IETF and W3C XML Digital Signature Specification HMAC Truncation Authentication Bypass Vulnerability

Bugtraq ID: 35671
Class: Design Error
CVE: CVE-2009-0217
Remote: Yes
Local: No
Published: Jul 14 2009 12:00AM
Updated: Mar 16 2010 04:42PM
Credit: Thomas Roessler
Vulnerable: XML Security Library XML Security Library 1.2.11
Ubuntu Ubuntu Linux 9.10 sparc
Ubuntu Ubuntu Linux 9.10 powerpc
Ubuntu Ubuntu Linux 9.10 lpia
Ubuntu Ubuntu Linux 9.10 i386
Ubuntu Ubuntu Linux 9.10 amd64
Ubuntu Ubuntu Linux 9.04 sparc
Ubuntu Ubuntu Linux 9.04 powerpc
Ubuntu Ubuntu Linux 9.04 lpia
Ubuntu Ubuntu Linux 9.04 i386
Ubuntu Ubuntu Linux 9.04 amd64
Ubuntu Ubuntu Linux 8.10 sparc
Ubuntu Ubuntu Linux 8.10 powerpc
Ubuntu Ubuntu Linux 8.10 lpia
Ubuntu Ubuntu Linux 8.10 i386
Ubuntu Ubuntu Linux 8.10 amd64
Ubuntu Ubuntu Linux 8.04 LTS sparc
Ubuntu Ubuntu Linux 8.04 LTS powerpc
Ubuntu Ubuntu Linux 8.04 LTS lpia
Ubuntu Ubuntu Linux 8.04 LTS i386
Ubuntu Ubuntu Linux 8.04 LTS amd64
SuSE SUSE Linux Enterprise SDK 10 SP3
SuSE SUSE Linux Enterprise SDK 10 SP2
SuSE OpenOffice for Windows 0
Sun OpenJDK 6 Build b12
Sun JRE (Linux Production Release) 1.6 _13
Sun JRE (Linux Production Release) 1.6 _12
Sun JRE (Linux Production Release) 1.6 _10
Sun JRE (Linux Production Release) 1.6 _07
Sun JRE (Linux Production Release) 1.6 _06
Sun JRE (Linux Production Release) 1.6 _05
Sun JRE (Linux Production Release) 1.6 _04
Sun JRE (Linux Production Release) 1.6.0_14
Sun JRE (Linux Production Release) 1.6.0_11
Sun JRE (Linux Production Release) 1.6.0_03
Sun JRE (Linux Production Release) 1.6.0_02
Sun JRE (Linux Production Release) 1.6.0_01
Sun JDK (Windows Production Release) 1.6.0_03
Sun JDK (Windows Production Release) 1.6.0_02
Sun JDK (Windows Production Release) 1.6.0_01-b06
Sun JDK (Windows Production Release) 1.6.0_01
Sun JDK (Solaris Production Release) 1.6.0_03
Sun JDK (Solaris Production Release) 1.6.0_02
Sun JDK (Solaris Production Release) 1.6.0_01
Sun JDK (Linux Production Release) 1.6 _14
Sun JDK (Linux Production Release) 1.6 _13
Sun JDK (Linux Production Release) 1.6 _11
Sun JDK (Linux Production Release) 1.6 _10
Sun JDK (Linux Production Release) 1.6 _07
Sun JDK (Linux Production Release) 1.6 _06
Sun JDK (Linux Production Release) 1.6 _05
Sun JDK (Linux Production Release) 1.6 _04
Sun JDK (Linux Production Release) 1.6 _01
Sun JDK (Linux Production Release) 1.6
Sun JDK (Linux Production Release) 1.6.0_03
Sun JDK (Linux Production Release) 1.6.0_02
Sun Glassfish Enterprise Server 2.1
S.u.S.E. SUSE Linux Enterprise Server 11
S.u.S.E. SUSE Linux Enterprise Desktop 11
S.u.S.E. SUSE Linux Enterprise Desktop 10 SP3
S.u.S.E. SUSE Linux Enterprise Desktop 10 SP2
