Title IETF and W3C XML Digital Signature Specification HMAC Truncation Authentication Bypass Vulnerability
Published 2009-07-14-12:00AM
Updated 2009-07-15-10:26PM
Class Design Error
CVE   CVE-2009-0217
Remote  Yes
Local  No
Credit  Thomas Roessler
Vulnerable  XML Security Library XML Security Library 1.2.11
Sun JRE 6.0 Update 7
Sun JRE 6.0 Update 6
Sun JRE 6.0 Update 5
Sun JRE 6.0 Update 4
Sun JRE 6.0 Update 3
Sun JRE 6.0 Update 2
Sun JRE 6.0 Update 14
Sun JRE 6.0 Update 13
Sun JRE 6.0 Update 12
Sun JRE 6.0 Update 11
Sun JRE 6.0 Update 10
Sun JRE 6.0 Update 1
Sun JDK 6.0 Update 7
Sun JDK 6.0 Update 6
Sun JDK 6.0 Update 5
Sun JDK 6.0 Update 4
Sun JDK 6.0 Update 3
Sun JDK 6.0 Update 2
Sun JDK 6.0 Update 14
Sun JDK 6.0 Update 13
Sun JDK 6.0 Update 11
Sun JDK 6.0 Update 10
Sun JDK 6.0 Update 1
Sun JDK 6.0
Oracle Weblogic Server 9.3 MP3
Oracle Weblogic Server 9.2
Oracle Weblogic Server 9.1 GA
Oracle Weblogic Server 9.0 GA
Oracle Weblogic Server 8.1 SP6
Oracle Weblogic Server 8.1
Oracle Weblogic Server 10.3
Oracle Weblogic Server 10.0 MP1
Oracle Oracle10g Application Server 10.1.3 .4.0
Oracle Oracle10g Application Server 10.1.3 .3.0
Oracle Oracle10g Application Server 10.1.3 .2.0
Oracle Oracle10g Application Server 10.1.2.3.0
Mono Mono 2.4.2 .1
Mono Mono 2.4.2
Mono Mono 2.0
Mono Mono 1.2.5 2
Mono Mono 1.2.5 1
Mono Mono 1.1.18
Mono Mono 1.1.17
Mono Mono 1.1.13
Mono Mono 1.1.4
Mono Mono 1.0.5
Mono Mono 1.0
Mono Mono 1.1.8.3
Mono Mono 1.1.17.1
Mono Mono 1.1.13.7
Mono Mono 1.1.13.6
Mono Mono 1.1.13.4
IBM Websphere Application Server 7.0 1
IBM Websphere Application Server 6.1 23
IBM Websphere Application Server 6.1 22
IBM Websphere Application Server 6.1 21
IBM Websphere Application Server 6.1 20
IBM Websphere Application Server 6.1 19
IBM Websphere Application Server 6.1 18
IBM Websphere Application Server 6.1 17
IBM Websphere Application Server 6.1 15
IBM Websphere Application Server 6.1 13
IBM Websphere Application Server 6.1 12
IBM Websphere Application Server 6.1 10
IBM Websphere Application Server 6.1 .9
IBM Websphere Application Server 6.1 .7
IBM Websphere Application Server 6.1 .6
IBM Websphere Application Server 6.1 .5
IBM Websphere Application Server 6.1 .3
IBM Websphere Application Server 6.1 .2
IBM Websphere Application Server 6.1 .14
IBM Websphere Application Server 6.1 .1
IBM Websphere Application Server 6.1
IBM Websphere Application Server 6.1
IBM Websphere Application Server 6.1
IBM Websphere Application Server 6.1
IBM Websphere Application Server 6.1
IBM Websphere Application Server 6.0.2 33
IBM Websphere Application Server 6.0.2 31
IBM Websphere Application Server 6.0.2 29
IBM Websphere Application Server 6.0.2 27
IBM Websphere Application Server 6.0.2 .9
IBM Websphere Application Server 6.0.2 .7
IBM Websphere Application Server 6.0.2 .5
IBM Websphere Application Server 6.0.2 .3
IBM Websphere Application Server 6.0.2 .25
IBM Websphere Application Server 6.0.2 .24
IBM Websphere Application Server 6.0.2 .23
IBM Websphere Application Server 6.0.2 .22
IBM Websphere Application Server 6.0.2 .13
IBM Websphere Application Server 6.0.2 .11
IBM Websphere Application Server 6.0.2 .1
IBM Websphere Application Server 6.0.2
IBM Websphere Application Server 6.0.2
IBM Websphere Application Server 6.0.2
IBM Websphere Application Server 6.0.2
IBM Websphere Application Server 6.0.2
IBM Websphere Application Server 6.0.1
IBM Websphere Application Server 6.0
IBM Websphere Application Server 7.0
IBM Websphere Application Server 6.0.2.19
IBM Websphere Application Server 6.0.2 Fix Pack 17
BEA Systems Weblogic Server 9.2.2
BEA Systems Weblogic Server 9.2.1
BEA Systems Weblogic Server 9.2
BEA Systems Weblogic Server 9.1
BEA Systems Weblogic Server 8.1.6
BEA Systems Weblogic Server 8.1.4
BEA Systems Weblogic Server 8.1 SP 6
BEA Systems Weblogic Server 8.1 SP 5
BEA Systems Weblogic Server 8.1 SP 4
BEA Systems Weblogic Server 8.1 SP 3
BEA Systems Weblogic Server 8.1 SP 2
BEA Systems Weblogic Server 8.1 SP 1
BEA Systems Weblogic Server 8.1
BEA Systems Weblogic Server 1.0 .1
BEA Systems Weblogic Server 1.0 .0
BEA Systems Weblogic Server 9.2 Maintenance Pack
BEA Systems Weblogic Server 9.2
BEA Systems Weblogic Server 9.1
BEA Systems Weblogic Server 9.1
BEA Systems Weblogic Server 9.0
BEA Systems Weblogic Server 8.1 SP6
BEA Systems Weblogic Server 8.1
BEA Systems Weblogic Server 10.3
BEA Systems Weblogic Server 10.3
BEA Systems Weblogic Server 10.0 MP1
BEA Systems Weblogic Server 10.0 Maintenance Pac
BEA Systems Weblogic Server 10.0
BEA Systems Weblogic Server 10.0
Apache Software Foundation XML Security 1.4.2
Apache Software Foundation XML Security 1.0.4
Not Vulnerable  XML Security Library XML Security Library 1.2.12
IBM Websphere Application Server 7.0 3
IBM Websphere Application Server 6.1 25
IBM Websphere Application Server 6.0.2 .35
Code  Attackers can exploit this vulnerability using readily available tools.
Copyright 2007, SecurityDot
Fri, 11 Dec 2009 22:06:52 +0000
