CVE-2009-0217

CVE Details

Release Date:	2009-07-14
Impact:	Moderate	What is this?

Description

The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.

See more information about CVE-2009-0217 from MITRE CVE dictionary and NIST NVD

NOTE: The following CVSS metrics and score provided are preliminary and subject to review.

CVSS v2 metrics

Base Score:	5.0
Vector String:	AV:N/AC:L/Au:N/C:N/I:P/A:N
Version:	2.0
Attack Vector:	Network
Attack Complexity:	Low
Authentication:	None
Confidentiality Impact:	None
Integrity Impact:	Partial
Availability Impact:	None

Errata information

Platform	Errata	Release Date
Oracle Enterprise Linux version 4 (xmlsec1)	ELSA-2009-1428	2009-09-09
Oracle Linux version 5 (java-1.6.0-openjdk)	ELSA-2009-1201	2009-08-06
Oracle Linux version 5 (xmlsec1)	ELSA-2009-1428	2009-09-09