Juniper Networks
Solutions
Products & Services
Company
Partners
Support
Education

Signature Detail

Security Intelligence Center
Signatures
Print

Short Name

 HTTP:STC:IE:XML-HMAC-BYPASS

Severity

 Medium

Recommended

 No

Recommended Action

 Drop

Category

 HTTP

Keywords

 XML Signature HMAC Truncation Bypass Vulnerability

Release Date

 2010/06/08

Update Number

 1701

Supported Platforms

 idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

HTTP: XML Signature HMAC Truncation Bypass Vulnerability


This signature detects attempts to exploit a known vulnerability in Microsoft Internet Explorer. An attacker can create a malicious Web site with Web pages containing dangerous XML content, which if accessed by a victim, allows the attacker bypass authentication of certain content.

Extended Description

The IETF and W3C XML Digital Signature Specification is prone to an authentication-bypass vulnerability. Attackers may exploit this issue to forge signatures to arbitrary XML data. This may lead to further attacks. Note that the specification doesn't require implementations to accept all truncation length values. As a result, not all implementations of the XML Digital Signature Specification will be affected by this issue.

Affected Products

  • Apache Software Foundation XML Security 1.0.4
  • Apache Software Foundation XML Security 1.4.2
  • Apple Mac OS X 10.5
  • Apple Mac OS X 10.5.1
  • Apple Mac OS X 10.5.2
  • Apple Mac OS X 10.5.3
  • Apple Mac OS X 10.5.4
  • Apple Mac OS X 10.5.5
  • Apple Mac OS X 10.5.6
  • Apple Mac OS X 10.5.7
  • Apple Mac OS X 10.5.8
  • Apple Mac OS X Server 10.5
  • Apple Mac OS X Server 10.5.1
  • Apple Mac OS X Server 10.5.2
  • Apple Mac OS X Server 10.5.3
  • Apple Mac OS X Server 10.5.4
  • Apple Mac OS X Server 10.5.5
  • Apple Mac OS X Server 10.5.6
  • Apple Mac OS X Server 10.5.7
  • Apple Mac OS X Server 10.5.8
  • Avaya Intuity AUDIX LX 2.0
  • Avaya Intuity AUDIX LX 2.0 SP1
  • Avaya Intuity AUDIX LX 2.0 SP2
  • Avaya Meeting Exchange - Client Registration Server
  • Avaya Meeting Exchange - Recording Server
  • Avaya Meeting Exchange - Streaming Server
  • Avaya Meeting Exchange - Web Conferencing Server
  • Avaya Meeting Exchange - Webportal
  • Avaya Message Networking 3.1
  • Avaya Message Networking MN 3.1
  • Avaya Message Networking
  • Avaya Messaging Application Server 4
  • Avaya Messaging Application Server 5
  • Avaya Messaging Application Server MM 1.1
  • Avaya Messaging Application Server MM 2.0
  • Avaya Messaging Application Server MM 3.0
  • Avaya Messaging Application Server MM 3.1
  • Avaya Messaging Application Server
  • Avaya Messaging Storage Server 3.1
  • Avaya Messaging Storage Server 4.0
  • Avaya Messaging Storage Server 5.0
  • Avaya Messaging Storage Server MM3.0
  • BEA Systems Weblogic Server 10.0
  • BEA Systems Weblogic Server 1.0.0.0
  • BEA Systems Weblogic Server 1.0.0.1
  • BEA Systems Weblogic Server 10.0 Maintenance Pack 2
  • BEA Systems Weblogic Server 10.0 MP1
  • BEA Systems Weblogic Server 10.3
  • BEA Systems Weblogic Server 8.1
  • BEA Systems Weblogic Server 8.1.0
  • BEA Systems Weblogic Server 8.1.0 SP 1
  • BEA Systems Weblogic Server 8.1.0 SP 2
  • BEA Systems Weblogic Server 8.1.0 SP 3
  • BEA Systems Weblogic Server 8.1.0 SP 4
