Description
The MessageDigest.isEqual function in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to spoof HMAC-based digital signatures, and possibly bypass authentication, via unspecified vectors related to "timing attack vulnerabilities," aka Bug Id 6863503.
Analysis
No analysis available yet.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| n/a | n/a | affected |
|
Configuration 1 [-]
| AND |
|
Configuration 2 [-]
| AND |
|
| Package | CPE | Advisory | Released Date |
|---|---|---|---|
| Extras for RHEL 3 | |||
| java-1.4.2-ibm-0:1.4.2.13.3-1jpp.1.el3 | cpe:/a:redhat:rhel_extras:3 | RHSA-2009:1643 | 2009-12-08T00:00:00Z |
| Extras for RHEL 4 | |||
| java-1.6.0-sun-1:1.6.0.17-1jpp.1.el4 | cpe:/a:redhat:rhel_extras:4 | RHSA-2009:1560 | 2009-11-09T00:00:00Z |
| java-1.5.0-sun-0:1.5.0.22-1jpp.1.el4 | cpe:/a:redhat:rhel_extras:4 | RHSA-2009:1571 | 2009-11-10T00:00:00Z |
| java-1.4.2-ibm-0:1.4.2.13.3-1jpp.1.el4 | cpe:/a:redhat:rhel_extras:4 | RHSA-2009:1643 | 2009-12-08T00:00:00Z |
| java-1.5.0-ibm-1:1.5.0.11-1jpp.1.el4 | cpe:/a:redhat:rhel_extras:4 | RHSA-2009:1647 | 2009-12-08T00:00:00Z |
| java-1.6.0-ibm-1:1.6.0.7-1jpp.3.el4 | cpe:/a:redhat:rhel_extras:4 | RHSA-2009:1694 | 2009-12-23T00:00:00Z |
| Red Hat Enterprise Linux 5 | |||
| java-1.6.0-openjdk-1:1.6.0.0-1.7.b09.el5 | cpe:/o:redhat:enterprise_linux:5 | RHSA-2009:1584 | 2009-11-16T00:00:00Z |
| Red Hat Network Satellite Server v 5.3 | |||
| java-1.6.0-ibm-1:1.6.0.7-1jpp.2.el5 | cpe:/a:redhat:network_satellite:5.3::el4 | RHSA-2010:0043 | 2010-01-14T00:00:00Z |
| RHEL 4 for SAP | |||
| java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el4_8 | cpe:/a:redhat:rhel_extras_sap:4 | RHSA-2010:0408 | 2010-05-12T00:00:00Z |
| RHEL 5 for SAP | |||
| java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el5 | cpe:/a:redhat:rhel_extras_sap:5 | RHSA-2010:0408 | 2010-05-12T00:00:00Z |
| Supplementary for Red Hat Enterprise Linux 5 | |||
| java-1.6.0-sun-1:1.6.0.17-1jpp.2.el5 | cpe:/a:redhat:rhel_extras:5 | RHSA-2009:1560 | 2009-11-09T00:00:00Z |
| java-1.5.0-sun-0:1.5.0.22-1jpp.1.el5 | cpe:/a:redhat:rhel_extras:5 | RHSA-2009:1571 | 2009-11-10T00:00:00Z |
| java-1.4.2-ibm-0:1.4.2.13.3-1jpp.1.el5 | cpe:/a:redhat:rhel_extras:5 | RHSA-2009:1643 | 2009-12-08T00:00:00Z |
| java-1.5.0-ibm-1:1.5.0.11-1jpp.1.el5 | cpe:/a:redhat:rhel_extras:5 | RHSA-2009:1647 | 2009-12-08T00:00:00Z |
| java-1.6.0-ibm-1:1.6.0.7-1jpp.2.el5 | cpe:/a:redhat:rhel_extras:5 | RHSA-2009:1694 | 2009-12-23T00:00:00Z |
No data available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
 EUVD |
EUVD-2009-3846 | The MessageDigest.isEqual function in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to spoof HMAC-based digital signatures, and possibly bypass authentication, via unspecified vectors related to "timing attack vulnerabilities," aka Bug Id 6863503. |
 Ubuntu USN |
USN-859-1 | OpenJDK vulnerabilities |
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2024-08-07T06:45:50.930Z
Reserved: 2009-11-05T00:00:00.000Z
Link: CVE-2009-3875
Vulnrichment
No data.
NVD
Status : Deferred
Published: 2009-11-05T16:30:00.517
Modified: 2025-04-09T00:30:58.490
Link: CVE-2009-3875
Redhat
OpenCVE Enrichment
No data.
Weaknesses