The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.
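The missing minimum-length check described above, as an added example that is not part of this record or of any listed vendor's code: a minimal XMLDsig HMAC verifier that reads HMACOutputLength from a constructed ds:SignedInfo fragment, rejects lengths below an assumed policy (at least 80 bits and at least half the digest size, the rule the patched libraries adopted), and only then does a constant-time comparison over the truncated width. The helper names and the byte-aligned truncation are assumptions of this example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def minimum_output_length(hash_bits: int) -> int:
    # Assumed verifier policy (the rule later adopted by XMLDsig 1.1 and by
    # patched libraries): at least 80 bits and at least half the digest size.
    return max(80, hash_bits // 2)


def output_length_allowed(length_bits: int, hash_bits: int) -> bool:
    # Reject lengths below the minimum, above the digest, or not byte-aligned
    # (byte alignment is a simplification of the spec, assumed here).
    return (minimum_output_length(hash_bits) <= length_bits <= hash_bits
            and length_bits % 8 == 0)


def parse_hmac_output_length(signed_info_xml: str):
    # Return HMACOutputLength from a ds:SignedInfo fragment, or None if absent.
    root = ET.fromstring(signed_info_xml)
    el = root.find(".//{%s}HMACOutputLength" % DS_NS)
    return int(el.text.strip()) if el is not None and el.text else None


def sign_truncated(key: bytes, data: bytes, length_bits: int, digest: str = "sha1") -> bytes:
    # Legitimate signer: HMAC over the canonicalized SignedInfo, truncated to length_bits.
    return hmac.new(key, data, digest).digest()[: length_bits // 8]


def verify_truncated_hmac(key: bytes, data: bytes, signature_value: bytes,
                          signed_info_xml: str, digest: str = "sha1") -> bool:
    # Verifier with the missing minimum-length check in place. Raises on a
    # policy violation so a rejected length is never reported as a plain bad MAC.
    hash_bits = hashlib.new(digest).digest_size * 8
    length_bits = parse_hmac_output_length(signed_info_xml)
    if length_bits is None:
        length_bits = hash_bits  # no truncation requested
    if not output_length_allowed(length_bits, hash_bits):
        raise ValueError("rejecting HMACOutputLength=%d for %s" % (length_bits, digest))
    expected = sign_truncated(key, data, length_bits, digest)
    # Compare the full truncated width in constant time; a shorter
    # SignatureValue never matches, whatever its leading bytes are.
    return len(signature_value) == len(expected) and hmac.compare_digest(expected, signature_value)


def signed_info(length_bits: int) -> str:
    # Constructed ds:SignedInfo fragment (not taken from any real document).
    return ('<SignedInfo xmlns="%s"><SignatureMethod Algorithm="%shmac-sha1">'
            '<HMACOutputLength>%d</HMACOutputLength></SignatureMethod></SignedInfo>'
            % (DS_NS, DS_NS, length_bits))
```

With the policy check removed, `HMACOutputLength` of 8 would reduce the comparison to a single byte, which is the condition the record describes.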
Advisories
ID | Title
---|---
DSA-1849-1 | New xml-security-c packages fix signature forgery
DSA-1995-1 | New openoffice.org packages fix several vulnerabilities
GHSA-8hfm-837h-hjg5 | Apache XML Security For Java vulnerable to authentication bypass by HMAC truncation
USN-814-1 | OpenJDK vulnerabilities
USN-826-1 | Mono vulnerabilities
USN-903-1 | OpenOffice.org vulnerabilities
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
History
No history.

Status: PUBLISHED
Assigner: certcc
Published:
Updated: 2024-08-07T04:24:18.400Z
Reserved: 2009-01-20T00:00:00
Link: CVE-2009-0217
Status : Deferred
Published: 2009-07-14T23:30:00.187
Modified: 2025-04-09T00:30:58.490
Link: CVE-2009-0217