Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
1

CVE-2009-0217

Disclosure Date: July 14, 2009
CVE-2009-0217
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

Products

References

Canonical
CVE-2009-0217 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0217)
BID-35671 (http://www.securityfocus.com/bid/35671)
Advisory
https://rhn.redhat.com/errata/RHSA-2009-1428.html
ADV-2009-3122 (http://www.vupen.com/english/advisories/2009/3122)
http://www.openoffice.org/security/cves/CVE-2009-0217.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
SECUNIA-60799 (http://secunia.com/advisories/60799)
GLSA-201408-19 (http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml)
PK80596 (http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023545&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere)
https://rhn.redhat.com/errata/RHSA-2009-1200.html
SECUNIA-35776 (http://secunia.com/advisories/35776)
SECUNIA-36162 (http://secunia.com/advisories/36162)
SECUNIA-36494 (http://secunia.com/advisories/36494)
ADV-2009-2543 (http://www.vupen.com/english/advisories/2009/2543)
SECUNIA-35858 (http://secunia.com/advisories/35858)
SECUNIA-38695 (http://secunia.com/advisories/38695)
SUNALERT-269208 (http://sunsolve.sun.com/search/document.do?assetkey=1-66-269208-1)
DSA-1995 (http://www.debian.org/security/2010/dsa-1995)
HPSBUX02476 (http://marc.info?l=bugtraq&m=125787273209737&w=2)
SECUNIA-35853 (http://secunia.com/advisories/35853)
https://rhn.redhat.com/errata/RHSA-2009-1637.html
http://www.redhat.com/support/errata/RHSA-2009-1694.html
SECUNIA-35852 (http://secunia.com/advisories/35852)
SECUNIA-35854 (http://secunia.com/advisories/35854)
SECUNIA-34461 (http://secunia.com/advisories/34461)
http://www.kb.cert.org/vuls/id/WDON-7TY529
http://www.mono-project.com/Vulnerabilities
SUNALERT-1020710 (http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020710.1-1)
USN-903-1 (http://www.ubuntu.com/usn/USN-903-1)
https://issues.apache.org/bugzilla/show_bug.cgi?id=47527
ADV-2010-0366 (http://www.vupen.com/english/advisories/2010/0366)
OSVDB-55907 (http://osvdb.org/55907)
http://www.mandriva.com/security/advisories?name=MDVSA-2009:209
http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html
SECUNIA-38567 (http://secunia.com/advisories/38567)
FEDORA-2009-8329 (https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html)
SUNALERT-263429 (http://sunsolve.sun.com/search/document.do?assetkey=1-66-263429-1)
http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161
ADV-2009-1900 (http://www.vupen.com/english/advisories/2009/1900)
SECTRACK-1022561 (http://www.securitytracker.com/id?1022561)
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
SECUNIA-37671 (http://secunia.com/advisories/37671)
VU#466161 (http://www.kb.cert.org/vuls/id/466161)
SECTRACK-1022567 (http://www.securitytracker.com/id?1022567)
https://rhn.redhat.com/errata/RHSA-2009-1636.html
PK80627 (http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023723&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere)
https://rhn.redhat.com/errata/RHSA-2009-1649.html
http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html
TA09-294A (http://www.us-cert.gov/cas/techalerts/TA09-294A.html)
ADV-2009-1909 (http://www.vupen.com/english/advisories/2009/1909)
ADV-2010-0635 (http://www.vupen.com/english/advisories/2010/0635)
http://svn.apache.org/viewvc?revision=794013&view=revision
SECUNIA-38568 (http://secunia.com/advisories/38568)
SECUNIA-36180 (http://secunia.com/advisories/36180)
FEDORA-2009-8456 (https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00494.html)
http://www.w3.org/2008/06/xmldsigcore-errata.html#e03
USN-826-1 (https://usn.ubuntu.com/826-1)
SECUNIA-37841 (http://secunia.com/advisories/37841)
http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html
http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1
SECUNIA-35855 (http://secunia.com/advisories/35855)
FEDORA-2009-8473 (https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00505.html)
SECUNIA-36176 (http://secunia.com/advisories/36176)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7158
ADV-2009-1908 (http://www.vupen.com/english/advisories/2009/1908)
FEDORA-2009-8337 (https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html)
http://git.gnome.org/cgit/xmlsec/commit?id=34b349675af9f72eb822837a8772cc1ead7115c7
http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21384925
SECUNIA-41818 (http://secunia.com/advisories/41818)
SECTRACK-1022661 (http://www.securitytracker.com/id?1022661)
SECUNIA-37300 (http://secunia.com/advisories/37300)
ADV-2009-1911 (http://www.vupen.com/english/advisories/2009/1911)
APPLE-SA-2009-09-03-1 (http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html)
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8717
https://rhn.redhat.com/errata/RHSA-2009-1201.html
http://git.gnome.org/cgit/xmlsec/patch?id=34b349675af9f72eb822837a8772cc1ead7115c7
http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ
TA10-159B (http://www.us-cert.gov/cas/techalerts/TA10-159B.html)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10186
OSVDB-55895 (http://osvdb.org/55895)
http://www.aleksey.com/xmlsec
MS10-041 (https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-041)
SECUNIA-38921 (http://secunia.com/advisories/38921)
https://rhn.redhat.com/errata/RHSA-2009-1650.html
https://bugzilla.redhat.com/show_bug.cgi?id=511915
Miscellaneous
http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis