Bug 20793

Summary: CVE-2009-0217 XML signature HMAC truncation authentication bypass
Product: Sisyphus Reporter: Vladimir Lettiev <crux>
Component: java-1.6.0-sun Assignee: viy <viy>
Status: CLOSED FIXED QA Contact: qa-sisyphus
Severity: normal    
Priority: P3 Keywords: security
Version: unstable   
Hardware: all   
OS: Linux   
URL: http://www.kb.cert.org/vuls/id/466161

Description Vladimir Lettiev 2009-07-16 08:37:09 MSD
+++ This bug was created as a clone of bug 20785 +++

XML Signature Syntax and Processing (XMLDsig) is a W3C recommendation for providing integrity, message authentication, and/or signer authentication services for data. XMLDsig is commonly used by web services such as SOAP. The XMLDsig recommendation includes support for HMAC truncation, as specified in RFC2014. When HMAC truncation is under the control of an attacker, however, this can result in an effective authentication bypass. For example, by specifying an HMACOutputLength of 1, only one bit of the signature is verified. This can allow an attacker to forge an XML signature that will be accepted as valid.

http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ : "This issue will be addressed with Sun's upcoming Java SE security updates which are targeted to be released in late July 2009."
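
The truncation problem described in the report above, as an added example that is not part of the original bug report and is not Sun's code: an unsafe verifier that trusts the document's HMACOutputLength beside a hardened one that enforces a minimum length first. The floor of max(80 bits, half the hash output) follows the W3C XML Signature guidance issued for this CVE; the function names, key and document are constructed for illustration.

```python
import hashlib
import hmac

# Floor from the W3C XML Signature guidance issued for CVE-2009-0217:
# truncation below max(80 bits, half the hash output) must be rejected.
MIN_ABSOLUTE_BITS = 80
KEY = b"constructed-demo-key"                  # constructed sample key
DOC = b"<Order><Amount>10</Amount></Order>"    # constructed signed content

def _truncate(mac, bits):
    """Keep the leftmost `bits` bits of mac, zeroing unused tail bits."""
    out = bytearray(mac[:(bits + 7) // 8])
    if bits % 8 and out:
        out[-1] &= (0xFF << (8 - bits % 8)) & 0xFF
    return bytes(out)

def verify_lenient(key, data, sig_value, output_length_bits, digest=hashlib.sha1):
    """Unsafe: trusts HMACOutputLength exactly as given in the document."""
    full = hmac.new(key, data, digest).digest()
    if not 0 < output_length_bits <= len(full) * 8:
        return False
    expected = _truncate(full, output_length_bits)
    return hmac.compare_digest(expected, _truncate(sig_value, output_length_bits))

def verify_strict(key, data, sig_value, output_length_bits, digest=hashlib.sha1):
    """Hardened: reject short truncation lengths before comparing anything."""
    floor = max(MIN_ABSOLUTE_BITS, digest().digest_size * 8 // 2)
    if output_length_bits < floor:
        return False
    return verify_lenient(key, data, sig_value, output_length_bits, digest)

def demo():
    real = hmac.new(KEY, DOC, hashlib.sha1).digest()
    # Constructed value that agrees with the real MAC in its first bit only.
    one_bit_match = bytes([real[0] ^ 0x7F]) + bytes(b ^ 0xFF for b in real[1:])
    return {
        "lenient_1bit": verify_lenient(KEY, DOC, one_bit_match, 1),
        "strict_1bit": verify_strict(KEY, DOC, one_bit_match, 1),
        "strict_96bit_real": verify_strict(KEY, DOC, real[:12], 96),
        "strict_96bit_bad": verify_strict(KEY, DOC, one_bit_match[:12], 96),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(name, "accepted" if accepted else "rejected")
```

The length check runs before any comparison, so a signature carrying a short HMACOutputLength is rejected regardless of its value.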
Comment 1 viy 2009-07-22 16:24:08 MSD
Affected Products

Sun JDK version 6 Update 14 and prior
Sun JRE version 6 Update 14 and prior
Comment 2 viy 2009-10-05 19:10:19 MSD
fixed in b16, java-1.6.0-sun-1.6.0.16-alt1.src.rpm