IETF and W3C XML Digital Signature Specification HMAC Truncation Authentication Bypass Vulnerability

Bugtraq ID: 35671
Class: Design Error
CVE: CVE-2009-0217
Remote: Yes
Local: No
Published: Jul 14 2009 12:00AM
Updated: Sep 02 2014 12:04AM
Credit: Thomas Roessler
Vulnerable: XML Security Library XML Security Library 1.2.11
Ubuntu Ubuntu Linux 9.10 sparc
Ubuntu Ubuntu Linux 9.10 powerpc
Ubuntu Ubuntu Linux 9.10 lpia
Ubuntu Ubuntu Linux 9.10 i386
Ubuntu Ubuntu Linux 9.10 amd64
Ubuntu Ubuntu Linux 9.04 sparc
Ubuntu Ubuntu Linux 9.04 powerpc
Ubuntu Ubuntu Linux 9.04 lpia
Ubuntu Ubuntu Linux 9.04 i386
Ubuntu Ubuntu Linux 9.04 amd64
Ubuntu Ubuntu Linux 8.10 sparc
Ubuntu Ubuntu Linux 8.10 powerpc
Ubuntu Ubuntu Linux 8.10 lpia
Ubuntu Ubuntu Linux 8.10 i386
Ubuntu Ubuntu Linux 8.10 amd64
Ubuntu Ubuntu Linux 8.04 LTS sparc
Ubuntu Ubuntu Linux 8.04 LTS powerpc
Ubuntu Ubuntu Linux 8.04 LTS lpia
Ubuntu Ubuntu Linux 8.04 LTS i386
Ubuntu Ubuntu Linux 8.04 LTS amd64
SuSE SUSE Linux Enterprise Server 11
SuSE SUSE Linux Enterprise SDK 10 SP3
SuSE SUSE Linux Enterprise SDK 10 SP2
SuSE SUSE Linux Enterprise Desktop 11
SuSE SUSE Linux Enterprise Desktop 10 SP3
SuSE SUSE Linux Enterprise Desktop 10 SP2
SuSE SUSE Linux Enterprise 11
SuSE OpenOffice for Windows 0
Sun OpenSSO Enterprise 8.0
Sun OpenSSO Enterprise 0
Sun OpenJDK 6 Build b12
Sun JRE (Linux Production Release) 1.6.0_13
Sun JRE (Linux Production Release) 1.6.0_12
Sun JRE (Linux Production Release) 1.6.0_10
Sun JRE (Linux Production Release) 1.6.0_07
Sun JRE (Linux Production Release) 1.6.0_06
Sun JRE (Linux Production Release) 1.6.0_05
Sun JRE (Linux Production Release) 1.6.0_04
Sun JRE (Linux Production Release) 1.6.0_14
Sun JRE (Linux Production Release) 1.6.0_11
Sun JRE (Linux Production Release) 1.6.0_03
Sun JRE (Linux Production Release) 1.6.0_02
Sun JRE (Linux Production Release) 1.6.0_01
Sun JDK (Windows Production Release) 1.6.0_03
Sun JDK (Windows Production Release) 1.6.0_02
Sun JDK (Windows Production Release) 1.6.0_01-b06
Sun JDK (Windows Production Release) 1.6.0_01
Sun JDK (Solaris Production Release) 1.6.0_03
Sun JDK (Solaris Production Release) 1.6.0_02
Sun JDK (Solaris Production Release) 1.6.0_01
Sun JDK (Linux Production Release) 1.6.0_14
Sun JDK (Linux Production Release) 1.6.0_13
Sun JDK (Linux Production Release) 1.6.0_11
Sun JDK (Linux Production Release) 1.6.0_10
Sun JDK (Linux Production Release) 1.6.0_07
Sun JDK (Linux Production Release) 1.6.0_06
Sun JDK (Linux Production Release) 1.6.0_05
Sun JDK (Linux Production Release) 1.6.0_04
Sun JDK (Linux Production Release) 1.6.0_01
Sun JDK (Linux Production Release) 1.6
Sun JDK (Linux Production Release) 1.6.0_03
Sun JDK (Linux Production Release) 1.6.0_02
Sun Glassfish Enterprise Server 2.1
S.u.S.E. openSUSE 11.2
S.u.S.E. openSUSE 11.1
S.u.S.E. openSUSE 11.0
S.u.S.E. Novell Linux Desktop 9.0
RSA Security Federated Identity Manager 0
RSA Security BSAFE SSL-J 0
RSA Security BSAFE Cert-J 0
RedHat Network Satellite (for RHEL 5 Server) 5.3
RedHat Network Satellite (for RHEL 4 AS) 5.3
RedHat Enterprise Linux WS Extras 4
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux Supplementary EUS 5.3.z
RedHat Enterprise Linux Extras 4.8.z
RedHat Enterprise Linux Extras 4
RedHat Enterprise Linux ES Extras 4
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux Desktop Workstation 5 client
RedHat Enterprise Linux AS Extras 4
RedHat Enterprise Linux Desktop version 4
RedHat Desktop Extras 4
Red Hat JBoss Enterprise Application Platform 4.3 EL5
Red Hat JBoss Enterprise Application Platform 4.3 EL4
Red Hat JBoss Enterprise Application Platform 4.3
Red Hat JBoss Enterprise Application Platform 4.2 EL5
Red Hat JBoss Enterprise Application Platform 4.2 EL4
Red Hat JBoss Enterprise Application Platform 4.2
Red Hat Fedora 11
Red Hat Fedora 10
Red Hat Enterprise Linux Supplementary 5 server
Red Hat Enterprise Linux EUS 5.3.z server
Red Hat Enterprise Linux Desktop Supplementary 5 client
Red Hat Enterprise Linux Desktop 5 client
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux 5 Server
Pardus Linux 2009 0
Pardus Linux 2008 0
Oracle Weblogic Server 9.3 MP3
Oracle Weblogic Server 9.2
Oracle Weblogic Server 9.1 GA
Oracle Weblogic Server 9.0 GA
Oracle Weblogic Server 8.1 SP6
Oracle Weblogic Server 8.1
Oracle Weblogic Server 10.3
Oracle Weblogic Server 10.0 MP1
Oracle Oracle10g Application Server 10.1.3.4.0
Oracle Oracle10g Application Server 10.1.3.3.0
Oracle Oracle10g Application Server 10.1.3.2.0
Oracle Oracle10g Application Server 10.1.2.3.0
Oracle JRockit R27.6.3
Oracle JRockit R27.6.2
Oracle JRockit R27.6.0
Oracle JRockit R27.1.0
OpenOffice OpenOffice 3.1.1
OpenOffice OpenOffice 3.1
OpenOffice OpenOffice 2.4.3
OpenOffice OpenOffice 2.4.2
OpenOffice OpenOffice 2.4.1
OpenOffice OpenOffice 2.3.1
OpenOffice OpenOffice 2.3
OpenOffice OpenOffice 2.2.1
OpenOffice OpenOffice 2.2
OpenOffice OpenOffice 2.0.4
OpenOffice OpenOffice 2.0.3 -1
OpenOffice OpenOffice 2.0.3
OpenOffice OpenOffice 2.0.2
OpenOffice OpenOffice 2.0.1
OpenOffice OpenOffice 2.0 Beta
OpenOffice OpenOffice 2.4
OpenOffice OpenOffice 2.1
Mono Mono 2.4.2.1
Mono Mono 2.4.2
Mono Mono 2.0
Mono Mono 1.2.5.2
Mono Mono 1.2.5.1
Mono Mono 1.1.18
Mono Mono 1.1.17
Mono Mono 1.1.13
Mono Mono 1.1.4
Mono Mono 1.0.5
Mono Mono 1.0
Mono Mono 1.1.8.3
Mono Mono 1.1.17.1
Mono Mono 1.1.13.7
Mono Mono 1.1.13.6
Mono Mono 1.1.13.4
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 2.0 SP2
Microsoft .NET Framework 1.1 SP3
Microsoft .NET Framework 1.1 SP2
Microsoft .NET Framework 1.1 SP1
Mandriva Linux Mandrake 2009.1 x86_64
Mandriva Linux Mandrake 2009.1
Mandriva Linux Mandrake 2009.0 x86_64
Mandriva Linux Mandrake 2009.0
Mandriva Linux Mandrake 2008.1 x86_64
Mandriva Linux Mandrake 2008.1
Mandriva Linux Mandrake 2008.0 x86_64
Mandriva Linux Mandrake 2008.0
MandrakeSoft Enterprise Server 5 x86_64
MandrakeSoft Enterprise Server 5
IBM Websphere Application Server 6.1.0.9
IBM Websphere Application Server 6.1.0.8
IBM Websphere Application Server 6.1.0.7
IBM Websphere Application Server 6.1.0.6
IBM Websphere Application Server 6.1.0.5
IBM Websphere Application Server 6.1.0.4
IBM Websphere Application Server 6.1.0.3
IBM Websphere Application Server 6.1.0.23
IBM Websphere Application Server 6.1.0.22
IBM Websphere Application Server 6.1.0.21
IBM Websphere Application Server 6.1.0.20
IBM Websphere Application Server 6.1.0.2
IBM Websphere Application Server 6.1.0.19
IBM Websphere Application Server 6.1.0.18
IBM Websphere Application Server 6.1.0.17
IBM Websphere Application Server 6.1.0.15
IBM Websphere Application Server 6.1.0.14
IBM Websphere Application Server 6.1.0.13
IBM Websphere Application Server 6.1.0.12
IBM Websphere Application Server 6.1.0.11
IBM Websphere Application Server 6.1.0.10
IBM Websphere Application Server 6.1.0.1
IBM Websphere Application Server 6.1
IBM Websphere Application Server 6.0.2.9
IBM Websphere Application Server 6.0.2.7
IBM Websphere Application Server 6.0.2.5
IBM Websphere Application Server 6.0.2.33
IBM Websphere Application Server 6.0.2.31
IBM Websphere Application Server 6.0.2.3
IBM Websphere Application Server 6.0.2.29
IBM Websphere Application Server 6.0.2.27
IBM Websphere Application Server 6.0.2.25
IBM Websphere Application Server 6.0.2.24
IBM Websphere Application Server 6.0.2.23
IBM Websphere Application Server 6.0.2.22
IBM Websphere Application Server 6.0.2.21
IBM Websphere Application Server 6.0.2.17
IBM Websphere Application Server 6.0.2.15
IBM Websphere Application Server 6.0.2.13
IBM Websphere Application Server 6.0.2.11
IBM Websphere Application Server 6.0.2.1
IBM Websphere Application Server 6.0.2
IBM Websphere Application Server 6.0.1
IBM Websphere Application Server 6.0
IBM Websphere Application Server 7.0.0.1
IBM Websphere Application Server 7.0
IBM Websphere Application Server 6.0.2.19
IBM Websphere Application Server 6.0.2 Fix Pack 17
IBM Java SE 6.0 SR5
HP HP-UX 11.23
HP HP-UX 11.11
HP HP-UX 11.31
Gentoo Linux
Debian Linux 5.0 sparc
Debian Linux 5.0 s/390
Debian Linux 5.0 powerpc
Debian Linux 5.0 mipsel
Debian Linux 5.0 mips
Debian Linux 5.0 m68k
Debian Linux 5.0 ia-64
Debian Linux 5.0 ia-32
Debian Linux 5.0 hppa
Debian Linux 5.0 armel
Debian Linux 5.0 arm
Debian Linux 5.0 amd64
Debian Linux 5.0 alpha
Debian Linux 5.0
Debian Linux 4.0 sparc
Debian Linux 4.0 s/390
Debian Linux 4.0 powerpc
Debian Linux 4.0 mipsel
Debian Linux 4.0 mips
Debian Linux 4.0 m68k
Debian Linux 4.0 ia-64
Debian Linux 4.0 ia-32
Debian Linux 4.0 hppa
Debian Linux 4.0 armel
Debian Linux 4.0 arm
Debian Linux 4.0 amd64
Debian Linux 4.0 alpha
Debian Linux 4.0
BEA Systems Weblogic Server 9.2.2
BEA Systems Weblogic Server 9.2.1
BEA Systems Weblogic Server 9.2
BEA Systems Weblogic Server 9.1
BEA Systems Weblogic Server 8.1.6
BEA Systems Weblogic Server 8.1.4
BEA Systems Weblogic Server 8.1 SP 6
BEA Systems Weblogic Server 8.1 SP 5
BEA Systems Weblogic Server 8.1 SP 4
BEA Systems Weblogic Server 8.1 SP 3
BEA Systems Weblogic Server 8.1 SP 2
BEA Systems Weblogic Server 8.1 SP 1
BEA Systems Weblogic Server 8.1
BEA Systems Weblogic Server 1.0 .1
BEA Systems Weblogic Server 1.0 .0
BEA Systems Weblogic Server 9.2 Maintenance Pack
BEA Systems Weblogic Server 9.0
BEA Systems Weblogic Server 8.1 SP6
BEA Systems Weblogic Server 10.3
BEA Systems Weblogic Server 10.0 MP1
BEA Systems Weblogic Server 10.0 Maintenance Pack
BEA Systems Weblogic Server 10.0
Avaya Messaging Storage Server MM3.0
Avaya Messaging Storage Server 5.0
Avaya Messaging Storage Server 4.0
Avaya Messaging Storage Server 3.1
Avaya Messaging Application Server MM 3.1
Avaya Messaging Application Server MM 3.0
Avaya Messaging Application Server MM 2.0
Avaya Messaging Application Server MM 1.1
Avaya Messaging Application Server 5
Avaya Messaging Application Server 4
Avaya Messaging Application Server 0
Avaya Message Networking MN 3.1
Avaya Message Networking 3.1
Avaya Message Networking
Avaya Meeting Exchange - Webportal 0
Avaya Meeting Exchange - Web Conferencing Server 0
Avaya Meeting Exchange - Streaming Server 0
Avaya Meeting Exchange - Recording Server 0
Avaya Meeting Exchange - Client Registration Server 0
Avaya Intuity AUDIX LX 2.0 SP2
Avaya Intuity AUDIX LX 2.0 SP1
Avaya Intuity AUDIX LX 2.0
Apple Mac OS X Server 10.5.8
Apple Mac OS X Server 10.5.7
Apple Mac OS X Server 10.5.6
Apple Mac OS X Server 10.5.5
Apple Mac OS X Server 10.5.4
Apple Mac OS X Server 10.5.3
Apple Mac OS X Server 10.5.2
Apple Mac OS X Server 10.5.1
Apple Mac OS X Server 10.5
Apple Mac OS X 10.5.8
Apple Mac OS X 10.5.7
Apple Mac OS X 10.5.6
Apple Mac OS X 10.5.5
Apple Mac OS X 10.5.4
Apple Mac OS X 10.5.3
Apple Mac OS X 10.5.2
Apple Mac OS X 10.5.1
Apple Mac OS X 10.5
Apache Software Foundation XML Security 1.4.2
Apache Software Foundation XML Security 1.0.4
Not Vulnerable: XML Security Library XML Security Library 1.2.12
Sun JRE (Linux Production Release) 1.6.0_15
Sun JDK (Windows Production Release) 1.6.0_15
Sun JDK (Solaris Production Release) 1.6.0_15
Sun JDK (Linux Production Release) 1.6.0_15
OpenOffice OpenOffice 3.2
IBM Websphere Application Server 7.0.0.3
IBM Websphere Application Server 6.1.0.25
IBM Websphere Application Server 6.0.2.35
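The record names the flaw (an HMAC verifier that honours the signature's own HMACOutputLength, so an attacker can ask it to compare only a bit or two) but does not show it. The following is an added illustration written for this page, not code from SecurityFocus, the W3C, or any product listed above. It puts the pre-fix behaviour beside a verifier that applies the floor the XML Signature erratum adopted for this issue (HMACOutputLength of at least 80 bits and at least half the digest length, never more than the digest), and shows a keyless attacker forging a signature by enumerating the few possible truncated tags. Assumptions: Python 3 standard library only; canonicalisation of SignedInfo is skipped and a constructed byte string stands in for the canonical octets; the shared key, the signed octets and the ds:Signature XML are all constructed here, and the algorithm URIs are the real XMLDSig HMAC-SHA1 and xmldsig-more HMAC-SHA256 identifiers.

```python
# Added example for CVE-2009-0217: HMACOutputLength truncation in XML Signature.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
HMAC_SHA1 = DSIG_NS + "hmac-sha1"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
HMAC_ALGORITHMS = {HMAC_SHA1: hashlib.sha1, HMAC_SHA256: hashlib.sha256}
MIN_HMAC_OUTPUT_BITS = 80  # absolute floor adopted in the XML Signature erratum for this issue

# Constructed stand-in for the canonicalised <SignedInfo> octets. A real verifier runs
# Canonical XML over the element first; that step is left out of this example.
SIGNED_INFO_OCTETS = b"<ds:SignedInfo>...canonicalised stand-in...</ds:SignedInfo>"
SHARED_KEY = b"constructed-shared-secret-for-the-example"


def truncate_bits(mac: bytes, bits: int) -> bytes:
    """Leftmost `bits` bits of `mac`, zero-padded in the last byte (XMLDSig keeps the leading bits)."""
    if bits >= len(mac) * 8:
        return mac
    nbytes = (bits + 7) // 8
    out = bytearray(mac[:nbytes])
    if bits % 8:
        out[-1] &= (0xFF << (8 - bits % 8)) & 0xFF
    return bytes(out)


def make_signature_xml(sig_bytes: bytes, output_length=None, alg=HMAC_SHA1) -> str:
    """Minimal ds:Signature; only the parts this example inspects are present."""
    hol = "" if output_length is None else f"<ds:HMACOutputLength>{output_length}</ds:HMACOutputLength>"
    return (f'<ds:Signature xmlns:ds="{DSIG_NS}"><ds:SignedInfo>'
            f'<ds:SignatureMethod Algorithm="{alg}">{hol}</ds:SignatureMethod></ds:SignedInfo>'
            f'<ds:SignatureValue>{base64.b64encode(sig_bytes).decode()}</ds:SignatureValue></ds:Signature>')


def parse_signature(xml_text: str):
    """Return (algorithm URI, HMACOutputLength or None, raw SignatureValue bytes)."""
    root = ET.fromstring(xml_text)
    method = root.find(f"{{{DSIG_NS}}}SignedInfo/{{{DSIG_NS}}}SignatureMethod")
    hol = method.find(f"{{{DSIG_NS}}}HMACOutputLength")  # attacker-controlled in the attack
    sig_text = root.find(f"{{{DSIG_NS}}}SignatureValue").text or ""
    return method.get("Algorithm"), None if hol is None else int(hol.text), base64.b64decode(sig_text.strip())


def output_length_allowed(output_length: int, alg: str) -> bool:
    """The fix: at least 80 bits, at least half the digest, and never more than the digest."""
    full_bits = HMAC_ALGORITHMS[alg]().digest_size * 8
    return max(MIN_HMAC_OUTPUT_BITS, full_bits // 2) <= output_length <= full_bits


def sign(key: bytes, signed_octets: bytes, output_length=None, alg=HMAC_SHA1) -> str:
    """Legitimate signer: full HMAC, or truncated to output_length bits when one is requested."""
    mac = hmac.new(key, signed_octets, HMAC_ALGORITHMS[alg]).digest()
    if output_length is not None:
        mac = truncate_bits(mac, output_length)
    return make_signature_xml(mac, output_length, alg)


def verify(xml_text: str, key: bytes, signed_octets: bytes, *, enforce_minimum: bool) -> bool:
    """enforce_minimum=False reproduces the pre-fix behaviour; True applies the erratum's floor."""
    alg, output_length, sig = parse_signature(xml_text)
    digest_fn = HMAC_ALGORITHMS[alg]
    if output_length is None:
        output_length = digest_fn().digest_size * 8
    if enforce_minimum and not output_length_allowed(output_length, alg):
        raise ValueError(f"HMACOutputLength {output_length} rejected for {alg}")
    mac = hmac.new(key, signed_octets, digest_fn).digest()
    # Pre-fix verifiers compared only the truncated prefix on both sides; with 1 bit that is a coin flip.
    return hmac.compare_digest(truncate_bits(mac, output_length), truncate_bits(sig, output_length))


def forge(output_length: int, key: bytes, signed_octets: bytes, *, enforce_minimum: bool):
    """Keyless attacker submits every one of the 2**output_length possible truncated tags.
    Returns the attempt number that was accepted, or None if the verifier rejected them all."""
    if output_length > 16:
        raise ValueError("keep the brute force small for the demo")
    nbytes = (output_length + 7) // 8
    for attempt, candidate in enumerate(range(1 << output_length), start=1):
        tag = (candidate << (nbytes * 8 - output_length)).to_bytes(nbytes, "big")
        try:
            if verify(make_signature_xml(tag, output_length), key, signed_octets, enforce_minimum=enforce_minimum):
                return attempt
        except ValueError:
            return None  # the fixed verifier refuses the length before comparing anything
    return None


if __name__ == "__main__":
    legit = sign(SHARED_KEY, SIGNED_INFO_OCTETS)
    print("full-length HMAC-SHA1 accepted:", verify(legit, SHARED_KEY, SIGNED_INFO_OCTETS, enforce_minimum=True))
    for bits in (0, 1, 8):
        vuln = forge(bits, SHARED_KEY, SIGNED_INFO_OCTETS, enforce_minimum=False)
        fixed = forge(bits, SHARED_KEY, SIGNED_INFO_OCTETS, enforce_minimum=True)
        print(f"HMACOutputLength={bits}: pre-fix verifier accepted forgery on attempt {vuln}; fixed verifier: {fixed}")
```

To check a deployed verifier for this issue, present it a signature whose SignatureMethod carries `<HMACOutputLength>1</HMACOutputLength>` (or 0) over a message it otherwise accepts; a fixed implementation rejects the length rather than comparing one bit. The erratum's floor still leaves 80-bit truncation legal for HMAC-SHA1, so a verifier that must interoperate with truncated signatures should treat any length below that floor, not only 1 or 0, as a forgery attempt worth logging.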
Copyright 2010, SecurityFocus