Bug 511915 - (CVE-2009-0217) CVE-2009-0217 xmlsec1, mono, xml-security-c, xml-security-1.3.0-1jpp.ep1.*: XMLDsig HMAC-based signatures spoofing and authentication bypass
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
http://www.kb.cert.org/vuls/id/466161
public=20090714,reported=20090709,sou...
Keywords: Security
Duplicates: 715014
Depends On: 694167 513078 513443 513444 515682 515683 516722 516723 516724 516725 521225 521226 549685 549686 554295 833995
Blocks: 715020
Reported: 2009-07-15 12:33 EDT by Jan Lieskovsky
Modified: 2013-04-03 15:49 EDT (History)
Doc Type: Bug Fix
Attachments
patch from debian's 1.2.1-3+etch1 release (DSA-1849-1) (2.23 KB, patch) - 2009-08-02 15:43 EDT, Vincent Danen
patch from debian's 1.4.0-3+lenny2 release (DSA-1849-1) (1.49 KB, patch) - 2009-08-02 15:46 EDT, Vincent Danen
Description Jan Lieskovsky 2009-07-15 12:33:48 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0217 to
the following vulnerability:

The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits. 

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0217
http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
http://www.kb.cert.org/vuls/id/466161
http://secunia.com/advisories/35855/2/
https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
http://www.w3.org/2008/06/xmldsigcore-errata.html#e03
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html


References from US-CERT's VU#466161:
-------------------------------------
http://www.w3.org/2008/06/xmldsigcore-errata.html#e03
http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
http://www.rsa.com/blog/blog_entry.aspx?id=1492
http://www.w3.org/TR/xmldsig-core/
http://www.w3.org/TR/xmldsig-core/#sec-HMAC
http://tools.ietf.org/html/rfc2104#section-5
http://www.oasis-open.org/specs/index.php#wss
http://www.w3.org/2000/xp/Group/
http://msdn.microsoft.com/en-us/library/ms996502.aspx
http://www.ibm.com/support/docview.wss?rs=180&uid=swg21384925
http://santuario.apache.org/download.html
http://www.mono-project.com/Vulnerabilities
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html
http://www.aleksey.com/xmlsec/downloads.html

Credit:
-------
Thomas Roessler of the W3C
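The CVE text above describes the root cause: a verifier honours the HMACOutputLength parameter with no lower bound. The following added example (my own code, not from xmlsec1, Mono or Apache Santuario) shows a minimal verifier in its pre-fix form beside a hardened form that enforces the RFC 2104 section 5 floor (at least half of the hash output and never fewer than 80 bits, the rule XMLDsig erratum E03 adopted). The key, data and SignatureMethod element are constructed; requiring a byte-aligned length is a simplification of my own.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: a SignatureMethod asking for the HMAC-SHA1 tag to be
# truncated to 8 bits. In a real document this sits inside SignedInfo.
SAMPLE_SIGNATURE_METHOD = (
    '<SignatureMethod xmlns="http://www.w3.org/2000/09/xmldsig#" '
    'Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">'
    '<HMACOutputLength>8</HMACOutputLength></SignatureMethod>'
)
KEY = b"constructed-demo-key"      # constructed shared secret
DATA = b"<SignedInfo>demo</SignedInfo>"  # constructed canonicalised input


def parse_hmac_output_length(signature_method_xml):
    """Return the requested HMACOutputLength in bits, or None if absent."""
    root = ET.fromstring(signature_method_xml)
    elem = root.find("{%s}HMACOutputLength" % DSIG_NS)
    return None if elem is None or elem.text is None else int(elem.text.strip())


def minimum_output_length_bits(hash_name):
    """RFC 2104 section 5 floor: half the hash output, but never under 80 bits."""
    full_bits = hashlib.new(hash_name).digest_size * 8
    return max(80, full_bits // 2)


def compute_tag(key, data, hash_name):
    """Full (untruncated) HMAC tag the signer would produce."""
    return hmac.new(key, data, hash_name).digest()


def verify_hmac_vulnerable(key, data, signature_value, hash_name, output_length_bits):
    """Pre-fix behaviour: the requested length is honoured without any floor,
    so 8 bits leaves one byte to compare and 0 bits leaves nothing at all."""
    mac = compute_tag(key, data, hash_name)
    if output_length_bits is not None:
        mac = mac[: output_length_bits // 8]
    return hmac.compare_digest(mac, signature_value)


def verify_hmac_fixed(key, data, signature_value, hash_name, output_length_bits):
    """Hardened verifier: refuse lengths below the floor, above the digest,
    or not byte-aligned (the alignment rule is an assumed simplification)."""
    mac = compute_tag(key, data, hash_name)
    if output_length_bits is not None:
        if (output_length_bits % 8 != 0
                or output_length_bits < minimum_output_length_bits(hash_name)
                or output_length_bits > len(mac) * 8):
            return False
        mac = mac[: output_length_bits // 8]
    return hmac.compare_digest(mac, signature_value)
```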
Comment 3 Marc Schoenefeld 2009-07-21 05:22:56 EDT
Patch and reproducer for Apache XML Security (Java): 
http://svn.apache.org/viewvc?view=rev&revision=794013
Comment 5 Antti Andreimann 2009-07-28 11:43:04 EDT
xml-security project has released version 1.5.1 of its C library.
I have updated the xml-security-c package in rawhide. If the koji build is successful on all platforms I'll upgrade it on older branches as well.
Comment 6 Fedora Update System 2009-07-29 18:57:52 EDT
xml-security-c-1.5.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2009-07-31 13:59:15 EDT
xml-security-c-1.5.1-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2009-07-31 14:04:41 EDT
xml-security-c-1.5.1-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Vincent Danen 2009-08-02 15:43:40 EDT
Created attachment 355945 [details]
patch from debian's 1.2.1-3+etch1 release (DSA-1849-1)
Comment 10 Vincent Danen 2009-08-02 15:46:33 EDT
Created attachment 355946 [details]
patch from debian's 1.4.0-3+lenny2 release (DSA-1849-1)
Comment 12 errata-xmlrpc 2009-08-06 16:41:56 EDT
This issue has been addressed in following products:

  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1200 https://rhn.redhat.com/errata/RHSA-2009-1200.html
Comment 13 errata-xmlrpc 2009-08-06 17:14:47 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1201 https://rhn.redhat.com/errata/RHSA-2009-1201.html
Comment 14 Fedora Update System 2009-08-07 00:58:58 EDT
java-1.6.0-openjdk-1.6.0.0-27.b16.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2009-08-07 01:01:41 EDT
java-1.6.0-openjdk-1.6.0.0-20.b16.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Jan Lieskovsky 2009-08-11 08:39:10 EDT
Hello Paul,

  I can see rawhide Mono update:
    http://koji.fedoraproject.org/koji/buildinfo?buildID=114947

  fixing CVE-2009-0217, but no relevant F10, F11, EPEL Mono updates
addressing this issue. Could you schedule them - either apply the
fix or upgrade to latest Mono upstream version also for F10, F11
and EPEL-5?

Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 20 Fedora Update System 2009-08-11 09:22:35 EDT
xmlsec1-1.2.12-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/xmlsec1-1.2.12-1.fc11
Comment 21 Fedora Update System 2009-08-11 09:23:52 EDT
xmlsec1-1.2.12-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/xmlsec1-1.2.12-1.fc10
Comment 22 Fedora Update System 2009-08-11 18:31:36 EDT
xmlsec1-1.2.12-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 Fedora Update System 2009-08-11 18:33:01 EDT
xmlsec1-1.2.12-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 25 errata-xmlrpc 2009-09-08 11:48:04 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1428 https://rhn.redhat.com/errata/RHSA-2009-1428.html
Comment 26 errata-xmlrpc 2009-12-09 18:14:06 EST
This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 4

Via RHSA-2009:1636 https://rhn.redhat.com/errata/RHSA-2009-1636.html
Comment 27 errata-xmlrpc 2009-12-09 18:32:19 EST
This issue has been addressed in following products:

  JBEAP 4.2.0 for RHEL 4

Via RHSA-2009:1637 https://rhn.redhat.com/errata/RHSA-2009-1637.html
Comment 28 errata-xmlrpc 2009-12-09 18:51:51 EST
This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 5

Via RHSA-2009:1649 https://rhn.redhat.com/errata/RHSA-2009-1649.html
Comment 29 errata-xmlrpc 2009-12-09 19:03:51 EST
This issue has been addressed in following products:

  JBEAP 4.2.0 for RHEL 5

Via RHSA-2009:1650 https://rhn.redhat.com/errata/RHSA-2009-1650.html
Comment 31 errata-xmlrpc 2009-12-23 12:34:06 EST
This issue has been addressed in following products:

  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1694 https://rhn.redhat.com/errata/RHSA-2009-1694.html
Comment 33 errata-xmlrpc 2010-01-14 11:32:26 EST
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.3

Via RHSA-2010:0043 https://rhn.redhat.com/errata/RHSA-2010-0043.html
Comment 39 Josh Bressers 2011-04-06 12:28:48 EDT
Created xml-security-c tracking bugs for this issue

Affects: fedora-rawhide [bug 513078]
Comment 40 Josh Bressers 2011-04-06 12:28:53 EDT
Created mono tracking bugs for this issue

Affects: epel-5 [bug 694167]
Comment 42 Ramon de C Valle 2011-11-23 10:27:13 EST
*** Bug 715014 has been marked as a duplicate of this bug. ***
Comment 43 Ramon de C Valle 2011-11-23 10:29:51 EST
*** Bug 715020 has been marked as a duplicate of this bug. ***