Bug 511915 (CVE-2009-0217) - CVE-2009-0217 xmlsec1, mono, xml-security-c, xml-security-1.3.0-1jpp.ep1.*: XMLDsig HMAC-based signatures spoofing and authentication bypass
Summary: CVE-2009-0217 xmlsec1, mono, xml-security-c, xml-security-1.3.0-1jpp.ep1.*: X...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-0217
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://www.kb.cert.org/vuls/id/466161
Whiteboard: public=20090714,reported=20090709,sou...
Duplicates: 715014
Depends On: 513078 513443 513444 515682 515683 516722 516723 516724 516725 521225 521226 549685 549686 554295 694167 833995
Blocks: 715020
Reported: 2009-07-15 16:33 UTC by Jan Lieskovsky
Modified: 2019-06-08 12:47 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-03 19:49:40 UTC


Attachments
patch from debian's 1.2.1-3+etch1 release (DSA-1849-1) (2.23 KB, patch)
2009-08-02 19:43 UTC, Vincent Danen
patch from debian's 1.4.0-3+lenny2 release (DSA-1849-1) (1.49 KB, patch)
2009-08-02 19:46 UTC, Vincent Danen


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1200 normal SHIPPED_LIVE Critical: java-1.6.0-sun security update 2009-08-06 20:41:36 UTC
Red Hat Bugzilla 715014 None None None 2019-06-05 15:07:35 UTC
Red Hat Product Errata RHSA-2009:1201 normal SHIPPED_LIVE Important: java-1.6.0-openjdk security and bug fix update 2009-08-06 21:14:44 UTC
Red Hat Product Errata RHSA-2009:1428 normal SHIPPED_LIVE Moderate: xmlsec1 security update 2009-09-08 15:47:51 UTC
Red Hat Product Errata RHSA-2009:1636 normal SHIPPED_LIVE Moderate: JBoss Enterprise Application Platform 4.3.0.CP07 update 2009-12-09 23:14:02 UTC
Red Hat Product Errata RHSA-2009:1637 normal SHIPPED_LIVE Moderate: JBoss Enterprise Application Platform 4.2.0.CP08 update 2009-12-09 23:32:14 UTC
Red Hat Product Errata RHSA-2009:1649 normal SHIPPED_LIVE Moderate: JBoss Enterprise Application Platform 4.3.0.CP07 update 2009-12-09 23:51:47 UTC
Red Hat Product Errata RHSA-2009:1650 normal SHIPPED_LIVE Moderate: JBoss Enterprise Application Platform 4.2.0.CP08 update 2009-12-10 00:03:48 UTC
Red Hat Product Errata RHSA-2009:1694 normal SHIPPED_LIVE Critical: java-1.6.0-ibm security update 2009-12-23 17:33:56 UTC
Red Hat Product Errata RHSA-2010:0043 normal SHIPPED_LIVE Low: Red Hat Network Satellite Server IBM Java Runtime security update 2010-01-14 16:32:02 UTC

Internal Links: 715014

Description Jan Lieskovsky 2009-07-15 16:33:48 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0217 to
the following vulnerability:

The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits. 

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0217
http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
http://www.kb.cert.org/vuls/id/466161
http://secunia.com/advisories/35855/2/
https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
http://www.w3.org/2008/06/xmldsigcore-errata.html#e03
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html


References from US-CERT's VU#466161:
-------------------------------------
http://www.w3.org/2008/06/xmldsigcore-errata.html#e03
http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
http://www.rsa.com/blog/blog_entry.aspx?id=1492
http://www.w3.org/TR/xmldsig-core/
http://www.w3.org/TR/xmldsig-core/#sec-HMAC
http://tools.ietf.org/html/rfc2104#section-5
http://www.oasis-open.org/specs/index.php#wss
http://www.w3.org/2000/xp/Group/
http://msdn.microsoft.com/en-us/library/ms996502.aspx
http://www.ibm.com/support/docview.wss?rs=180&uid=swg21384925
http://santuario.apache.org/download.html
http://www.mono-project.com/Vulnerabilities
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html
http://www.aleksey.com/xmlsec/downloads.html

Credit:
-------
Thomas Roessler of the W3C
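
The description above is the whole of the vulnerability: the verifier trusts a signer-supplied HMACOutputLength and compares only that many leading bits of the HMAC, so a length of 0 or 8 bits makes almost any SignatureValue match. The following is an added example (not code from xmlsec1, Mono, Apache Santuario or any other product named on this page) that models just the HMAC truncation step of XMLDsig verification in Python: a pre-fix verifier that honours any length, and a fixed verifier that enforces the floor from RFC 2104 section 5 (at least half the hash output and never fewer than 80 bits), which is the check the W3C erratum asks implementations to add. Canonicalisation, XML parsing and key management are out of scope; the key and messages are constructed sample values.

```python
"""Model of XMLDsig HMACOutputLength handling before and after CVE-2009-0217.

Added example, not code from any product on the page. Only the truncated-HMAC
comparison is modelled; XML parsing and canonicalisation are assumed done.
"""
import hashlib
import hmac
import secrets

# RFC 2104 section 5: a truncated HMAC must keep at least half the hash output
# and never fewer than 80 bits. This is the floor a fixed verifier enforces.
MIN_HMAC_OUTPUT_BITS = 80


def leftmost_bits(data: bytes, nbits: int) -> bytes:
    """Return the leftmost nbits of data, zeroing unused low bits of the last byte."""
    nbytes = (nbits + 7) // 8
    out = bytearray(data[:nbytes])
    spare = nbytes * 8 - nbits  # low-order bits of the last byte that are not kept
    if spare and out:
        out[-1] &= (0xFF << spare) & 0xFF
    return bytes(out)


def truncated_hmac(key: bytes, data: bytes, out_bits: int, digest: str = "sha1") -> bytes:
    """HMAC over data, truncated to out_bits the way HMACOutputLength truncates."""
    return leftmost_bits(hmac.new(key, data, digest).digest(), out_bits)


def minimum_output_length(digest: str = "sha1") -> int:
    """Smallest HMACOutputLength the RFC 2104 rule allows for this hash."""
    full_bits = hashlib.new(digest).digest_size * 8
    return max(MIN_HMAC_OUTPUT_BITS, full_bits // 2)


def _compare_truncated(key, data, signature_value, out_bits, digest):
    expected = truncated_hmac(key, data, out_bits, digest)
    presented = leftmost_bits(signature_value, out_bits)
    return hmac.compare_digest(expected, presented)


def verify_vulnerable(key, data, signature_value, hmac_output_length, digest="sha1"):
    """Pre-fix behaviour: any HMACOutputLength is honoured, including 0."""
    return _compare_truncated(key, data, signature_value, hmac_output_length, digest)


def verify_fixed(key, data, signature_value, hmac_output_length, digest="sha1"):
    """Post-fix behaviour: reject lengths below the RFC 2104 floor or above the hash size."""
    full_bits = hashlib.new(digest).digest_size * 8
    floor = minimum_output_length(digest)
    if not floor <= hmac_output_length <= full_bits:
        # Fail closed: a bad parameter is a rejected signature, not a warning.
        raise ValueError(
            f"HMACOutputLength {hmac_output_length} outside [{floor}, {full_bits}]"
        )
    return _compare_truncated(key, data, signature_value, hmac_output_length, digest)


def demo():
    """Constructed walk-through: returns (legit_ok, zero_length_accepted_by_old, old_rejected_by_new)."""
    key = secrets.token_bytes(20)  # constructed shared secret for the demo only
    signed = b"<Assertion>constructed sample content</Assertion>"
    tampered = b"<Assertion>constructed tampered content</Assertion>"
    legit_sig = truncated_hmac(key, signed, 160)

    legit_ok = verify_fixed(key, signed, legit_sig, 160)
    # Old verifier with HMACOutputLength=0 compares zero bits and accepts an empty SignatureValue.
    zero_accepted = verify_vulnerable(key, tampered, b"", 0)
    try:
        verify_fixed(key, tampered, b"", 0)
        rejected = False
    except ValueError:
        rejected = True
    return legit_ok, zero_accepted, rejected


if __name__ == "__main__":
    print(demo())
```

The check is deliberately placed before the comparison and raises rather than returning False, so a caller cannot confuse "parameter rejected" with "signature mismatch" and so a zero-length comparison can never run. The floor is derived from the hash in use, which is why the example generalises beyond the SHA-1 case: for HMAC-SHA256 the minimum becomes 128 bits rather than 80.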

Comment 3 Marc Schoenefeld 2009-07-21 09:22:56 UTC
Patch and reproducer for Apache XML Security (Java): 
http://svn.apache.org/viewvc?view=rev&revision=794013

Comment 5 Antti Andreimann 2009-07-28 15:43:04 UTC
The xml-security project has released version 1.5.1 of its C library.
I have updated the xml-security-c package in rawhide. If the koji build is successful on all platforms, I'll upgrade it on older branches as well.

Comment 6 Fedora Update System 2009-07-29 22:57:52 UTC
xml-security-c-1.5.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2009-07-31 17:59:15 UTC
xml-security-c-1.5.1-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2009-07-31 18:04:41 UTC
xml-security-c-1.5.1-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Vincent Danen 2009-08-02 19:43:40 UTC
Created attachment 355945 [details]
patch from debian's 1.2.1-3+etch1 release (DSA-1849-1)

Comment 10 Vincent Danen 2009-08-02 19:46:33 UTC
Created attachment 355946 [details]
patch from debian's 1.4.0-3+lenny2 release (DSA-1849-1)

Comment 12 errata-xmlrpc 2009-08-06 20:41:56 UTC
This issue has been addressed in the following products:

  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1200 https://rhn.redhat.com/errata/RHSA-2009-1200.html

Comment 13 errata-xmlrpc 2009-08-06 21:14:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1201 https://rhn.redhat.com/errata/RHSA-2009-1201.html

Comment 14 Fedora Update System 2009-08-07 04:58:58 UTC
java-1.6.0-openjdk-1.6.0.0-27.b16.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2009-08-07 05:01:41 UTC
java-1.6.0-openjdk-1.6.0.0-20.b16.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Jan Lieskovsky 2009-08-11 12:39:10 UTC
Hello Paul,

  I can see the rawhide Mono update:
    http://koji.fedoraproject.org/koji/buildinfo?buildID=114947

  fixing CVE-2009-0217, but no relevant F10, F11, EPEL Mono updates
addressing this issue. Could you schedule them - either apply the
fix or upgrade to latest Mono upstream version also for F10, F11
and EPEL-5?

Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Comment 20 Fedora Update System 2009-08-11 13:22:35 UTC
xmlsec1-1.2.12-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/xmlsec1-1.2.12-1.fc11

Comment 21 Fedora Update System 2009-08-11 13:23:52 UTC
xmlsec1-1.2.12-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/xmlsec1-1.2.12-1.fc10

Comment 22 Fedora Update System 2009-08-11 22:31:36 UTC
xmlsec1-1.2.12-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2009-08-11 22:33:01 UTC
xmlsec1-1.2.12-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 errata-xmlrpc 2009-09-08 15:48:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1428 https://rhn.redhat.com/errata/RHSA-2009-1428.html

Comment 26 errata-xmlrpc 2009-12-09 23:14:06 UTC
This issue has been addressed in the following products:

  JBEAP 4.3.0 for RHEL 4

Via RHSA-2009:1636 https://rhn.redhat.com/errata/RHSA-2009-1636.html

Comment 27 errata-xmlrpc 2009-12-09 23:32:19 UTC
This issue has been addressed in the following products:

  JBEAP 4.2.0 for RHEL 4

Via RHSA-2009:1637 https://rhn.redhat.com/errata/RHSA-2009-1637.html

Comment 28 errata-xmlrpc 2009-12-09 23:51:51 UTC
This issue has been addressed in the following products:

  JBEAP 4.3.0 for RHEL 5

Via RHSA-2009:1649 https://rhn.redhat.com/errata/RHSA-2009-1649.html

Comment 29 errata-xmlrpc 2009-12-10 00:03:51 UTC
This issue has been addressed in the following products:

  JBEAP 4.2.0 for RHEL 5

Via RHSA-2009:1650 https://rhn.redhat.com/errata/RHSA-2009-1650.html

Comment 31 errata-xmlrpc 2009-12-23 17:34:06 UTC
This issue has been addressed in the following products:

  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1694 https://rhn.redhat.com/errata/RHSA-2009-1694.html

Comment 33 errata-xmlrpc 2010-01-14 16:32:26 UTC
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.3

Via RHSA-2010:0043 https://rhn.redhat.com/errata/RHSA-2010-0043.html

Comment 39 Josh Bressers 2011-04-06 16:28:48 UTC
Created xml-security-c tracking bugs for this issue

Affects: fedora-rawhide [bug 513078]

Comment 40 Josh Bressers 2011-04-06 16:28:53 UTC
Created mono tracking bugs for this issue

Affects: epel-5 [bug 694167]

Comment 42 Ramon de C Valle 2011-11-23 15:27:13 UTC
*** Bug 715014 has been marked as a duplicate of this bug. ***

Comment 43 Ramon de C Valle 2011-11-23 15:29:51 UTC
*** Bug 715020 has been marked as a duplicate of this bug. ***
