NVD

CVE-2009-0217 Detail

Modified

This CVE record has been updated after NVD enrichment efforts were completed. Enrichment data supplied by the NVD may require amendment due to these changes.

Current Description

The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.

View Analysis Description

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology

NIST: NVD

Base Score: 5.0 MEDIUM

Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161
http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161
http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7
http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7
http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7
http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7
http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html
http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html
http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html
http://marc.info/?l=bugtraq&m=125787273209737&w=2
http://marc.info/?l=bugtraq&m=125787273209737&w=2
http://marc.info/?l=bugtraq&m=125787273209737&w=2
http://marc.info/?l=bugtraq&m=125787273209737&w=2
http://osvdb.org/55895
http://osvdb.org/55895
http://osvdb.org/55907
http://osvdb.org/55907
http://secunia.com/advisories/34461
http://secunia.com/advisories/34461
http://secunia.com/advisories/35776	Vendor Advisory
http://secunia.com/advisories/35776	Vendor Advisory
http://secunia.com/advisories/35852	Vendor Advisory
http://secunia.com/advisories/35852	Vendor Advisory
http://secunia.com/advisories/35853	Vendor Advisory
http://secunia.com/advisories/35853	Vendor Advisory
http://secunia.com/advisories/35854	Vendor Advisory
http://secunia.com/advisories/35854	Vendor Advisory
http://secunia.com/advisories/35855	Vendor Advisory
http://secunia.com/advisories/35855	Vendor Advisory
http://secunia.com/advisories/35858	Vendor Advisory
http://secunia.com/advisories/35858	Vendor Advisory
http://secunia.com/advisories/36162	Vendor Advisory
http://secunia.com/advisories/36162	Vendor Advisory
http://secunia.com/advisories/36176	Vendor Advisory
http://secunia.com/advisories/36176	Vendor Advisory
http://secunia.com/advisories/36180	Vendor Advisory
http://secunia.com/advisories/36180	Vendor Advisory
http://secunia.com/advisories/36494	Vendor Advisory
http://secunia.com/advisories/36494	Vendor Advisory
http://secunia.com/advisories/37300
http://secunia.com/advisories/37300
http://secunia.com/advisories/37671
http://secunia.com/advisories/37671
http://secunia.com/advisories/37841
http://secunia.com/advisories/37841
http://secunia.com/advisories/38567
http://secunia.com/advisories/38567
http://secunia.com/advisories/38568
http://secunia.com/advisories/38568
http://secunia.com/advisories/38695
http://secunia.com/advisories/38695
http://secunia.com/advisories/38921
http://secunia.com/advisories/38921
http://secunia.com/advisories/41818
http://secunia.com/advisories/41818
http://secunia.com/advisories/60799
http://secunia.com/advisories/60799
http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1
http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-263429-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-263429-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269208-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269208-1
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020710.1-1
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020710.1-1
http://svn.apache.org/viewvc?revision=794013&view=revision
http://svn.apache.org/viewvc?revision=794013&view=revision
http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023545&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere	Patch Vendor Advisory
http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023545&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere	Patch Vendor Advisory
http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023723&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere	Patch Vendor Advisory
http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023723&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere	Patch Vendor Advisory
http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21384925	Patch Vendor Advisory
http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21384925	Patch Vendor Advisory
http://www.aleksey.com/xmlsec/
http://www.aleksey.com/xmlsec/
http://www.debian.org/security/2010/dsa-1995
http://www.debian.org/security/2010/dsa-1995
http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml
http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml
http://www.kb.cert.org/vuls/id/466161	US Government Resource
