Vulnerability Details : CVE-2009-0217
The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.
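The flaw is easy to misread from the description alone: the attacker does not recover the HMAC key, they simply choose the truncation length. HMACOutputLength lives inside ds:SignedInfo, which the attacker controls when forging, and a verifier that honours any value will compare only HMACOutputLength // 8 bytes of MAC. With HMACOutputLength=1 that is zero bytes, so every SignatureValue verifies; with 8 it is one byte, so at most 256 guesses are needed. The following is an added example, not code from any product listed on this page, and it is written as a toy verifier: the ds:SignedInfo fragments, the key and the reference digest are constructed inline, and canonicalisation is stubbed (the literal bytes of the fragment are MACed instead of its C14N form), which is enough to show the truncation logic. The hardened check applies the RFC 2104 section 5 rule that a truncated HMAC must be at least half the digest length and never shorter than 80 bits, which is what the W3C erratum in the references requires implementations to enforce.

```python
"""Toy XMLDSig HMAC verifier showing the HMACOutputLength flaw (CVE-2009-0217).

Added example; not code from any product named on this page. XML, key and digest
value are constructed here, and C14N is stubbed (raw fragment bytes are MACed).
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
HMAC_SHA1 = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
SHA1_BITS = 160


class InvalidTruncation(ValueError):
    """Raised by the hardened verifier when HMACOutputLength is unacceptable."""


def signed_info(output_length=None):
    """Build a constructed <ds:SignedInfo>, optionally carrying an HMACOutputLength."""
    hol = "" if output_length is None else f"<ds:HMACOutputLength>{output_length}</ds:HMACOutputLength>"
    digest = base64.b64encode(b"\x00" * 20).decode()  # placeholder reference digest
    return (
        f'<ds:SignedInfo xmlns:ds="{DS}">'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
        f'<ds:SignatureMethod Algorithm="{HMAC_SHA1}">{hol}</ds:SignatureMethod>'
        '<ds:Reference URI="#assertion">'
        '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
        f'<ds:DigestValue>{digest}</ds:DigestValue></ds:Reference>'
        "</ds:SignedInfo>"
    )


def parse_signed_info(xml_text):
    """Return (SignatureMethod Algorithm, HMACOutputLength or None)."""
    method = ET.fromstring(xml_text).find(f"{{{DS}}}SignatureMethod")
    hol = method.find(f"{{{DS}}}HMACOutputLength")
    return method.get("Algorithm"), (None if hol is None else int(hol.text.strip()))


def sign(key, xml_text):
    """Legitimate signer: full 160-bit HMAC-SHA1 over the (stub-canonicalised) SignedInfo."""
    return base64.b64encode(hmac.new(key, xml_text.encode(), hashlib.sha1).digest()).decode()


def verify_vulnerable(key, xml_text, signature_value_b64):
    """Pre-fix behaviour: truncate to HMACOutputLength // 8 bytes, whatever the value.
    HMACOutputLength=1 gives zero bytes, so b"" == b"" and any SignatureValue passes."""
    algo, hol = parse_signed_info(xml_text)
    if algo != HMAC_SHA1:
        return False
    expected = hmac.new(key, xml_text.encode(), hashlib.sha1).digest()
    if hol is not None:
        expected = expected[: hol // 8]
    presented = base64.b64decode(signature_value_b64)
    return hmac.compare_digest(expected, presented[: len(expected)])


def check_output_length(hol, digest_bits):
    """Return the effective MAC length in bits, or raise InvalidTruncation.
    Rule (RFC 2104 s.5): whole bytes, at least half the digest, at least 80 bits,
    and never longer than the digest itself."""
    if hol is None:
        return digest_bits
    minimum = max(digest_bits // 2, 80)
    if hol % 8 != 0 or hol < minimum or hol > digest_bits:
        raise InvalidTruncation(f"HMACOutputLength {hol} rejected (allowed {minimum}..{digest_bits}, multiple of 8)")
    return hol


def verify_hardened(key, xml_text, signature_value_b64):
    """Post-fix behaviour: validate the truncation length before comparing anything."""
    algo, hol = parse_signed_info(xml_text)
    if algo != HMAC_SHA1:
        return False
    bits = check_output_length(hol, SHA1_BITS)
    expected = hmac.new(key, xml_text.encode(), hashlib.sha1).digest()[: bits // 8]
    presented = base64.b64decode(signature_value_b64)
    return len(presented) == len(expected) and hmac.compare_digest(expected, presented)


def demo():
    key = b"server-side shared secret the attacker does not know"  # constructed
    results = {}
    legit = signed_info()
    results["legit_vulnerable"] = verify_vulnerable(key, legit, sign(key, legit))
    results["legit_hardened"] = verify_hardened(key, legit, sign(key, legit))
    # Attacker-controlled SignedInfo claiming a 1-bit MAC, with an arbitrary SignatureValue.
    forged = signed_info(1)
    bogus = base64.b64encode(b"\x00").decode()
    results["forged_vulnerable"] = verify_vulnerable(key, forged, bogus)
    try:
        results["forged_hardened"] = verify_hardened(key, forged, bogus)
    except InvalidTruncation:
        results["forged_hardened"] = False
    # With 8 bits the attacker needs at most 256 attempts against the vulnerable verifier.
    forged8, attempts = signed_info(8), 0
    for guess in range(256):
        attempts += 1
        if verify_vulnerable(key, forged8, base64.b64encode(bytes([guess])).decode()):
            break
    results["forged8_attempts"] = attempts
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points carry over to real deployments. First, the length check must run before any MAC comparison and must reject rather than clamp, because a verifier that silently rounds 1 up to 8 still leaves a 256-guess forgery. Second, the same reasoning applies to any format that lets the signer declare its own MAC length (truncated HMAC in JOSE or WS-Security profiles, for example): the verifier, not the message, decides the minimum.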
Products affected by CVE-2009-0217
- cpe:2.3:a:ibm:websphere_application_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.15:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.19:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.17:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.22:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.23:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2:*:fp17:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.24:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.25:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.15:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.11:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.9:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.32:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.17:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.30:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.31:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.22:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.28:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.29:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.21:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.13:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.12:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.21:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:7.0.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.14:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.16:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.33:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.23:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.18:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.20:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_server:10.1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_server:10.1.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_server:10.1.4.3im:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:bea_product_suite:10.0:mp1:*:*:*:*:*:*
- cpe:2.3:a:oracle:bea_product_suite:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:bea_product_suite:9.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:bea_product_suite:9.2:mp3:*:*:*:*:*:*
- cpe:2.3:a:oracle:bea_product_suite:8.1:sp6:*:*:*:*:*:*
- cpe:2.3:a:oracle:bea_product_suite:10.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server_component:8.1:sp6:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server_component:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server_component:9.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server_component:9.2:mp3:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server_component:10.0:mp1:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server_component:10.3:*:*:*:*:*:*:*
- cpe:2.3:a:mono_project:mono:1.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:mono_project:mono:1.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:mono_project:mono:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:mono_project:mono:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:mono_project:mono:1.9:*:*:*:*:*:*:*
- cpe:2.3:a:mono_project:mono:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:mono_project:mono:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:mono_project:mono:2.0:*:*:*:*:*:*:*
Threat overview for CVE-2009-0217
Top countries where our scanners detected CVE-2009-0217
Top open port discovered on systems with this issue: 9080 (the default HTTP port of WebSphere Application Server, consistent with the WebSphere entries in the product list above)
IPs affected by CVE-2009-0217: 1,613
Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2009-0217
EPSS score: 97.04% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~100% (the proportion of all scored vulnerabilities with an EPSS score at or below this one)
CVSS scores for CVE-2009-0217
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST |

This is a CVSS v2 vector; the page carries no v3 score. The integrity-only rating (C:N/I:P/A:N) reflects the signature forgery itself; where the forged XMLDSig signature protects an authentication token, the description's "bypass authentication" is the practical outcome.
References for CVE-2009-0217
- http://www.securitytracker.com/id?1022661
- http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html (SUSE Security Announcement: OpenOffice.org)
- http://www.securityfocus.com/bid/35671 [Patch]
- http://www.vupen.com/english/advisories/2009/1908 [Patch; Vendor Advisory]
- https://bugzilla.redhat.com/show_bug.cgi?id=511915 (Red Hat Bugzilla 511915: CVE-2009-0217 xmlsec1, mono, xml-security-c, xml-security-1.3.0-1jpp.ep1.*: XMLDsig HMAC-based signatures spoofing and authentication bypass)
- https://issues.apache.org/bugzilla/show_bug.cgi?id=47527 (Apache Bugzilla 47527: XML signature HMAC truncation authentication bypass)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7158 (OVAL definition 7158)
- http://www.vupen.com/english/advisories/2010/0635
- http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7 (xmlsec fix commit)
- http://www.securitytracker.com/id?1022567
- http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html (Oracle Critical Patch Update, October 2009)
- http://marc.info/?l=bugtraq&m=125787273209737&w=2 ([security bulletin] HPSBUX02476 SSRT090250 rev.1 - HP-UX Running Java, Remote Increase in Privilege)
- http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161 (Sun security blog entry on CERT VU#466161)
- http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023723&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere [Patch; Vendor Advisory]
- http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21384925 (Possible security exposure with XML digital signature with IBM WebSphere Application Server (PK80596 and PK80627)) [Patch; Vendor Advisory]
- https://rhn.redhat.com/errata/RHSA-2009-1650.html
- https://rhn.redhat.com/errata/RHSA-2009-1637.html
- http://www.kb.cert.org/vuls/id/466161 (VU#466161: XML signature HMAC truncation authentication bypass) [US Government Resource]
- http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html
- http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1
- https://rhn.redhat.com/errata/RHSA-2009-1649.html (RHSA-2009:1649)
- http://www.vupen.com/english/advisories/2009/2543
- http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html (Oracle Critical Patch Update, October 2010)
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:209
- http://www.vupen.com/english/advisories/2010/0366
- http://www.vupen.com/english/advisories/2009/1909 [Patch; Vendor Advisory]
- http://www.us-cert.gov/cas/techalerts/TA10-159B.html (TA10-159B: Microsoft Updates for Multiple Vulnerabilities) [US Government Resource]
- http://svn.apache.org/viewvc?revision=794013&view=revision (Apache SVN revision 794013)
- https://usn.ubuntu.com/826-1/ (USN-826-1)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10186 (OVAL definition 10186)
- http://www.mono-project.com/Vulnerabilities (Mono vulnerabilities page) [Vendor Advisory]
- http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ (VU#466161: XML signature HMAC truncation authentication bypass)
- http://www.securitytracker.com/id?1022561
- http://www.vupen.com/english/advisories/2009/3122
- http://www.kb.cert.org/vuls/id/WDON-7TY529 (VU#466161: XML signature HMAC truncation authentication bypass)
- http://www.us-cert.gov/cas/techalerts/TA09-294A.html (TA09-294A: Oracle Updates for Multiple Vulnerabilities) [US Government Resource]
- http://www.aleksey.com/xmlsec/ (XML Security Library)
- http://www.redhat.com/support/errata/RHSA-2009-1694.html
- http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html (Oracle Critical Patch Update, July 2009)
- http://www.openoffice.org/security/cves/CVE-2009-0217.html (OpenOffice.org CVE-2009-0217)
- http://www.vupen.com/english/advisories/2009/1911 [Patch; Vendor Advisory]
- https://issues.apache.org/bugzilla/show_bug.cgi?id=47526 (Apache Bugzilla 47526: XML signature HMAC truncation authentication bypass)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8717 (OVAL definition 8717)
- https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html ([SECURITY] Fedora 10 Update: java-1.6.0-openjdk-1.6.0.0-20.b16.fc10)
- http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html (W3C blog: HMAC truncation in XML Signature: When Alice didn't look) [Vendor Advisory]
- http://www.ubuntu.com/usn/USN-903-1 (USN-903-1: OpenOffice.org vulnerabilities)
- http://www.vupen.com/english/advisories/2009/1900 [Patch; Vendor Advisory]
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-269208-1
- https://rhn.redhat.com/errata/RHSA-2009-1201.html (RHSA-2009:1201)
- https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00505.html ([SECURITY] Fedora 11 Update: xmlsec1-1.2.12-1.fc11)
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-041 (Microsoft Security Bulletin MS10-041 - Important)
- http://www.w3.org/2008/06/xmldsigcore-errata.html#e03 (Errata for XML Signature 2nd Edition, E03) [Vendor Advisory]
- http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023545&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere (PK80596: Possible security exposure with XML digital signature) [Patch; Vendor Advisory]
- http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7 (xmlsec fix as a patch)
- https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html ([SECURITY] Fedora 11 Update: java-1.6.0-openjdk-1.6.0.0-27.b16.fc11)
- https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00494.html ([SECURITY] Fedora 10 Update: xmlsec1-1.2.12-1.fc10)
- http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html (SUSE Security Announcement: IBM Java 6 (SUSE-SA:2009:053))
- http://www.debian.org/security/2010/dsa-1995 (DSA-1995-1 openoffice.org)
- https://rhn.redhat.com/errata/RHSA-2009-1200.html (RHSA-2009:1200)
- https://rhn.redhat.com/errata/RHSA-2009-1636.html
- http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020710.1-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-263429-1
- https://rhn.redhat.com/errata/RHSA-2009-1428.html (RHSA-2009:1428)
- http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml (GLSA 201408-19: OpenOffice, LibreOffice: Multiple vulnerabilities)