  • BEA Systems Weblogic Server 8.1.0 SP 5
  • BEA Systems Weblogic Server 8.1.0 SP 6
  • BEA Systems Weblogic Server 8.1.4
  • BEA Systems Weblogic Server 8.1.6
  • BEA Systems Weblogic Server 8.1 SP6
  • BEA Systems Weblogic Server 9.0
  • BEA Systems Weblogic Server 9.1
  • BEA Systems Weblogic Server 9.1.0
  • BEA Systems Weblogic Server 9.2
  • BEA Systems Weblogic Server 9.2.0
  • BEA Systems Weblogic Server 9.2.1
  • BEA Systems Weblogic Server 9.2.2
  • BEA Systems Weblogic Server 9.2 Maintenance Pack 3
  • Debian Linux 4.0
  • Debian Linux 4.0 Alpha
  • Debian Linux 4.0 Amd64
  • Debian Linux 4.0 Arm
  • Debian Linux 4.0 Armel
  • Debian Linux 4.0 Hppa
  • Debian Linux 4.0 Ia-32
  • Debian Linux 4.0 Ia-64
  • Debian Linux 4.0 M68k
  • Debian Linux 4.0 Mips
  • Debian Linux 4.0 Mipsel
  • Debian Linux 4.0 Powerpc
  • Debian Linux 4.0 S/390
  • Debian Linux 4.0 Sparc
  • Debian Linux 5.0
  • Debian Linux 5.0 Alpha
  • Debian Linux 5.0 Amd64
  • Debian Linux 5.0 Arm
  • Debian Linux 5.0 Armel
  • Debian Linux 5.0 Hppa
  • Debian Linux 5.0 Ia-32
  • Debian Linux 5.0 Ia-64
  • Debian Linux 5.0 M68k
  • Debian Linux 5.0 Mips
  • Debian Linux 5.0 Mipsel
  • Debian Linux 5.0 Powerpc
  • Debian Linux 5.0 S/390
  • Debian Linux 5.0 Sparc
  • Gentoo Linux
  • HP HP-UX 11.11.0
  • HP HP-UX 11.23.0
  • HP HP-UX 11.31
  • IBM Java SE 6.0 SR5
  • IBM Websphere Application Server 6.0.0
  • IBM Websphere Application Server 6.0.1
  • IBM Websphere Application Server 6.0.2
  • IBM Websphere Application Server 6.0.2.1
  • IBM Websphere Application Server 6.0.2.11
  • IBM Websphere Application Server 6.0.2.13
  • IBM Websphere Application Server 6.0.2.15
  • IBM Websphere Application Server 6.0.2.17
  • IBM Websphere Application Server 6.0.2.19
  • IBM Websphere Application Server 6.0.2.21
  • IBM Websphere Application Server 6.0.2.22
  • IBM Websphere Application Server 6.0.2.23
  • IBM Websphere Application Server 6.0.2.24
  • IBM Websphere Application Server 6.0.2.25
  • IBM Websphere Application Server 6.0.2.27
  • IBM Websphere Application Server 6.0.2.29
  • IBM Websphere Application Server 6.0.2.3
  • IBM Websphere Application Server 6.0.2.31
  • IBM Websphere Application Server 6.0.2.33
  • IBM Websphere Application Server 6.0.2.5
  • IBM Websphere Application Server 6.0.2.7
  • IBM Websphere Application Server 6.0.2.9
  • IBM Websphere Application Server 6.0.2 Fix Pack 17
  • IBM Websphere Application Server 6.1.0
  • IBM Websphere Application Server 6.1.0.1
  • IBM Websphere Application Server 6.1.0.10
  • IBM Websphere Application Server 6.1.0.11
  • IBM Websphere Application Server 6.1.0.12
  • IBM Websphere Application Server 6.1.0.13
  • IBM Websphere Application Server 6.1.0.14
  • IBM Websphere Application Server 6.1.0.15
  • IBM Websphere Application Server 6.1.0.17
  • IBM Websphere Application Server 6.1.0.18
  • IBM Websphere Application Server 6.1.0.19
  • IBM Websphere Application Server 6.1.0.2
  • IBM Websphere Application Server 6.1.0.20
  • IBM Websphere Application Server 6.1.0.21
  • IBM Websphere Application Server 6.1.0.22
  • IBM Websphere Application Server 6.1.0.23
  • IBM Websphere Application Server 6.1.0.3
  • IBM Websphere Application Server 6.1.0.4
  • IBM Websphere Application Server 6.1.0.5
