REDHAT-BUG-511915 is critical due to its potential for XML signature misuse.
How do I fix REDHAT-BUG-511915?
To fix REDHAT-BUG-511915, ensure you upgrade to the patched versions of the affected software listed in the security advisory.
What software is affected by REDHAT-BUG-511915?
Affected software includes Oracle Application Server, BEA WebLogic Server, Mono, Apache XML Security Library, and IBM WebSphere Application Server.
What is the CVE associated with REDHAT-BUG-511915?
The CVE associated with REDHAT-BUG-511915 is CVE-2009-0217.
What are the potential impacts of REDHAT-BUG-511915?
Potential impacts of REDHAT-BUG-511915 include unauthorized access and manipulation of XML data.
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2009-0217
- agent/references
- agent/severity
- agent/description
- agent/event
- agent/source
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- vendor/oracle
- canonical/oracle java system application server
- vendor/bea
- canonical/oracle weblogic server
- vendor/mono
- canonical/mono
- vendor/apache
- canonical/apache xml security for c++
- vendor/ibm
- canonical/ibm websphere application server