S.u.S.E. SUSE Linux Enterprise 11
S.u.S.E. openSUSE 11.2
S.u.S.E. openSUSE 11.1
S.u.S.E. openSUSE 11.0
S.u.S.E. Novell Linux Desktop 9
RSA Security Federated Identity Manager 0
RSA Security BSAFE SSL-J 0
RSA Security BSAFE Cert-J 0
RedHat Network Satellite (for RHEL 5 Server) 5.3
RedHat Network Satellite (for RHEL 4 AS) 5.3
RedHat JBoss Enterprise Application Platform 4.3 EL5
RedHat JBoss Enterprise Application Platform 4.3 EL4
RedHat JBoss Enterprise Application Platform 4.3
RedHat JBoss Enterprise Application Platform 4.2 EL5
RedHat JBoss Enterprise Application Platform 4.2 EL4
RedHat JBoss Enterprise Application Platform 4.2
RedHat Fedora 11
RedHat Fedora 10
RedHat Enterprise Linux WS Extras 4
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux Supplementary EUS 5.3.z
RedHat Enterprise Linux Supplementary 5 server
RedHat Enterprise Linux Extras 4.8.z
RedHat Enterprise Linux Extras 4
RedHat Enterprise Linux EUS 5.3.z server
RedHat Enterprise Linux ES Extras 4
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux Desktop Workstation 5 client
RedHat Enterprise Linux Desktop Supplementary 5 client
RedHat Enterprise Linux Desktop 5 client
RedHat Enterprise Linux AS Extras 4
RedHat Enterprise Linux AS 4
RedHat Enterprise Linux Desktop version 4
RedHat Enterprise Linux 5 server
RedHat Desktop Extras 4
Pardus Linux 2008 0
Oracle Weblogic Server 9.3 MP3
Oracle Weblogic Server 9.2
Oracle Weblogic Server 9.1 GA
Oracle Weblogic Server 9.0 GA
Oracle Weblogic Server 8.1 SP6
Oracle Weblogic Server 8.1
Oracle Weblogic Server 10.3
Oracle Weblogic Server 10.0 MP1
Oracle Oracle10g Application Server 10.1.3 .4.0
Oracle Oracle10g Application Server 10.1.3 .3.0
Oracle Oracle10g Application Server 10.1.3 .2.0
Oracle Oracle10g Application Server 10.1.2.3.0
Oracle JRockit R27.6.3
Oracle JRockit R27.6.2
Oracle JRockit R27.6.0
Oracle JRockit R27.1.0
OpenOffice OpenOffice 3.1.1
OpenOffice OpenOffice 3.1
OpenOffice OpenOffice 2.4.3
OpenOffice OpenOffice 2.4.2
OpenOffice OpenOffice 2.4.1
OpenOffice OpenOffice 2.3.1
OpenOffice OpenOffice 2.3
OpenOffice OpenOffice 2.2.1
OpenOffice OpenOffice 2.2
OpenOffice OpenOffice 2.0.4
OpenOffice OpenOffice 2.0.3 -1
OpenOffice OpenOffice 2.0.3
OpenOffice OpenOffice 2.0.2
OpenOffice OpenOffice 2.0.1
OpenOffice OpenOffice 2.0 Beta
OpenOffice OpenOffice 2.4
OpenOffice OpenOffice 2.2
OpenOffice OpenOffice 2.1
Mono Mono 2.4.2 .1
Mono Mono 2.4.2
Mono Mono 2.0
Mono Mono 1.2.5 2
Mono Mono 1.2.5 1
Mono Mono 1.1.18
Mono Mono 1.1.17
Mono Mono 1.1.13
Mono Mono 1.1.4
Mono Mono 1.0.5
Mono Mono 1.0
Mono Mono 1.1.8.3
Mono Mono 1.1.17.1
Mono Mono 1.1.13.7
Mono Mono 1.1.13.6
Mono Mono 1.1.13.4
MandrakeSoft Linux Mandrake 2009.1 x86_64