  • IBM Websphere Application Server 6.1.0.6
  • IBM Websphere Application Server 6.1.0.7
  • IBM Websphere Application Server 6.1.0.8
  • IBM Websphere Application Server 6.1.0.9
  • IBM Websphere Application Server 7.0
  • IBM Websphere Application Server 7.0.0.1
  • Mandriva Enterprise Server 5
  • Mandriva Enterprise Server 5 X86 64
  • Mandriva Linux Mandrake 2008.0
  • Mandriva Linux Mandrake 2008.0 X86 64
  • Mandriva Linux Mandrake 2008.1
  • Mandriva Linux Mandrake 2008.1 X86 64
  • Mandriva Linux Mandrake 2009.0
  • Mandriva Linux Mandrake 2009.0 X86 64
  • Mandriva Linux Mandrake 2009.1
  • Mandriva Linux Mandrake 2009.1 X86 64
  • Microsoft .NET Framework 1.1 SP1
  • Microsoft .NET Framework 1.1 SP2
  • Microsoft .NET Framework 1.1 SP3
  • Microsoft .NET Framework 2.0 SP2
  • Microsoft .NET Framework 3.5
  • Microsoft .NET Framework 3.5 SP1
  • Mono 1.0.0
  • Mono 1.0.5
  • Mono 1.1.13
  • Mono 1.1.13.4
  • Mono 1.1.13.6
  • Mono 1.1.13.7
  • Mono 1.1.17
  • Mono 1.1.17.1
  • Mono 1.1.18
  • Mono 1.1.4
  • Mono 1.1.8.3
  • Mono 1.2.5 1
  • Mono 1.2.5 2
  • Mono 2.0.0
  • Mono 2.4.2
  • Mono 2.4.2.1
  • OpenOffice 2.0.0 Beta
  • OpenOffice 2.0.1
  • OpenOffice 2.0.2
  • OpenOffice 2.0.3
  • OpenOffice 2.0.3-1
  • OpenOffice 2.0.4
  • OpenOffice 2.1
  • OpenOffice 2.2
  • OpenOffice 2.2.0
  • OpenOffice 2.2.1
  • OpenOffice 2.3.0
  • OpenOffice 2.3.1
  • OpenOffice 2.4
  • OpenOffice 2.4.1
  • OpenOffice 2.4.2
  • OpenOffice 2.4.3
  • OpenOffice 3.1.0
  • OpenOffice 3.1.1
  • Oracle JRockit R27.1.0
  • Oracle JRockit R27.6.0
  • Oracle JRockit R27.6.2
  • Oracle JRockit R27.6.3
  • Oracle Oracle10g Application Server 10.1.2.3.0
  • Oracle Oracle10g Application Server 10.1.3 .2.0
  • Oracle Oracle10g Application Server 10.1.3 .3.0
  • Oracle Oracle10g Application Server 10.1.3 .4.0
  • Oracle Weblogic Server 10.0 MP1
  • Oracle Weblogic Server 10.3
  • Oracle Weblogic Server 8.1
  • Oracle Weblogic Server 8.1 SP6
  • Oracle Weblogic Server 9.0 GA
  • Oracle Weblogic Server 9.1 GA
  • Oracle Weblogic Server 9.2
  • Oracle Weblogic Server 9.3 MP3
  • Pardus Linux 2008
  • Pardus Linux 2009
  • Red Hat Desktop Extras 4
  • Red Hat Enterprise Linux 5 Server
  • Red Hat Enterprise Linux Desktop Version 4
  • Red Hat Enterprise Linux AS 4
  • Red Hat Enterprise Linux AS Extras 4
  • Red Hat Enterprise Linux Desktop 5 Client
  • Red Hat Enterprise Linux Desktop Supplementary 5 Client
  • Red Hat Enterprise Linux Desktop Workstation 5 Client
  • Red Hat Enterprise Linux ES 4
  • Red Hat Enterprise Linux ES Extras 4
  • Red Hat Enterprise Linux EUS 5.3.Z Server
  • Red Hat Enterprise Linux Extras 4
  • Red Hat Enterprise Linux Extras 4.8.Z
  • Red Hat Enterprise Linux Supplementary 5 Server
  • Red Hat Enterprise Linux Supplementary EUS 5.3.Z
  • Red Hat Enterprise Linux WS 4
  • Red Hat Enterprise Linux WS Extras 4
  • Red Hat Fedora 10
  • Red Hat Fedora 11
  • Red Hat JBoss Enterprise Application Platform 4.2.0
  • Red Hat JBoss Enterprise Application Platform 4.2.0 EL4
  • Red Hat JBoss Enterprise Application Platform 4.2.0 EL5
  • Red Hat JBoss Enterprise Application Platform 4.3.0
  • Red Hat JBoss Enterprise Application Platform 4.3.0 EL4
  • Red Hat JBoss Enterprise Application Platform 4.3.0 EL5