http://www.kb.cert.org/vuls/id/466161	US Government Resource
http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ
http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ
http://www.kb.cert.org/vuls/id/WDON-7TY529
http://www.kb.cert.org/vuls/id/WDON-7TY529
http://www.mandriva.com/security/advisories?name=MDVSA-2009:209
http://www.mandriva.com/security/advisories?name=MDVSA-2009:209
http://www.mono-project.com/Vulnerabilities	Vendor Advisory
http://www.mono-project.com/Vulnerabilities	Vendor Advisory
http://www.openoffice.org/security/cves/CVE-2009-0217.html
http://www.openoffice.org/security/cves/CVE-2009-0217.html
http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html
http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html
http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html
http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
http://www.redhat.com/support/errata/RHSA-2009-1694.html
http://www.redhat.com/support/errata/RHSA-2009-1694.html
http://www.securityfocus.com/bid/35671	Patch
http://www.securityfocus.com/bid/35671	Patch
http://www.securitytracker.com/id?1022561
http://www.securitytracker.com/id?1022561
http://www.securitytracker.com/id?1022567
http://www.securitytracker.com/id?1022567
http://www.securitytracker.com/id?1022661
http://www.securitytracker.com/id?1022661
http://www.ubuntu.com/usn/USN-903-1
http://www.ubuntu.com/usn/USN-903-1
http://www.us-cert.gov/cas/techalerts/TA09-294A.html	US Government Resource
http://www.us-cert.gov/cas/techalerts/TA09-294A.html	US Government Resource
http://www.us-cert.gov/cas/techalerts/TA10-159B.html	US Government Resource
http://www.us-cert.gov/cas/techalerts/TA10-159B.html	US Government Resource
http://www.vupen.com/english/advisories/2009/1900	Patch Vendor Advisory
http://www.vupen.com/english/advisories/2009/1900	Patch Vendor Advisory
http://www.vupen.com/english/advisories/2009/1908	Patch Vendor Advisory
http://www.vupen.com/english/advisories/2009/1908	Patch Vendor Advisory
http://www.vupen.com/english/advisories/2009/1909	Patch Vendor Advisory
http://www.vupen.com/english/advisories/2009/1909	Patch Vendor Advisory
http://www.vupen.com/english/advisories/2009/1911	Patch Vendor Advisory
http://www.vupen.com/english/advisories/2009/1911	Patch Vendor Advisory
http://www.vupen.com/english/advisories/2009/2543
http://www.vupen.com/english/advisories/2009/2543
http://www.vupen.com/english/advisories/2009/3122
http://www.vupen.com/english/advisories/2009/3122
http://www.vupen.com/english/advisories/2010/0366
http://www.vupen.com/english/advisories/2010/0366
http://www.vupen.com/english/advisories/2010/0635
http://www.vupen.com/english/advisories/2010/0635
http://www.w3.org/2008/06/xmldsigcore-errata.html#e03	Vendor Advisory
http://www.w3.org/2008/06/xmldsigcore-errata.html#e03	Vendor Advisory
http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html	Vendor Advisory
http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=511915
https://bugzilla.redhat.com/show_bug.cgi?id=511915
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-041
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-041
https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
https://issues.apache.org/bugzilla/show_bug.cgi?id=47527
https://issues.apache.org/bugzilla/show_bug.cgi?id=47527
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10186
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10186
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7158
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7158
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8717
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8717
https://rhn.redhat.com/errata/RHSA-2009-1200.html
https://rhn.redhat.com/errata/RHSA-2009-1200.html
https://rhn.redhat.com/errata/RHSA-2009-1201.html
https://rhn.redhat.com/errata/RHSA-2009-1201.html
https://rhn.redhat.com/errata/RHSA-2009-1428.html
https://rhn.redhat.com/errata/RHSA-2009-1428.html
https://rhn.redhat.com/errata/RHSA-2009-1636.html
https://rhn.redhat.com/errata/RHSA-2009-1636.html
https://rhn.redhat.com/errata/RHSA-2009-1637.html
https://rhn.redhat.com/errata/RHSA-2009-1637.html
https://rhn.redhat.com/errata/RHSA-2009-1649.html
https://rhn.redhat.com/errata/RHSA-2009-1649.html
https://rhn.redhat.com/errata/RHSA-2009-1650.html
https://rhn.redhat.com/errata/RHSA-2009-1650.html
https://usn.ubuntu.com/826-1/
https://usn.ubuntu.com/826-1/
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00494.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00494.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00505.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00505.html

