CVE-2009-0217
Description
The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.
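As an added example (not code from the page or from any of the listed products), the following Python verifier enforces the minimum the W3C errata later attached to HMACOutputLength: at least half the hash output and never fewer than 80 bits, checked before any comparison. The function names, the demo key and the `SignatureMethod` elements are constructed for this illustration; the algorithm URIs are the standard XMLDsig identifiers.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

DS_NS_URI = "http://www.w3.org/2000/09/xmldsig#"
# SignatureMethod algorithm URIs mapped to hashlib digest names.
HMAC_ALGORITHMS = {
    DS_NS_URI + "hmac-sha1": "sha1",
    "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256": "sha256",
}

def minimum_output_length(hash_name: str) -> int:
    """Smallest HMACOutputLength (bits) the XMLDsig errata permits: at least
    half the hash output and never fewer than 80 bits."""
    return max(80, hashlib.new(hash_name).digest_size * 4)

def checked_tag_bytes(hash_name: str, output_bits: Optional[int]) -> int:
    """Validate a declared HMACOutputLength and return the tag size in bytes.
    The vulnerable verifiers honoured any value; this rejects lengths below
    the minimum, above the full digest, or (stricter than the spec, which
    allows any bit count) not a multiple of 8."""
    full_bits = hashlib.new(hash_name).digest_size * 8
    if output_bits is None:          # element absent: the full MAC is used
        return full_bits // 8
    if not minimum_output_length(hash_name) <= output_bits <= full_bits or output_bits % 8:
        raise ValueError(f"HMACOutputLength {output_bits} not permitted for {hash_name}")
    return output_bits // 8

def parse_signature_method(sig_method_xml: str) -> Tuple[str, Optional[int]]:
    """Return (hashlib name, HMACOutputLength or None) from a <ds:SignatureMethod>."""
    elem = ET.fromstring(sig_method_xml)
    length = elem.find(f"{{{DS_NS_URI}}}HMACOutputLength")
    return HMAC_ALGORITHMS[elem.get("Algorithm")], (int(length.text) if length is not None else None)

def sign_hmac(key: bytes, data: bytes, hash_name: str, output_bits: Optional[int]) -> bytes:
    """HMAC tag truncated to the (validated) declared length; signers apply the same policy."""
    return hmac.new(key, data, hash_name).digest()[:checked_tag_bytes(hash_name, output_bits)]

def verify_hmac(key: bytes, data: bytes, tag: bytes, hash_name: str, output_bits: Optional[int]) -> bool:
    """Constant-time check; raises ValueError before comparing if the length is not permitted."""
    expected = sign_hmac(key, data, hash_name, output_bits)
    return len(tag) == len(expected) and hmac.compare_digest(tag, expected)

# Constructed sample input: demo key, canonicalised bytes, and two SignatureMethod elements.
KEY = b"constructed-demo-key"
DATA = b"<SignedInfo>constructed canonicalised bytes</SignedInfo>"
METHOD_OK = (f'<SignatureMethod xmlns="{DS_NS_URI}" Algorithm="{DS_NS_URI}hmac-sha1">'
             "<HMACOutputLength>128</HMACOutputLength></SignatureMethod>")
METHOD_TOO_SHORT = METHOD_OK.replace("128", "8")
```

With `METHOD_TOO_SHORT`, `verify_hmac` raises before the MAC is ever computed, so the declared length can never shrink the comparison below the policy minimum.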
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.santuario:xmlsec (Maven) | >= 1.4.0, < 1.4.3 | 1.4.3 |
Affected products
- cpe:2.3:a:ibm:websphere_application_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.11:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.13:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.15:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.17:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.1.9:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.12:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.14:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.15:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.16:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.17:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.18:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.19:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.20:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.21:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.22:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.23:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.24:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.25:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.28:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.29:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.30:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.31:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.32:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2.33:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.0.2:*:fp17:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.21:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.22:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.23:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:6.1.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_application_server:7.0.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mono_project:mono:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:mono_project:mono:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:mono_project:mono:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:mono_project:mono:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:mono_project:mono:1.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:mono_project:mono:1.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:mono_project:mono:1.9:*:*:*:*:*:*:*
- cpe:2.3:a:mono_project:mono:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_server:10.1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_server:10.1.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_server:10.1.4.3im:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:bea_product_suite:10.0:mp1:*:*:*:*:*:*
- cpe:2.3:a:oracle:bea_product_suite:10.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:bea_product_suite:8.1:sp6:*:*:*:*:*:*
- cpe:2.3:a:oracle:bea_product_suite:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:bea_product_suite:9.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:bea_product_suite:9.2:mp3:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server_component:10.0:mp1:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server_component:10.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server_component:8.1:sp6:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server_component:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server_component:9.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server_component:9.2:mp3:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
News mentions
No linked articles in our index yet.