The MessageDigest.isEqual function in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to spoof HMAC-based digital signatures, and possibly bypass authentication, via unspecified vectors related to "timing attack vulnerabilities," aka Bug Id 6863503.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

References
Link Providers
http://java.sun.com/javase/6/webnotes/6u17.html cve-icon cve-icon
http://lists.apple.com/archives/security-announce/2009/Dec/msg00000.html cve-icon cve-icon
http://lists.apple.com/archives/security-announce/2009/Dec/msg00001.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00010.html cve-icon cve-icon
http://marc.info/?l=bugtraq&m=126566824131534&w=2 cve-icon cve-icon
http://marc.info/?l=bugtraq&m=131593453929393&w=2 cve-icon cve-icon
http://marc.info/?l=bugtraq&m=134254866602253&w=2 cve-icon cve-icon
http://secunia.com/advisories/37231 cve-icon cve-icon
http://secunia.com/advisories/37239 cve-icon cve-icon
http://secunia.com/advisories/37386 cve-icon cve-icon
http://secunia.com/advisories/37581 cve-icon cve-icon
http://secunia.com/advisories/37841 cve-icon cve-icon
http://security.gentoo.org/glsa/glsa-200911-02.xml cve-icon cve-icon
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270475-1 cve-icon cve-icon
http://support.apple.com/kb/HT3969 cve-icon cve-icon
http://support.apple.com/kb/HT3970 cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2010:084 cve-icon cve-icon
http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html cve-icon cve-icon
http://www.redhat.com/support/errata/RHSA-2009-1694.html cve-icon cve-icon
http://www.securityfocus.com/bid/36881 cve-icon cve-icon
http://www.vupen.com/english/advisories/2009/3131 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2009-3875 cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11847 cve-icon cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12112 cve-icon cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7549 cve-icon cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7913 cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2009-3875 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2024-08-07T06:45:50.930Z

Reserved: 2009-11-05T00:00:00

Link: CVE-2009-3875

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2009-11-05T16:30:00.517

Modified: 2025-04-09T00:30:58.490

Link: CVE-2009-3875

cve-icon Redhat

Severity : Moderate

Publid Date: 2009-11-03T00:00:00Z

Links: CVE-2009-3875 - Bugzilla

cve-icon OpenCVE Enrichment

No data.