  • Red Hat Network Satellite (for RHEL 4 AS) 5.3
  • Red Hat Network Satellite (for RHEL 5 Server) 5.3
  • RSA Security BSAFE Cert-J
  • RSA Security BSAFE SSL-J
  • RSA Security Federated Identity Manager
  • Sun Glassfish Enterprise Server 2.1
  • Sun JDK (Linux Production Release) 1.6.0
  • Sun JDK (Linux Production Release) 1.6.0 01
  • Sun JDK (Linux Production Release) 1.6.0 02
  • Sun JDK (Linux Production Release) 1.6.0 03
  • Sun JDK (Linux Production Release) 1.6.0 04
  • Sun JDK (Linux Production Release) 1.6.0 05
  • Sun JDK (Linux Production Release) 1.6.0 06
  • Sun JDK (Linux Production Release) 1.6.0 07
  • Sun JDK (Linux Production Release) 1.6.0 10
  • Sun JDK (Linux Production Release) 1.6.0 11
  • Sun JDK (Linux Production Release) 1.6.0 13
  • Sun JDK (Linux Production Release) 1.6.0 14
  • Sun JDK (Solaris Production Release) 1.6.0 01
  • Sun JDK (Solaris Production Release) 1.6.0 02
  • Sun JDK (Solaris Production Release) 1.6.0 03
  • Sun JDK (Windows Production Release) 1.6.0 01
  • Sun JDK (Windows Production Release) 1.6.0 01-B06
  • Sun JDK (Windows Production Release) 1.6.0 02
  • Sun JDK (Windows Production Release) 1.6.0 03
  • Sun JRE (Linux Production Release) 1.6.0 01
  • Sun JRE (Linux Production Release) 1.6.0 02
  • Sun JRE (Linux Production Release) 1.6.0 03
  • Sun JRE (Linux Production Release) 1.6.0 04
  • Sun JRE (Linux Production Release) 1.6.0 05
  • Sun JRE (Linux Production Release) 1.6.0 06
  • Sun JRE (Linux Production Release) 1.6.0 07
  • Sun JRE (Linux Production Release) 1.6.0 10
  • Sun JRE (Linux Production Release) 1.6.0 11
  • Sun JRE (Linux Production Release) 1.6.0 12
  • Sun JRE (Linux Production Release) 1.6.0 13
  • Sun JRE (Linux Production Release) 1.6.0 14
  • Sun OpenJDK 6 Build B12
  • Sun OpenSSO Enterprise 8.0
  • Sun OpenSSO Enterprise
  • SuSE Novell Linux Desktop 9.0.0
  • SuSE OpenOffice for Windows
  • SuSE openSUSE 11.0
  • SuSE openSUSE 11.1
  • SuSE openSUSE 11.2
  • SuSE SUSE Linux Enterprise 11
  • SuSE SUSE Linux Enterprise Desktop 10 SP2
  • SuSE SUSE Linux Enterprise Desktop 10 SP3
  • SuSE SUSE Linux Enterprise Desktop 11
  • SuSE SUSE Linux Enterprise SDK 10 SP2
  • SuSE SUSE Linux Enterprise SDK 10 SP3
  • SuSE SUSE Linux Enterprise Server 11
  • Ubuntu Ubuntu Linux 8.04 LTS Amd64
  • Ubuntu Ubuntu Linux 8.04 LTS I386
  • Ubuntu Ubuntu Linux 8.04 LTS Lpia
  • Ubuntu Ubuntu Linux 8.04 LTS Powerpc
  • Ubuntu Ubuntu Linux 8.04 LTS Sparc
  • Ubuntu Ubuntu Linux 8.10 Amd64
  • Ubuntu Ubuntu Linux 8.10 I386
  • Ubuntu Ubuntu Linux 8.10 Lpia
  • Ubuntu Ubuntu Linux 8.10 Powerpc
  • Ubuntu Ubuntu Linux 8.10 Sparc
  • Ubuntu Ubuntu Linux 9.04 Amd64
  • Ubuntu Ubuntu Linux 9.04 I386
  • Ubuntu Ubuntu Linux 9.04 Lpia
  • Ubuntu Ubuntu Linux 9.04 Powerpc
  • Ubuntu Ubuntu Linux 9.04 Sparc
  • Ubuntu Ubuntu Linux 9.10 Amd64
  • Ubuntu Ubuntu Linux 9.10 I386
  • Ubuntu Ubuntu Linux 9.10 Lpia
  • Ubuntu Ubuntu Linux 9.10 Powerpc
  • Ubuntu Ubuntu Linux 9.10 Sparc
  • XML Security Library 1.2.11

References

  • BugTraq: 35671
  • CVE: CVE-2009-0217
  • URL: http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html

Site Map
RSS Feeds
Careers
Accessibility
Feedback
Privacy Policy
Legal Notices
Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.
Help
|
My Account
|
Log Out