MandrakeSoft Linux Mandrake 2009.1
MandrakeSoft Linux Mandrake 2009.0 x86_64
MandrakeSoft Linux Mandrake 2009.0
MandrakeSoft Linux Mandrake 2008.1 x86_64
MandrakeSoft Linux Mandrake 2008.1
MandrakeSoft Linux Mandrake 2008.0 x86_64
MandrakeSoft Linux Mandrake 2008.0
MandrakeSoft Enterprise Server 5 x86_64
MandrakeSoft Enterprise Server 5
IBM Websphere Application Server 6.1 .9
IBM Websphere Application Server 6.1 .8
IBM Websphere Application Server 6.1 .7
IBM Websphere Application Server 6.1 .6
IBM Websphere Application Server 6.1 .5
IBM Websphere Application Server 6.1 .4
IBM Websphere Application Server 6.1 .3
IBM Websphere Application Server 6.1 .23
IBM Websphere Application Server 6.1 .22
IBM Websphere Application Server 6.1 .21
IBM Websphere Application Server 6.1 .20
IBM Websphere Application Server 6.1 .2
IBM Websphere Application Server 6.1 .19
IBM Websphere Application Server 6.1 .18
IBM Websphere Application Server 6.1 .17
IBM Websphere Application Server 6.1 .15
IBM Websphere Application Server 6.1 .14
IBM Websphere Application Server 6.1 .13
IBM Websphere Application Server 6.1 .12
IBM Websphere Application Server 6.1 .11
IBM Websphere Application Server 6.1 .10
IBM Websphere Application Server 6.1 .1
IBM Websphere Application Server 6.1
IBM Websphere Application Server 6.0.2 .9
IBM Websphere Application Server 6.0.2 .7
IBM Websphere Application Server 6.0.2 .5
IBM Websphere Application Server 6.0.2 .33
IBM Websphere Application Server 6.0.2 .31
IBM Websphere Application Server 6.0.2 .3
IBM Websphere Application Server 6.0.2 .29
IBM Websphere Application Server 6.0.2 .27
IBM Websphere Application Server 6.0.2 .25
IBM Websphere Application Server 6.0.2 .24
IBM Websphere Application Server 6.0.2 .23
IBM Websphere Application Server 6.0.2 .22
IBM Websphere Application Server 6.0.2 .21
IBM Websphere Application Server 6.0.2 .19
IBM Websphere Application Server 6.0.2 .17
IBM Websphere Application Server 6.0.2 .15
IBM Websphere Application Server 6.0.2 .13
IBM Websphere Application Server 6.0.2 .11
IBM Websphere Application Server 6.0.2 .1
IBM Websphere Application Server 6.0.2
IBM Websphere Application Server 6.0.1
IBM Websphere Application Server 6.0
IBM Websphere Application Server 7.0.0.1
IBM Websphere Application Server 7.0
IBM Websphere Application Server 6.0.2.19
IBM Websphere Application Server 6.0.2 Fix Pack 17
IBM Java SE 6.0 SR5
HP HP-UX 11.23
HP HP-UX 11.11
HP HP-UX 11.31
Debian Linux 5.0 sparc
Debian Linux 5.0 s/390
Debian Linux 5.0 powerpc
Debian Linux 5.0 mipsel
Debian Linux 5.0 mips
Debian Linux 5.0 m68k
Debian Linux 5.0 ia-64
Debian Linux 5.0 ia-32
Debian Linux 5.0 hppa
Debian Linux 5.0 armel
Debian Linux 5.0 arm
