47526 – XML signature HMAC truncation authentication bypass

Bug 47526 - XML signature HMAC truncation authentication bypass

Summary: XML signature HMAC truncation authentication bypass

Status:	RESOLVED FIXED

Alias:	None

Product:	Security - Now in JIRA
Classification:	Unclassified
Component:	Signature (show other bugs)
Version:	Java 1.4.2
Hardware:	All All

Importance:	P1 critical
Target Milestone:	---
Assignee:	XML Security Developers Mailing List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2009-07-14 11:35 UTC by sean.mullan
Modified:	2009-07-14 11:54 UTC (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description sean.mullan 2009-07-14 11:35:20 UTC

Apache XML Security (Java) is affected by the vulnerability published in US-Cert VU #466161. See: http://www.kb.cert.org/vuls/id/466161 for more information. This bug can allow an attacker to bypass authentication by inserting/modifying a small HMAC truncation length parameter in the XML Signature HMAC based SignatureMethod algorithms.

Comment 1 sean.mullan 2009-07-14 11:54:12 UTC

Fixed in source code repository, will be released in v 1.4.3