Weakness Enumeration

CWE-ID	CWE Name	Source
NVD-CWE-Other	Other	NIST

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

7 change records found show changes

CVE Modified by CVE 11/20/2024 7:59:22 PM

Action	Type	New Value
Added	Reference	http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161
Added	Reference	http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7
Added	Reference	http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7
Added	Reference	http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html
Added	Reference	http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html
Added	Reference	http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html
Added	Reference	http://marc.info/?l=bugtraq&m=125787273209737&w=2
Added	Reference	http://marc.info/?l=bugtraq&m=125787273209737&w=2
Added	Reference	http://osvdb.org/55895
Added	Reference	http://osvdb.org/55907
Added	Reference	http://secunia.com/advisories/34461
Added	Reference	http://secunia.com/advisories/35776
Added	Reference	http://secunia.com/advisories/35852
Added	Reference	http://secunia.com/advisories/35853
Added	Reference	http://secunia.com/advisories/35854
Added	Reference	http://secunia.com/advisories/35855
Added	Reference	http://secunia.com/advisories/35858
Added	Reference	http://secunia.com/advisories/36162
Added	Reference	http://secunia.com/advisories/36176
Added	Reference	http://secunia.com/advisories/36180
Added	Reference	http://secunia.com/advisories/36494
Added	Reference	http://secunia.com/advisories/37300
Added	Reference	http://secunia.com/advisories/37671
Added	Reference	http://secunia.com/advisories/37841
Added	Reference	http://secunia.com/advisories/38567
Added	Reference	http://secunia.com/advisories/38568
Added	Reference	http://secunia.com/advisories/38695
Added	Reference	http://secunia.com/advisories/38921
Added	Reference	http://secunia.com/advisories/41818
Added	Reference	http://secunia.com/advisories/60799
Added	Reference	http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1
Added	Reference	http://sunsolve.sun.com/search/document.do?assetkey=1-66-263429-1
Added	Reference	http://sunsolve.sun.com/search/document.do?assetkey=1-66-269208-1
Added	Reference	http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020710.1-1
Added	Reference	http://svn.apache.org/viewvc?revision=794013&view=revision
Added	Reference	http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023545&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere
Added	Reference	http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023723&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere
Added	Reference	http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21384925
Added	Reference	http://www.aleksey.com/xmlsec/
Added	Reference	http://www.debian.org/security/2010/dsa-1995
Added	Reference	http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml
Added	Reference	http://www.kb.cert.org/vuls/id/466161
Added	Reference	http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ
Added	Reference	http://www.kb.cert.org/vuls/id/WDON-7TY529
Added	Reference	http://www.mandriva.com/security/advisories?name=MDVSA-2009:209
Added	Reference	http://www.mono-project.com/Vulnerabilities
Added	Reference	http://www.openoffice.org/security/cves/CVE-2009-0217.html
Added	Reference	http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html
Added	Reference	http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html
Added	Reference	http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
Added	Reference	http://www.redhat.com/support/errata/RHSA-2009-1694.html
Added	Reference	http://www.securityfocus.com/bid/35671
Added	Reference	http://www.securitytracker.com/id?1022561
Added	Reference	http://www.securitytracker.com/id?1022567
Added	Reference	http://www.securitytracker.com/id?1022661
Added	Reference	http://www.ubuntu.com/usn/USN-903-1
Added	Reference	http://www.us-cert.gov/cas/techalerts/TA09-294A.html
Added	Reference	http://www.us-cert.gov/cas/techalerts/TA10-159B.html
Added	Reference	http://www.vupen.com/english/advisories/2009/1900
Added	Reference	http://www.vupen.com/english/advisories/2009/1908
Added	Reference	http://www.vupen.com/english/advisories/2009/1909
Added	Reference	http://www.vupen.com/english/advisories/2009/1911
Added	Reference	http://www.vupen.com/english/advisories/2009/2543
Added	Reference	http://www.vupen.com/english/advisories/2009/3122
Added	Reference	http://www.vupen.com/english/advisories/2010/0366
Added	Reference	http://www.vupen.com/english/advisories/2010/0635
Added	Reference	http://www.w3.org/2008/06/xmldsigcore-errata.html#e03
Added	Reference	http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
Added	Reference	https://bugzilla.redhat.com/show_bug.cgi?id=511915
Added	Reference	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-041
Added	Reference	https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
Added	Reference	https://issues.apache.org/bugzilla/show_bug.cgi?id=47527
Added	Reference	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10186
Added	Reference	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7158
Added	Reference	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8717
Added	Reference	https://rhn.redhat.com/errata/RHSA-2009-1200.html
Added	Reference	https://rhn.redhat.com/errata/RHSA-2009-1201.html
Added	Reference	https://rhn.redhat.com/errata/RHSA-2009-1428.html
Added	Reference	https://rhn.redhat.com/errata/RHSA-2009-1636.html
Added	Reference	https://rhn.redhat.com/errata/RHSA-2009-1637.html
Added	Reference	https://rhn.redhat.com/errata/RHSA-2009-1649.html
Added	Reference	https://rhn.redhat.com/errata/RHSA-2009-1650.html
Added	Reference	https://usn.ubuntu.com/826-1/
Added	Reference	https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html
Added	Reference	https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html
Added	Reference	https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00494.html
Added	Reference	https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00505.html

CVE Modified by CERT/CC 9/28/2017 9:33:40 PM

Action	Type	Old Value	New Value
Added	Reference		https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10186 [No Types Assigned]
Added	Reference		https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7158 [No Types Assigned]
Added	Reference		https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8717 [No Types Assigned]
Removed	Reference	http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10186 [No Types Assigned]
Removed	Reference	http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:7158 [No Types Assigned]
Removed	Reference	http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:8717 [No Types Assigned]

Quick Info

CVE Dictionary Entry:
CVE-2009-0217
NVD Published Date:
07/14/2009
NVD Last Modified:
11/20/2024
Source:
CERT/CC

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database

National Vulnerability Database

CVE-2009-0217 Detail

Current Description

Analysis Description

Metrics

References to Advisories, Solutions, and Tools

Weakness Enumeration

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Change History

CVE Modified by CVE 11/20/2024 7:59:22 PM

CVE Modified by CERT/CC 5/13/2024 10:03:46 PM

CVE Modified by CERT/CC 10/12/2018 5:49:44 PM

CVE Modified by CERT/CC 10/03/2018 5:57:52 PM

CVE Modified by CERT/CC 9/28/2017 9:33:40 PM

CVE Modified by CERT/CC 11/13/2014 9:59:23 PM

Initial CVE Analysis 7/15/2009 9:22:00 AM

Quick Info