CVE-2009-0217 · threatengine.sh

Home/CVE/The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including

CVE

CVE-2009-0217

The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including

The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM.

(2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6.

(3) Mono before 2.4.2.2.

(4) XML Security Library before 1.2.12.

(5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1.

(6) Sun JDK and JRE Update 14 and earlier.

(7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0.

and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.

MEDIUM · CVSS 5 EPSS 0.0222

Monitor

No active-exploitation, high-EPSS, or public-exploit signals - routine patching cadence

Sigma rules0 YARA rules0

▤

Affected Products & Versions

1

ibm websphere application serverall versions

▤

Affected Packages

1

Language-ecosystem packages (from OSV) tied to this CVE, with the version that fixes it - the dependency-level detail NVD doesn’t carry.

Maven org.apache.santuario:xmlsec MODERATE fixed in 1.4.3

▣

Scoring & Timeline

5

MEDIUM · CVSS v2 (legacy) · cret@cert.org

View on NVD

This CVE predates CVSS v3; the legacy v2 score is shown so triage still has a severity to work with.

v2 Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Published to NVD14 Jul 2009 · 11:30 PM

⚑

Vendor Advisories

12

usnUSN-903-1
rhsaRHSA-2009:1636Low
rhsaRHSA-2009:1649Low
rhsaRHSA-2009:1637Low
rhsaRHSA-2009:1650Low
Show all 12 vendor advisoriesrhsaRHSA-2009:1694Moderate
rhsaRHSA-2010:0043Important
usnUSN-826-1
usnUSN-814-1
rhsaRHSA-2009:1200Moderate
rhsaRHSA-2009:1201Moderate
rhsaRHSA-2009:1428Moderate

🔗

References & Sources

80

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161

http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7

http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7

http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html

http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html

http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html

Show all 80 references

http://marc.info/?l=bugtraq&m=125787273209737&w=2

http://osvdb.org/55895

http://osvdb.org/55907

http://secunia.com/advisories/34461

http://secunia.com/advisories/35776Vendor Advisory

http://secunia.com/advisories/35852Vendor Advisory

http://secunia.com/advisories/35853Vendor Advisory

http://secunia.com/advisories/35854Vendor Advisory

http://secunia.com/advisories/35855Vendor Advisory

http://secunia.com/advisories/35858Vendor Advisory

http://secunia.com/advisories/36162Vendor Advisory

http://secunia.com/advisories/36176Vendor Advisory

http://secunia.com/advisories/36180Vendor Advisory

http://secunia.com/advisories/36494Vendor Advisory

http://secunia.com/advisories/37300

http://secunia.com/advisories/37671

http://secunia.com/advisories/37841

http://secunia.com/advisories/38567

http://secunia.com/advisories/38568

http://secunia.com/advisories/38695

http://secunia.com/advisories/38921

http://secunia.com/advisories/41818

http://secunia.com/advisories/60799

http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1

http://sunsolve.sun.com/search/document.do?assetkey=1-66-263429-1

http://sunsolve.sun.com/search/document.do?assetkey=1-66-269208-1

http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020710.1-1

http://svn.apache.org/viewvc?revision=794013&view=revision

http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023545&loc=en_US&cs=UTF-8&lang=en&rss=ct180webspherePatchVendor Advisory

http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023723&loc=en_US&cs=UTF-8&lang=en&rss=ct180webspherePatchVendor Advisory

http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21384925PatchVendor Advisory

http://www.aleksey.com/xmlsec/

http://www.debian.org/security/2010/dsa-1995

http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml

http://www.kb.cert.org/vuls/id/466161US Government Resource

http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ

http://www.kb.cert.org/vuls/id/WDON-7TY529

http://www.mandriva.com/security/advisories?name=MDVSA-2009:209

http://www.mono-project.com/VulnerabilitiesVendor Advisory

http://www.openoffice.org/security/cves/CVE-2009-0217.html

http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html

http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html

http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html

http://www.redhat.com/support/errata/RHSA-2009-1694.html

http://www.securityfocus.com/bid/35671Patch

http://www.securitytracker.com/id?1022561

http://www.securitytracker.com/id?1022567

http://www.securitytracker.com/id?1022661

http://www.ubuntu.com/usn/USN-903-1

http://www.us-cert.gov/cas/techalerts/TA09-294A.htmlUS Government Resource

http://www.us-cert.gov/cas/techalerts/TA10-159B.htmlUS Government Resource

http://www.vupen.com/english/advisories/2009/1900PatchVendor Advisory

http://www.vupen.com/english/advisories/2009/1908PatchVendor Advisory

http://www.vupen.com/english/advisories/2009/1909PatchVendor Advisory

http://www.vupen.com/english/advisories/2009/1911PatchVendor Advisory

http://www.vupen.com/english/advisories/2009/2543

http://www.vupen.com/english/advisories/2009/3122

http://www.vupen.com/english/advisories/2010/0366

http://www.vupen.com/english/advisories/2010/0635

http://www.w3.org/2008/06/xmldsigcore-errata.html#e03Vendor Advisory

http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.htmlVendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=511915

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-041

https://issues.apache.org/bugzilla/show_bug.cgi?id=47526

https://issues.apache.org/bugzilla/show_bug.cgi?id=47527

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10186

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7158

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8717

https://rhn.redhat.com/errata/RHSA-2009-1200.html

https://rhn.redhat.com/errata/RHSA-2009-1201.html

https://rhn.redhat.com/errata/RHSA-2009-1428.html

https://rhn.redhat.com/errata/RHSA-2009-1636.html

https://rhn.redhat.com/errata/RHSA-2009-1637.html

https://rhn.redhat.com/errata/RHSA-2009-1649.html

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin