FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2009-0217

This CVE name corresponds to:

Entered	Topic
2010-02-25	openoffice.org -- multiple vulnerabilities
2009-07-29	mono -- XML signature HMAC truncation spoofing

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

CVE-2009-0217 at cve.mitre.org

Details

Type	Candidate
Name	CVE-2009-0217
Phase	Assigned(20090120)

Description

The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.

References

Source	Reference
MISC	http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
CONFIRM	http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21384925
CONFIRM	http://www.aleksey.com/xmlsec/
CONFIRM	http://www.mono-project.com/Vulnerabilities
CONFIRM	http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html
CONFIRM	http://www.w3.org/2008/06/xmldsigcore-errata.html#e03
CONFIRM	https://issues.apache.org/bugzilla/show_bug.cgi?id=47527
CONFIRM	http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ
CONFIRM	http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1
CONFIRM	http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161
CONFIRM	http://www.kb.cert.org/vuls/id/WDON-7TY529
CONFIRM	https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
CONFIRM	http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html
CONFIRM	http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7
CONFIRM	http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7
CONFIRM	http://svn.apache.org/viewvc?revision=794013&view=revision
CONFIRM	https://bugzilla.redhat.com/show_bug.cgi?id=511915
CONFIRM	http://www.openoffice.org/security/cves/CVE-2009-0217.html
CONFIRM	http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
AIXAPAR	PK80596
AIXAPAR	PK80627
APPLE	APPLE-SA-2009-09-03-1
DEBIAN	DSA-1995
FEDORA	FEDORA-2009-8329
FEDORA	FEDORA-2009-8337
FEDORA	FEDORA-2009-8456
FEDORA	FEDORA-2009-8473
GENTOO	GLSA-201408-19
HP	HPSBUX02476
HP	SSRT090250
MANDRIVA	MDVSA-2009:209
MS	MS10-041
REDHAT	RHSA-2009:1200
REDHAT	RHSA-2009:1201
REDHAT	RHSA-2009:1428
REDHAT	RHSA-2009:1636
REDHAT	RHSA-2009:1637
REDHAT	RHSA-2009:1649
REDHAT	RHSA-2009:1650
REDHAT	RHSA-2009:1694
SUNALERT	263429
SUNALERT	269208
SUNALERT	1020710
SUSE	SUSE-SA:2009:053
SUSE	SUSE-SA:2010:017
UBUNTU	USN-826-1
UBUNTU	USN-903-1
CERT	TA09-294A
CERT	TA10-159B
CERT-VN	VU#466161
BID	35671
OSVDB	55895
OSVDB	55907
OVAL	oval:org.mitre.oval:def:10186
OVAL	oval:org.mitre.oval:def:7158
OVAL	oval:org.mitre.oval:def:8717
SECTRACK	1022561
SECTRACK	1022567
SECTRACK	1022661
SECUNIA	35776
SECUNIA	35853
SECUNIA	35854
SECUNIA	35855
SECUNIA	35858
SECUNIA	36162
SECUNIA	36176
SECUNIA	36180
SECUNIA	35852
SECUNIA	36494
SECUNIA	37300
SECUNIA	37671
SECUNIA	37841
SECUNIA	38567
SECUNIA	38568
SECUNIA	38695
SECUNIA	38921
SECUNIA	34461
SECUNIA	60799
SECUNIA	41818
VUPEN	ADV-2009-1900
VUPEN	ADV-2009-1908
VUPEN	ADV-2009-1911
VUPEN	ADV-2009-1909
VUPEN	ADV-2009-2543
VUPEN	ADV-2009-3122
VUPEN	ADV-2010-0366
VUPEN	ADV-2010-0635