Description
The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.
Remediation
References
http://www.kb.cert.org/vuls/id/466161
http://www.w3.org/2008/06/xmldsigcore-errata.html#e03
http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
http://www.aleksey.com/xmlsec/
http://www.mono-project.com/Vulnerabilities
http://www.vupen.com/english/advisories/2009/1911
https://issues.apache.org/bugzilla/show_bug.cgi?id=47527
http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21384925
http://www.securitytracker.com/id?1022561
http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023545&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere
http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023723&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere
http://www.vupen.com/english/advisories/2009/1908
http://osvdb.org/55895
http://secunia.com/advisories/35776
http://www.vupen.com/english/advisories/2009/1900
http://osvdb.org/55907
http://www.securitytracker.com/id?1022567
http://secunia.com/advisories/35855
http://secunia.com/advisories/35853
http://secunia.com/advisories/35854
http://secunia.com/advisories/35858
http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ
http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161
http://www.kb.cert.org/vuls/id/WDON-7TY529
http://sunsolve.sun.com/search/document.do?assetkey=1-66-263429-1
http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1
http://www.securityfocus.com/bid/35671
https://rhn.redhat.com/errata/RHSA-2009-1201.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
http://secunia.com/advisories/36180
https://rhn.redhat.com/errata/RHSA-2009-1200.html
http://www.vupen.com/english/advisories/2009/1909
http://www.securitytracker.com/id?1022661
http://secunia.com/advisories/36162
http://secunia.com/advisories/35852
http://secunia.com/advisories/36176
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00494.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00505.html
http://www.mandriva.com/security/advisories?name=MDVSA-2009:209
http://secunia.com/advisories/36494
http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html
http://www.vupen.com/english/advisories/2009/2543
http://www.us-cert.gov/cas/techalerts/TA09-294A.html
http://www.vupen.com/english/advisories/2009/3122
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269208-1
http://marc.info/?l=bugtraq&m=125787273209737&w=2
http://secunia.com/advisories/37300
http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7
https://rhn.redhat.com/errata/RHSA-2009-1428.html
http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7
http://svn.apache.org/viewvc?revision=794013&view=revision
https://rhn.redhat.com/errata/RHSA-2009-1649.html
https://rhn.redhat.com/errata/RHSA-2009-1637.html
https://bugzilla.redhat.com/show_bug.cgi?id=511915
https://rhn.redhat.com/errata/RHSA-2009-1636.html
http://secunia.com/advisories/37671
https://rhn.redhat.com/errata/RHSA-2009-1650.html
http://secunia.com/advisories/37841
http://www.redhat.com/support/errata/RHSA-2009-1694.html
http://secunia.com/advisories/38567
http://secunia.com/advisories/38568
http://www.vupen.com/english/advisories/2010/0366
http://www.debian.org/security/2010/dsa-1995
http://www.openoffice.org/security/cves/CVE-2009-0217.html
http://secunia.com/advisories/38695
http://www.ubuntu.com/usn/USN-903-1
http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html
http://secunia.com/advisories/38921
http://www.vupen.com/english/advisories/2010/0635
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020710.1-1
http://www.us-cert.gov/cas/techalerts/TA10-159B.html
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html
http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html
http://secunia.com/advisories/34461
http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml
http://secunia.com/advisories/60799
http://secunia.com/advisories/41818
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8717
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7158
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10186
https://usn.ubuntu.com/826-1/
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-041
Related Vulnerabilities
CVE-2014-3630 Vulnerability in maven package com.typesafe.play:play_2.11
CVE-2023-34053 Vulnerability in maven package org.springframework:spring-web
CVE-2020-2273 Vulnerability in maven package org.jenkins-ci.plugins:elastestv
CVE-2019-10411 Vulnerability in maven package com.inedo.buildmaster:inedo-buildmaster
CVE-2023-33265 Vulnerability in maven package com.hazelcast:hazelcast-enterprise