

Title IETF and W3C XML Digital Signature Specification HMAC Truncation Authentication Bypass Vulnerability
Published 2009-07-14-12:00AM
Updated 2009-07-15-10:26PM
Class Design Error
CVE   CVE-2009-0217
Remote  Yes
Local  No
Credit  Thomas Roessler
Vulnerable  XML Security Library XML Security Library 1.2.11
Sun JRE 6.0 Update 7
Sun JRE 6.0 Update 6
Sun JRE 6.0 Update 5
Sun JRE 6.0 Update 4
Sun JRE 6.0 Update 3
Sun JRE 6.0 Update 2
Sun JRE 6.0 Update 14
Sun JRE 6.0 Update 13
Sun JRE 6.0 Update 12
Sun JRE 6.0 Update 11
Sun JRE 6.0 Update 10
Sun JRE 6.0 Update 1
Sun JDK 6.0 Update 7
Sun JDK 6.0 Update 6
Sun JDK 6.0 Update 5
Sun JDK 6.0 Update 4
Sun JDK 6.0 Update 3
Sun JDK 6.0 Update 2
Sun JDK 6.0 Update 14
Sun JDK 6.0 Update 13
Sun JDK 6.0 Update 11
Sun JDK 6.0 Update 10
Sun JDK 6.0 Update 1
Sun JDK 6.0
Oracle Weblogic Server 9.3 MP3
Oracle Weblogic Server 9.2
Oracle Weblogic Server 9.1 GA
Oracle Weblogic Server 9.0 GA
Oracle Weblogic Server 8.1 SP6
Oracle Weblogic Server 8.1
Oracle Weblogic Server 10.3
Oracle Weblogic Server 10.0 MP1
Oracle Oracle10g Application Server 10.1.3 .4.0
Oracle Oracle10g Application Server 10.1.3 .3.0
Oracle Oracle10g Application Server 10.1.3 .2.0
Oracle Oracle10g Application Server 10.1.2.3.0
Mono Mono 2.4.2 .1
Mono Mono 2.4.2
Mono Mono 2.0
Mono Mono 1.2.5 2
Mono Mono 1.2.5 1
Mono Mono 1.1.18
Mono Mono 1.1.17
Mono Mono 1.1.13
Mono Mono 1.1.4
Mono Mono 1.0.5
Mono Mono 1.0
Mono Mono 1.1.8.3
Mono Mono 1.1.17.1
Mono Mono 1.1.13.7
Mono Mono 1.1.13.6
Mono Mono 1.1.13.4
IBM Websphere Application Server 7.0 1
IBM Websphere Application Server 6.1 23
IBM Websphere Application Server 6.1 22
IBM Websphere Application Server 6.1 21
IBM Websphere Application Server 6.1 20
IBM Websphere Application Server 6.1 19
IBM Websphere Application Server 6.1 18
IBM Websphere Application Server 6.1 17
IBM Websphere Application Server 6.1 15
IBM Websphere Application Server 6.1 13
IBM Websphere Application Server 6.1 12
IBM Websphere Application Server 6.1 10
IBM Websphere Application Server 6.1 .9
IBM Websphere Application Server 6.1 .7
IBM Websphere Application Server 6.1 .6
IBM Websphere Application Server 6.1 .5
IBM Websphere Application Server 6.1 .3
IBM Websphere Application Server 6.1 .2
IBM Websphere Application Server 6.1 .14
IBM Websphere Application Server 6.1 .1
IBM Websphere Application Server 6.1
IBM Websphere Application Server 6.0.2 33
IBM Websphere Application Server 6.0.2 31
IBM Websphere Application Server 6.0.2 29
IBM Websphere Application Server 6.0.2 27
IBM Websphere Application Server 6.0.2 .9
IBM Websphere Application Server 6.0.2 .7
IBM Websphere Application Server 6.0.2 .5
IBM Websphere Application Server 6.0.2 .3
IBM Websphere Application Server 6.0.2 .25
IBM Websphere Application Server 6.0.2 .24
IBM Websphere Application Server 6.0.2 .23
IBM Websphere Application Server 6.0.2 .22
IBM Websphere Application Server 6.0.2 .13
IBM Websphere Application Server 6.0.2 .11
IBM Websphere Application Server 6.0.2 .1
IBM Websphere Application Server 6.0.2
IBM Websphere Application Server 6.0.1
IBM Websphere Application Server 6.0
IBM Websphere Application Server 7.0
IBM Websphere Application Server 6.0.2.19
IBM Websphere Application Server 6.0.2 Fix Pack 17
BEA Systems Weblogic Server 9.2.2
BEA Systems Weblogic Server 9.2.1
BEA Systems Weblogic Server 9.2
BEA Systems Weblogic Server 9.1
BEA Systems Weblogic Server 8.1.6
BEA Systems Weblogic Server 8.1.4
BEA Systems Weblogic Server 8.1 SP 6
BEA Systems Weblogic Server 8.1 SP 5
BEA Systems Weblogic Server 8.1 SP 4
BEA Systems Weblogic Server 8.1 SP 3
BEA Systems Weblogic Server 8.1 SP 2
BEA Systems Weblogic Server 8.1 SP 1
BEA Systems Weblogic Server 8.1
BEA Systems Weblogic Server 1.0 .1
BEA Systems Weblogic Server 1.0 .0
BEA Systems Weblogic Server 9.2 Maintenance Pack
BEA Systems Weblogic Server 9.0
BEA Systems Weblogic Server 8.1 SP6
BEA Systems Weblogic Server 10.3
BEA Systems Weblogic Server 10.0 MP1
BEA Systems Weblogic Server 10.0 Maintenance Pac
BEA Systems Weblogic Server 10.0
Apache Software Foundation XML Security 1.4.2
Apache Software Foundation XML Security 1.0.4
Not Vulnerable  XML Security Library XML Security Library 1.2.12
IBM Websphere Application Server 7.0 3
IBM Websphere Application Server 6.1 25
IBM Websphere Application Server 6.0.2 .35
Code  Attackers can exploit this vulnerability using readily available tools.

Copyright 2007, SecurityDot
Thu, 17 Dec 2009 17:00:13 +0000
