Description: | The design of the W3C XML Signature Syntax and Processing (XMLDsig)
recommendation, as implemented in products including (1) the Oracle
Security Developer Tools component in Oracle Application Server
10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component
in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6;
(3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5)
IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1
through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update
14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5,
and 4.0; and other products, uses a parameter that defines an HMAC
truncation length (HMACOutputLength) but does not require a minimum
for this length, which allows attackers to spoof HMAC-based signatures
and bypass authentication by specifying a truncation length with a
small number of bits.
|
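The missing minimum described above, as an added Python example that is not code from any of the listed products: `verify_unchecked` trusts the document's HMACOutputLength, while `verify_strict` applies the floor W3C later added to the specification (at least 80 bits and at least half the hash output length). The function names, key and SignedInfo bytes are constructed for illustration, and only byte-aligned lengths are handled.

```python
import hashlib
import hmac

# Constructed sample values for illustration only.
KEY = b"constructed-demo-key"
SIGNED_INFO = b"<SignedInfo>constructed canonical bytes</SignedInfo>"


def min_output_bits(digest_name):
    """Floor adopted after this issue: >= 80 bits and >= half the hash output."""
    full_bits = hashlib.new(digest_name).digest_size * 8
    return max(80, full_bits // 2)


def truncated_hmac(key, data, digest_name, bits):
    """HMAC output truncated to its leftmost `bits` bits (whole bytes only)."""
    return hmac.new(key, data, digest_name).digest()[: bits // 8]


def verify_unchecked(key, data, sig_value, digest_name, output_bits):
    """Pre-fix behaviour: compares only as many bits as the document asks for."""
    expected = truncated_hmac(key, data, digest_name, output_bits)
    return hmac.compare_digest(expected, sig_value[: len(expected)])


def verify_strict(key, data, sig_value, digest_name, output_bits=None):
    """Hardened: validates HMACOutputLength before any comparison is made."""
    full_bits = hashlib.new(digest_name).digest_size * 8
    bits = full_bits if output_bits is None else output_bits
    if bits % 8 or not (min_output_bits(digest_name) <= bits <= full_bits):
        return False  # reject out-of-range or non-byte-aligned lengths
    expected = truncated_hmac(key, data, digest_name, bits)
    # Require the exact length so extra or missing bytes never pass.
    return len(sig_value) == len(expected) and hmac.compare_digest(expected, sig_value)
```

A verifier that never expects truncated signatures can go further and reject any signature carrying HMACOutputLength at all.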