[Sun] Vulnerability in the JRE when verifying XML signatures - Sun Alert 263429

Dear colleagues,

We have just received the following Sun Security Advisory. We are
forwarding this information to you unchanged.

CVE-2009-0217: Vulnerability in the XMLDsig specification

The W3C recommendation on the syntax and processing of XML signatures
(XMLDsig) contains a parameter that specifies the length to which an
HMAC checksum may be truncated (HMACOutputLength), but it defines no
minimum value for this parameter.

Attackers who want to forge an HMAC value can therefore specify an
arbitrarily small value, which makes forgery considerably easier. As a
consequence it is possible, for example, to bypass access control
mechanisms and thereby disclose confidential data.

The specification is implemented by various products, which are
therefore vulnerable, including Apache (xml-security-c), Oracle
Application Server, BEA WebLogic, IBM WebSphere and Mono.

The fix consists of setting the minimum length to 80 bits or to half
the HMAC length, whichever of the two is larger.
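The following is an added example, not code from the advisory or from Sun's implementation: it encodes the minimum-length rule described above (80 bits or half the HMAC output, whichever is larger) and contrasts a verifier that enforces it with one that honours any HMACOutputLength. The key, signed content and function names are constructed for illustration.

```python
import hashlib
import hmac

# The rule from the advisory: the verifier must not honour an HMACOutputLength
# smaller than 80 bits or half the full HMAC output, whichever is larger.
ABSOLUTE_MIN_BITS = 80

# Constructed sample key and signed content (not taken from the advisory).
SAMPLE_KEY = b"constructed-shared-secret"
SAMPLE_DATA = b"<Assertion>grant access to user alice</Assertion>"

def hash_bits(hash_name):
    """Full output size in bits of the underlying hash (e.g. 160 for sha1)."""
    return hashlib.new(hash_name).digest_size * 8

def minimum_output_bits(hash_name):
    """Smallest HMACOutputLength a hardened verifier may accept for hash_name."""
    return max(ABSOLUTE_MIN_BITS, hash_bits(hash_name) // 2)

def output_length_acceptable(hash_name, requested_bits):
    """Hardened check: reject lengths below the minimum or above the full digest."""
    return minimum_output_bits(hash_name) <= requested_bits <= hash_bits(hash_name)

def leftmost_bits(mac, n):
    """Truncate a MAC to its leftmost n bits (XMLDsig HMACOutputLength semantics)."""
    value = int.from_bytes(mac, "big") >> (len(mac) * 8 - n)
    return value.to_bytes((n + 7) // 8, "big")

def compute_tag(hash_name, key, data, bits):
    """Produce the truncated SignatureValue a signer would emit."""
    return leftmost_bits(hmac.new(key, data, hash_name).digest(), bits)

def verify_hmac(hash_name, key, data, signature_value, requested_bits, hardened=True):
    """Verify signature_value against HMAC(key, data) truncated to requested_bits.
    hardened=False mirrors the pre-fix behaviour (any length honoured) for contrast."""
    if requested_bits < 1 or requested_bits > hash_bits(hash_name):
        return False
    if hardened and not output_length_acceptable(hash_name, requested_bits):
        return False  # too few bits: refuse rather than verify a near-useless tag
    expected = compute_tag(hash_name, key, data, requested_bits)
    return hmac.compare_digest(expected, signature_value)

if __name__ == "__main__":
    tag = compute_tag("sha1", SAMPLE_KEY, SAMPLE_DATA, 8)
    print("vulnerable:", verify_hmac("sha1", SAMPLE_KEY, SAMPLE_DATA, tag, 8, hardened=False))
    print("hardened:  ", verify_hmac("sha1", SAMPLE_KEY, SAMPLE_DATA, tag, 8))
```

For HMAC-SHA1 the rule yields a floor of 80 bits, for HMAC-SHA256 a floor of 128 bits, so the `hardened=True` path rejects the 8-bit tag that the pre-fix path accepts.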

The following software packages and platforms are affected:

Sun JDK and JRE 6 before Update 15
Sun JDK and JRE 5.0 as well as 1.4.2 and 1.3.1 are not affected.

JDK 6 Update 15 for Solaris is available in the following patches:
* Java SE 6: update 15 (Patch 125136-16)
* Java SE 6: update 15 (Patch 125137-16 (64bit))
* Java SE 6_x86: update 15 (Patch 125138-16)
* Java SE 6_x86: update 15 (Patch 125139-16 (64bit))

Sun Solaris (SPARC and x86)
Windows
Linux

The vendor provides updated packages.

Vendor advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-263429-1

(c) for the German summary: DFN-CERT Services GmbH; distribution,
including of excerpts, is permitted only with attribution to the
author, DFN-CERT Services GmbH, and only for non-commercial purposes.

Best regards,
Klaus Moeller, DFN-CERT

-- 
Dipl. Inform. Klaus Moeller (Incident Response Team)
Phone: +49 40 808077-555, Fax: +49 40 808077-556

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Solution Type Sun Alert
Solution 263429 : A Security Vulnerability With Verifying HMAC-based
XML Digital Signatures in the XML Digital Signature Implementation
Included With the Java Runtime Environment (JRE) may Allow
Authentication to be Bypassed

Bug ID
6824440

Product
Java Platform, Standard Edition (Java SE)

Date of Resolved Release
04-Aug-2009

SA Document Body
A security vulnerability with verifying HMAC-based XML digital signatures in the
XML Digital Signature implementation included with the Java Runtime Environment
(JRE) may allow authentication to be bypassed:

1. Impact
A vulnerability with verifying HMAC-based XML digital signatures in the
XML Digital Signature implementation included with the Java Runtime
Environment (JRE) may allow authentication to be bypassed. This could
allow a user to forge an XML digital signature that would be accepted
as valid. Applications that validate HMAC-based XML digital signatures
may be vulnerable to this type of attack.
Note: This vulnerability cannot be exploited by an untrusted applet or
Java Web Start application.
This issue is also described in the following document:
CERT VU#466161 at: http://www.kb.cert.org/vuls/id/466161
CVE-2009-0217 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0217
Sun acknowledges, with thanks, Thomas Roessler from the W3C for
bringing this issue to our attention.
2. Contributing Factors
This issue can occur in the following Java SE and Java SE for Business
releases for Windows, Solaris, and Linux:
* JDK and JRE 6 Update 14 and earlier

Note: JDK and JRE 5.0, and SDK and JRE 1.4.2 and 1.3.1 are not affected
by this issue.
To determine the version of Java installed on a system, the following
command can be used:
% java -version
java version "1.5.0_17"

3. Symptoms
There are no reliable symptoms that would indicate the described issues
have been exploited.
4. Workaround
There is no workaround for this issue. Please see the Resolution
section below.
5. Resolution
This issue is addressed in the following Java SE and Java SE for
Business releases for Windows, Solaris, and Linux:
* JDK and JRE 6 Update 15 or later

Java SE releases are available at:

JDK and JRE 6 Update 15:
* http://java.sun.com/javase/downloads/index.jsp

JRE 6 Update 15:
* http://java.com/
* Through the Java Update tool for Microsoft Windows users

JDK 6 Update 15 for Solaris is available in the following patches:
* Java SE 6: update 15 (as delivered in patch 125136-16)
* Java SE 6: update 15 (as delivered in patch 125137-16 (64bit))
* Java SE 6_x86: update 15 (as delivered in patch 125138-16)
* Java SE 6_x86: update 15 (as delivered in patch 125139-16 (64bit))

Java SE for Business releases are available at:
* http://www.sun.com/software/javaseforbusiness/getit_download.jsp

Note: When installing a new version of the product from a source other
than a Solaris patch, it is recommended that the old affected versions
be removed from your system. To remove old affected versions on the
Windows platform, please see:
* http://www.java.com/en/download/help/5000010800.xml

For more information on Security Sun Alerts, see Technical Instruction
ID 213557.
This Sun Alert notification is being provided to you on an “AS IS”
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This
Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.
Attachments
This solution has no attachment
