Description
The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.
Remediation
References
http://www.kb.cert.org/vuls/id/466161
http://www.w3.org/2008/06/xmldsigcore-errata.html#e03
http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
http://www.aleksey.com/xmlsec/
http://www.mono-project.com/Vulnerabilities
http://www.vupen.com/english/advisories/2009/1911
https://issues.apache.org/bugzilla/show_bug.cgi?id=47527
http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21384925
http://www.securitytracker.com/id?1022561
http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023545&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere
http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023723&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere
http://www.vupen.com/english/advisories/2009/1908
http://osvdb.org/55895
http://secunia.com/advisories/35776
http://www.vupen.com/english/advisories/2009/1900
http://osvdb.org/55907
http://www.securitytracker.com/id?1022567
http://secunia.com/advisories/35855
http://secunia.com/advisories/35853
http://secunia.com/advisories/35854
http://secunia.com/advisories/35858
http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ
http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161
http://www.kb.cert.org/vuls/id/WDON-7TY529
http://sunsolve.sun.com/search/document.do?assetkey=1-66-263429-1
http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1
http://www.securityfocus.com/bid/35671
https://rhn.redhat.com/errata/RHSA-2009-1201.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
http://secunia.com/advisories/36180
https://rhn.redhat.com/errata/RHSA-2009-1200.html
http://www.vupen.com/english/advisories/2009/1909
http://www.securitytracker.com/id?1022661
http://secunia.com/advisories/36162
http://secunia.com/advisories/35852
http://secunia.com/advisories/36176
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00494.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00505.html
http://www.mandriva.com/security/advisories?name=MDVSA-2009:209
http://secunia.com/advisories/36494
http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html
http://www.vupen.com/english/advisories/2009/2543
http://www.us-cert.gov/cas/techalerts/TA09-294A.html
http://www.vupen.com/english/advisories/2009/3122
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269208-1
http://marc.info/?l=bugtraq&m=125787273209737&w=2
http://secunia.com/advisories/37300
http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7
https://rhn.redhat.com/errata/RHSA-2009-1428.html
http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7
http://svn.apache.org/viewvc?revision=794013&view=revision
https://rhn.redhat.com/errata/RHSA-2009-1649.html
https://rhn.redhat.com/errata/RHSA-2009-1637.html
https://bugzilla.redhat.com/show_bug.cgi?id=511915
https://rhn.redhat.com/errata/RHSA-2009-1636.html
http://secunia.com/advisories/37671
https://rhn.redhat.com/errata/RHSA-2009-1650.html
http://secunia.com/advisories/37841
http://www.redhat.com/support/errata/RHSA-2009-1694.html
http://secunia.com/advisories/38567
http://secunia.com/advisories/38568
http://www.vupen.com/english/advisories/2010/0366
http://www.debian.org/security/2010/dsa-1995
http://www.openoffice.org/security/cves/CVE-2009-0217.html
http://secunia.com/advisories/38695
http://www.ubuntu.com/usn/USN-903-1
http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html
http://secunia.com/advisories/38921
http://www.vupen.com/english/advisories/2010/0635
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020710.1-1
http://www.us-cert.gov/cas/techalerts/TA10-159B.html
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html
http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html
http://secunia.com/advisories/34461
http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml
http://secunia.com/advisories/60799
http://secunia.com/advisories/41818
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8717
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7158
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10186
https://usn.ubuntu.com/826-1/
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-041
Related Vulnerabilities
CVE-2022-34783 Vulnerability in maven package org.jenkins-ci.plugins:plot
CVE-2014-0075 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core
CVE-2012-2379 Vulnerability in maven package org.apache.cxf:cxf-bundle-minimal
CVE-2021-21620 Vulnerability in maven package org.jenkins-ci.plugins:claim
CVE-2016-6815 Vulnerability in maven package org.apache.ranger:ranger-kafka-plugin