PT-2009-6690 · Oracle+6 · Sun Jdk/Jre+8
Scott Cantor · Published 1970-01-01 · Updated 2022-05-02 · CVE-2009-0217
CVSS v2.0: 5.0 (Medium)
| Vector | AV:N/AC:L/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
XML Security Library versions prior to 1.2.12
Mono versions prior to 2.4.2.2
IBM WebSphere Application Server versions prior to 6.0.2.33, 6.1.0.23, and 7.0.0.1
Oracle Application Server versions 10.1.2.3, 10.1.3.4, and 10.1.4.3IM
Oracle WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6
Microsoft .NET Framework versions 3.0 through 3.0 SP2, 3.5, and 4.0
Sun JDK and JRE Update 14 and earlier
Description
The vulnerability stems from the W3C XML Signature Syntax and Processing recommendation, whose HMAC signature method lets the signer specify a truncation length for the MAC. Implementations that honour a truncation length of only a small number of bits allow attackers to spoof HMAC-based signatures and bypass authentication, because a very short truncated value can be matched by guessing rather than by knowing the key. This can lead to tampering with protected data and disruption of protected information. The vulnerability can be exploited remotely.
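As an added illustration of the verification-side check this class of issue calls for (example code written for this page, not code from any of the vendors listed), the verifier below parses a ds:SignatureMethod, rejects HMACOutputLength values below a floor, and only then compares the truncated MAC; the floor (at least 80 bits and at least half the digest) and the helper names are assumptions of this example.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
HMAC_SHA1 = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
# Algorithm URI -> hash constructor (a small subset, enough for this example).
HMAC_ALGORITHMS = {HMAC_SHA1: hashlib.sha1, HMAC_SHA256: hashlib.sha256}

def signature_method_xml(alg_uri, bits=None):
    """Build a ds:SignatureMethod element, optionally with HMACOutputLength (constructed input)."""
    inner = f"<HMACOutputLength>{bits}</HMACOutputLength>" if bits is not None else ""
    return f'<SignatureMethod xmlns="{DS_NS}" Algorithm="{alg_uri}">{inner}</SignatureMethod>'

def minimum_output_bits(digest_bits):
    # Truncation floor assumed for this example (the rule later adopted by the
    # XML Signature erratum): keep at least 80 bits and at least half the hash output.
    return max(80, digest_bits // 2)

def truncated_hmac(key, data, alg_uri, bits=None):
    """HMAC of data, keeping only the leftmost `bits` bits (None = full digest)."""
    mac = hmac.new(key, data, HMAC_ALGORITHMS[alg_uri]).digest()
    if bits is None:
        return mac
    full_bytes, rem = divmod(bits, 8)
    mac = mac[:full_bytes + (1 if rem else 0)]
    if rem:  # clear the unused low-order bits of the final partial byte
        mac = mac[:-1] + bytes([mac[-1] & (0xFF << (8 - rem)) & 0xFF])
    return mac

def verify_hmac_signature(signature_method, key, signed_info, signature_value):
    """True only if SignatureValue matches and any HMACOutputLength is long enough to resist guessing."""
    elem = ET.fromstring(signature_method)
    alg_uri = elem.get("Algorithm")
    if alg_uri not in HMAC_ALGORITHMS:
        return False
    digest_bits = HMAC_ALGORITHMS[alg_uri]().digest_size * 8
    length_elem = elem.find(f"{{{DS_NS}}}HMACOutputLength")
    bits = None
    if length_elem is not None:
        bits = int(length_elem.text.strip())
        # The CVE-2009-0217 check: a tiny truncation length lets a forged value match by chance.
        if bits < minimum_output_bits(digest_bits) or bits > digest_bits:
            return False
    expected = truncated_hmac(key, signed_info, alg_uri, bits)
    return hmac.compare_digest(expected, signature_value)
```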
Recommendations
For XML Security Library versions prior to 1.2.12, update to version 1.2.12 or later.
For Mono versions prior to 2.4.2.2, update to version 2.4.2.2 or later.
For IBM WebSphere Application Server versions prior to 6.0.2.33, 6.1.0.23, and 7.0.0.1, update to the latest version.
For Oracle Application Server versions 10.1.2.3, 10.1.3.4, and 10.1.4.3IM, update to the latest version.
For Oracle WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6, update to the latest version.
For Microsoft .NET Framework versions 3.0 through 3.0 SP2, 3.5, and 4.0, update to the latest version.
For Sun JDK and JRE Update 14 and earlier, update to the latest version.
As a temporary workaround, consider restricting access to HMAC-based signature methods until a patch is available.
Fix
Authentication Bypass by Spoofing
Weakness Enumeration
Related Identifiers
Affected Products
.Net Framework
Hp-Ux
Ibm Websphere Application Server
Mono
Oracle Application Server
Oracle Weblogic Server
Red Hat
Sun Jdk/Jre
Xml Security Library