Bug 511915 (CVE-2009-0217)

Summary: CVE-2009-0217 xmlsec1, mono, xml-security-c, xml-security-1.3.0-1jpp.ep1.*: XMLDsig HMAC-based signatures spoofing and authentication bypass
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: alexl, antti.andreimann, aph, cperry, dbhole, fnasser, kreilly, mjc, mschoene, mvadkert, osoukup, paul, rcvalle, rruss, vdanen, veillard
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://www.kb.cert.org/vuls/id/466161
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-04-03 19:49:40 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 513078, 513443, 513444, 515682, 515683, 516722, 516723, 516724, 516725, 521225, 521226, 549685, 549686, 554295, 694167, 833995
Bug Blocks: 715020

Attachments:
  patch from debian's 1.2.1-3+etch1 release (DSA-1849-1) (flags: none)
  patch from debian's 1.4.0-3+lenny2 release (DSA-1849-1) (flags: none)

Description Jan Lieskovsky 2009-07-15 16:33:48 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0217 to
the following vulnerability:

The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits. 

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0217
http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
http://www.kb.cert.org/vuls/id/466161
http://secunia.com/advisories/35855/2/
https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
http://www.w3.org/2008/06/xmldsigcore-errata.html#e03
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html


References from US-CERT's VU#466161:
-------------------------------------
http://www.w3.org/2008/06/xmldsigcore-errata.html#e03
http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
http://www.rsa.com/blog/blog_entry.aspx?id=1492
http://www.w3.org/TR/xmldsig-core/
http://www.w3.org/TR/xmldsig-core/#sec-HMAC
http://tools.ietf.org/html/rfc2104#section-5
http://www.oasis-open.org/specs/index.php#wss
http://www.w3.org/2000/xp/Group/
http://msdn.microsoft.com/en-us/library/ms996502.aspx
http://www.ibm.com/support/docview.wss?rs=180&uid=swg21384925
http://santuario.apache.org/download.html
http://www.mono-project.com/Vulnerabilities
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html
http://www.aleksey.com/xmlsec/downloads.html

Credit:
-------
Thomas Roessler of the W3C
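
The flaw described above is a verifier that honours any HMACOutputLength, including one so short that the truncated comparison is effectively no check at all. The following is an added example (not code from xmlsec1, Mono, Apache XML Security, or this bug's attachments) of a verifier that applies the W3C XMLDsig erratum E03 rule before comparing: the requested length must be at least 80 bits and at least half the underlying hash output, otherwise the signature is rejected as invalid. The ds: element names and namespace are XMLDsig's; the key, the minimal SignedInfo builder and the rejection of non-byte-aligned lengths are constructed for this demo.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
HMAC_SHA1 = DS_NS + "hmac-sha1"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
HMAC_ALGS = {HMAC_SHA1: "sha1", HMAC_SHA256: "sha256"}  # algorithm URI -> hashlib name

class InvalidTruncation(ValueError):
    """HMACOutputLength is outside what XMLDsig erratum E03 allows."""

def allowed_bits(signed_info_xml):
    """Return (hashlib name, leftmost HMAC bits to compare) for a SignedInfo.

    Erratum E03: a requested HMACOutputLength below 80 bits or below half the
    hash output must be rejected as an error, not treated as a shorter valid
    signature. Non-byte-aligned lengths are also rejected here purely to keep
    this demo simple (an assumption of the example, not a rule of the spec).
    """
    method = ET.fromstring(signed_info_xml).find(f"{{{DS_NS}}}SignatureMethod")
    hash_name = HMAC_ALGS[method.get("Algorithm")]      # unknown URI -> KeyError
    full_bits = hashlib.new(hash_name).digest_size * 8
    node = method.find(f"{{{DS_NS}}}HMACOutputLength")
    if node is None:
        return hash_name, full_bits                     # no truncation requested
    requested = int(node.text.strip())
    if requested < max(80, full_bits // 2) or requested > full_bits or requested % 8:
        raise InvalidTruncation(f"HMACOutputLength={requested} rejected for {hash_name}")
    return hash_name, requested

def truncated_hmac(signed_info_xml, key):
    """HMAC over the canonical (C14N) SignedInfo, cut to the validated length."""
    hash_name, bits = allowed_bits(signed_info_xml)
    canonical = ET.canonicalize(xml_data=signed_info_xml).encode()
    return hmac.new(key, canonical, hash_name).digest()[: bits // 8]

def verify(signed_info_xml, key, signature_value):
    """True only if the length rule passes and the truncated MACs match."""
    expected = truncated_hmac(signed_info_xml, key)     # raises InvalidTruncation
    return len(signature_value) == len(expected) and hmac.compare_digest(
        expected, signature_value)

def make_signed_info(output_length=None, algorithm=HMAC_SHA1):
    """Constructed minimal SignedInfo for the demo, not a real document."""
    trunc = ("" if output_length is None
             else f"<ds:HMACOutputLength>{output_length}</ds:HMACOutputLength>")
    return (f'<ds:SignedInfo xmlns:ds="{DS_NS}">'
            f'<ds:SignatureMethod Algorithm="{algorithm}">{trunc}</ds:SignatureMethod>'
            "</ds:SignedInfo>")
```

A document asking for an 8-bit HMAC-SHA1 output, or an 80-bit HMAC-SHA256 output (below half of 256), is refused before any comparison takes place; an unspecified length falls back to the full digest.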

Comment 3 Marc Schoenefeld 2009-07-21 09:22:56 UTC
Patch and reproducer for Apache XML Security (Java): 
http://svn.apache.org/viewvc?view=rev&revision=794013

Comment 5 Antti Andreimann 2009-07-28 15:43:04 UTC
xml-security project has released version 1.5.1 of its C library.
I have updated the xml-security-c package in rawhide. If koji build is successful on all platforms I'll upgrade it on older branches as well.

Comment 6 Fedora Update System 2009-07-29 22:57:52 UTC
xml-security-c-1.5.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2009-07-31 17:59:15 UTC
xml-security-c-1.5.1-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2009-07-31 18:04:41 UTC
xml-security-c-1.5.1-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Vincent Danen 2009-08-02 19:43:40 UTC
Created attachment 355945 [details]
patch from debian's 1.2.1-3+etch1 release (DSA-1849-1)

Comment 10 Vincent Danen 2009-08-02 19:46:33 UTC
Created attachment 355946 [details]
patch from debian's 1.4.0-3+lenny2 release (DSA-1849-1)

Comment 12 errata-xmlrpc 2009-08-06 20:41:56 UTC
This issue has been addressed in the following products:

  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1200 https://rhn.redhat.com/errata/RHSA-2009-1200.html

Comment 13 errata-xmlrpc 2009-08-06 21:14:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1201 https://rhn.redhat.com/errata/RHSA-2009-1201.html

Comment 14 Fedora Update System 2009-08-07 04:58:58 UTC
java-1.6.0-openjdk-1.6.0.0-27.b16.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2009-08-07 05:01:41 UTC
java-1.6.0-openjdk-1.6.0.0-20.b16.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Jan Lieskovsky 2009-08-11 12:39:10 UTC
Hello Paul,

  I can see rawhide Mono update:
    http://koji.fedoraproject.org/koji/buildinfo?buildID=114947

  fixing CVE-2009-0217, but no relevant F10, F11, EPEL Mono updates
addressing this issue. Could you schedule them - either apply the
fix or upgrade to latest Mono upstream version also for F10, F11
and EPEL-5?

Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Comment 20 Fedora Update System 2009-08-11 13:22:35 UTC
xmlsec1-1.2.12-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/xmlsec1-1.2.12-1.fc11

Comment 21 Fedora Update System 2009-08-11 13:23:52 UTC
xmlsec1-1.2.12-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/xmlsec1-1.2.12-1.fc10

Comment 22 Fedora Update System 2009-08-11 22:31:36 UTC
xmlsec1-1.2.12-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2009-08-11 22:33:01 UTC
xmlsec1-1.2.12-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 errata-xmlrpc 2009-09-08 15:48:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1428 https://rhn.redhat.com/errata/RHSA-2009-1428.html

Comment 26 errata-xmlrpc 2009-12-09 23:14:06 UTC
This issue has been addressed in the following products:

  JBEAP 4.3.0 for RHEL 4

Via RHSA-2009:1636 https://rhn.redhat.com/errata/RHSA-2009-1636.html

Comment 27 errata-xmlrpc 2009-12-09 23:32:19 UTC
This issue has been addressed in the following products:

  JBEAP 4.2.0 for RHEL 4

Via RHSA-2009:1637 https://rhn.redhat.com/errata/RHSA-2009-1637.html

Comment 28 errata-xmlrpc 2009-12-09 23:51:51 UTC
This issue has been addressed in the following products:

  JBEAP 4.3.0 for RHEL 5

Via RHSA-2009:1649 https://rhn.redhat.com/errata/RHSA-2009-1649.html

Comment 29 errata-xmlrpc 2009-12-10 00:03:51 UTC
This issue has been addressed in the following products:

  JBEAP 4.2.0 for RHEL 5

Via RHSA-2009:1650 https://rhn.redhat.com/errata/RHSA-2009-1650.html

Comment 31 errata-xmlrpc 2009-12-23 17:34:06 UTC
This issue has been addressed in the following products:

  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1694 https://rhn.redhat.com/errata/RHSA-2009-1694.html

Comment 33 errata-xmlrpc 2010-01-14 16:32:26 UTC
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.3

Via RHSA-2010:0043 https://rhn.redhat.com/errata/RHSA-2010-0043.html

Comment 39 Josh Bressers 2011-04-06 16:28:48 UTC
Created xml-security-c tracking bugs for this issue

Affects: fedora-rawhide [bug 513078]

Comment 40 Josh Bressers 2011-04-06 16:28:53 UTC
Created mono tracking bugs for this issue

Affects: epel-5 [bug 694167]

Comment 42 Ramon de C Valle 2011-11-23 15:27:13 UTC
*** Bug 715014 has been marked as a duplicate of this bug. ***

Comment 43 Ramon de C Valle 2011-11-23 15:29:51 UTC
*** Bug 715020 has been marked as a duplicate of this bug. ***