Debian Linux 5.0 amd64
Debian Linux 5.0 alpha
Debian Linux 5.0
Debian Linux 4.0 sparc
Debian Linux 4.0 s/390
Debian Linux 4.0 powerpc
Debian Linux 4.0 mipsel
Debian Linux 4.0 mips
Debian Linux 4.0 m68k
Debian Linux 4.0 ia-64
Debian Linux 4.0 ia-32
Debian Linux 4.0 hppa
Debian Linux 4.0 armel
Debian Linux 4.0 arm
Debian Linux 4.0 amd64
Debian Linux 4.0 alpha
Debian Linux 4.0
BEA Systems Weblogic Server 9.2.2
BEA Systems Weblogic Server 9.2.1
BEA Systems Weblogic Server 9.2
BEA Systems Weblogic Server 9.1
BEA Systems Weblogic Server 8.1.6
BEA Systems Weblogic Server 8.1.4
BEA Systems Weblogic Server 8.1 SP 6
BEA Systems Weblogic Server 8.1 SP 5
BEA Systems Weblogic Server 8.1 SP 4
BEA Systems Weblogic Server 8.1 SP 3
BEA Systems Weblogic Server 8.1 SP 2
BEA Systems Weblogic Server 8.1 SP 1
BEA Systems Weblogic Server 8.1
BEA Systems Weblogic Server 1.0 .1
BEA Systems Weblogic Server 1.0 .0
BEA Systems Weblogic Server 9.2 Maintenance Pack
BEA Systems Weblogic Server 9.2
BEA Systems Weblogic Server 9.1
BEA Systems Weblogic Server 9.1
BEA Systems Weblogic Server 9.0
BEA Systems Weblogic Server 8.1 SP6
BEA Systems Weblogic Server 8.1
BEA Systems Weblogic Server 10.3
BEA Systems Weblogic Server 10.0 MP1
BEA Systems Weblogic Server 10.0 Maintenance Pac
BEA Systems Weblogic Server 10.0
BEA Systems Weblogic Server 10.0
Avaya Messaging Storage Server MSS 3.0
Avaya Messaging Storage Server MM3.0
Avaya Messaging Storage Server 5.0
Avaya Messaging Storage Server 4.0
Avaya Messaging Storage Server 3.1
Avaya Message Networking MN 3.1
Avaya Message Networking 3.1
Avaya Message Networking
Avaya Intuity AUDIX LX 2.0 SP2
Avaya Intuity AUDIX LX 2.0 SP1
Avaya Intuity AUDIX LX 2.0
Apple Mac OS X Server 10.5.8
Apple Mac OS X Server 10.5.7
Apple Mac OS X Server 10.5.6
Apple Mac OS X Server 10.5.5
Apple Mac OS X Server 10.5.4
Apple Mac OS X Server 10.5.3
Apple Mac OS X Server 10.5.2
Apple Mac OS X Server 10.5.1
Apple Mac OS X Server 10.5
Apple Mac OS X 10.5.8
Apple Mac OS X 10.5.7
Apple Mac OS X 10.5.6
Apple Mac OS X 10.5.5
Apple Mac OS X 10.5.4
Apple Mac OS X 10.5.3
Apple Mac OS X 10.5.2
Apple Mac OS X 10.5.1
Apple Mac OS X 10.5
Apache Software Foundation XML Security 1.4.2
Apache Software Foundation XML Security 1.0.4
Not Vulnerable: XML Security Library XML Security Library 1.2.12
Sun JRE (Linux Production Release) 1.6.0_15
Sun JDK (Windows Production Release) 1.6.0_15
Sun JDK (Solaris Production Release) 1.6.0_15
Sun JDK (Linux Production Release) 1.6.0_15
OpenOffice OpenOffice 3.2
IBM Websphere Application Server 7.0 3
IBM Websphere Application Server 6.1 .25
IBM Websphere Application Server 6.0.2 .35


 

Privacy Statement
Copyright 2010, SecurityFocus