FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2009-0217

This CVE name corresponds to:

Entered Topic
2010-02-25 openoffice.org -- multiple vulnerabilities
2009-07-29 mono -- XML signature HMAC truncation spoofing

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type Candidate
Name CVE-2009-0217
Phase Assigned(20090120)

Description

The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.
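The minimum-length rule that the XMLDSig errata (E03, listed in the references) introduced, as an added Python example that is not from this record or from any of the affected products: a verifier that honours HMACOutputLength only above a floor, beside the lax behaviour the description above attributes to the pre-fix implementations. The sample SignedInfo bytes, the key, and the byte-alignment requirement are assumptions of this example; XML canonicalization is omitted.

```python
import base64
import hashlib
import hmac

# Floor from XMLDSig errata E03 (referenced above): >= 80 bits and >= half the digest.
MIN_HMAC_BITS = 80

def minimum_output_length(digest_bits: int) -> int:
    """Smallest HMACOutputLength a verifier should accept for this hash size."""
    return max(MIN_HMAC_BITS, digest_bits // 2)

def hmac_output_length_ok(requested_bits: int, digest_bits: int) -> bool:
    """True if the requested truncation length is acceptable. Requiring a
    multiple of 8 is a conservative choice of this example, not a spec rule."""
    return (requested_bits % 8 == 0
            and minimum_output_length(digest_bits) <= requested_bits <= digest_bits)

def verify_truncated_hmac(signed_info: bytes, key: bytes, signature_value_b64: str,
                          hmac_output_length: int, hash_name: str = "sha1",
                          enforce_minimum: bool = True) -> bool:
    """Check an XMLDSig-style HMAC SignatureValue truncated to HMACOutputLength bits.
    signed_info is assumed already canonicalized (C14N out of scope). With
    enforce_minimum=False any positive length is honoured, as in the pre-fix
    implementations the CVE text names."""
    digest_bits = hashlib.new(hash_name).digest_size * 8
    if enforce_minimum and not hmac_output_length_ok(hmac_output_length, digest_bits):
        return False
    if not 0 < hmac_output_length <= digest_bits or hmac_output_length % 8:
        return False
    try:
        presented = base64.b64decode(signature_value_b64, validate=True)
    except ValueError:
        return False
    expected = hmac.new(key, signed_info, hash_name).digest()[: hmac_output_length // 8]
    return hmac.compare_digest(expected, presented)

# Constructed sample input: a trivial SignedInfo and a key known only to the signer.
SIGNED_INFO = b'<SignedInfo><Reference URI="#order"/></SignedInfo>'
KEY = b"example-shared-secret"

def legitimate_signature(bits: int = 160) -> str:
    """Base64 SignatureValue a genuine signer would produce for the sample."""
    return base64.b64encode(hmac.new(KEY, SIGNED_INFO, "sha1").digest()[: bits // 8]).decode()

def count_accepted_one_byte_tags(enforce_minimum: bool) -> int:
    """Of the 256 possible 8-bit tags, how many pass when the document asks for
    HMACOutputLength=8: one for the lax verifier (a keyless 1/256 guess), none for the strict one."""
    return sum(verify_truncated_hmac(SIGNED_INFO, KEY, base64.b64encode(bytes([b])).decode(),
                                     8, enforce_minimum=enforce_minimum) for b in range(256))
```

The strict verifier still accepts any length from 80 bits up to the full 160-bit SHA-1 tag, so legitimate truncated signatures keep working; only the degenerate lengths are refused.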

References

Source Reference
MISC http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
CONFIRM http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21384925
CONFIRM http://www.aleksey.com/xmlsec/
CONFIRM http://www.mono-project.com/Vulnerabilities
CONFIRM http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html
CONFIRM http://www.w3.org/2008/06/xmldsigcore-errata.html#e03
CONFIRM https://issues.apache.org/bugzilla/show_bug.cgi?id=47527
CONFIRM http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ
CONFIRM http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1
CONFIRM http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161
CONFIRM http://www.kb.cert.org/vuls/id/WDON-7TY529
CONFIRM https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
CONFIRM http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html
CONFIRM http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7
CONFIRM http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7
CONFIRM http://svn.apache.org/viewvc?revision=794013&view=revision
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=511915
CONFIRM http://www.openoffice.org/security/cves/CVE-2009-0217.html
CONFIRM http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
AIXAPAR PK80596
AIXAPAR PK80627
APPLE APPLE-SA-2009-09-03-1
DEBIAN DSA-1995
FEDORA FEDORA-2009-8329
FEDORA FEDORA-2009-8337
FEDORA FEDORA-2009-8456
FEDORA FEDORA-2009-8473
GENTOO GLSA-201408-19
HP HPSBUX02476
HP SSRT090250
MANDRIVA MDVSA-2009:209
MS MS10-041
REDHAT RHSA-2009:1200
REDHAT RHSA-2009:1201
REDHAT RHSA-2009:1428
REDHAT RHSA-2009:1636
REDHAT RHSA-2009:1637
REDHAT RHSA-2009:1649
REDHAT RHSA-2009:1650
REDHAT RHSA-2009:1694
SUNALERT 263429
SUNALERT 269208
SUNALERT 1020710
SUSE SUSE-SA:2009:053
SUSE SUSE-SA:2010:017
UBUNTU USN-826-1
UBUNTU USN-903-1
CERT TA09-294A
CERT TA10-159B
CERT-VN VU#466161
BID 35671
OSVDB 55895
OSVDB 55907
OVAL oval:org.mitre.oval:def:10186
OVAL oval:org.mitre.oval:def:7158
OVAL oval:org.mitre.oval:def:8717
SECTRACK 1022561
SECTRACK 1022567
SECTRACK 1022661
SECUNIA 35776
SECUNIA 35853
SECUNIA 35854
SECUNIA 35855
SECUNIA 35858
SECUNIA 36162
SECUNIA 36176
SECUNIA 36180
SECUNIA 35852
SECUNIA 36494
SECUNIA 37300
SECUNIA 37671
SECUNIA 37841
SECUNIA 38567
SECUNIA 38568
SECUNIA 38695
SECUNIA 38921
SECUNIA 34461
SECUNIA 60799
VUPEN ADV-2009-1900
VUPEN ADV-2009-1908
VUPEN ADV-2009-1911
VUPEN ADV-2009-1909
VUPEN ADV-2009-2543
VUPEN ADV-2009-3122
VUPEN ADV-2010-0366
VUPEN ADV-2010-0635