The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Apache Santuario XML Security for Java

vulnerability alert CVE-2014-8152

Apache Santuario XML Security for Java: incorrect check of Streaming XML Signature

Synthesis of the vulnerability

An attacker can create a malicious XML document that the StAX signature verification of Apache Santuario XML Security for Java accepts as correctly signed.
Impacted products: Apache XML Security for Java.
Severity: 3/4.
Consequences: user access/rights, data flow.
Provenance: document.
Creation date: 19/01/2015.
Identifiers: CVE-2014-8152, VIGILANCE-VUL-16001.

Description of the vulnerability

The Apache Santuario XML Security for Java product, version 2, implements Streaming XML Signature (StAX), which verifies the signature of a document while reading it progressively (through a Stream Reader).

However, the XML document can be altered without the StAX signature verification function detecting the change.

An attacker can therefore create a malicious XML document that the StAX signature verification of Apache Santuario XML Security for Java accepts as correctly signed.

vulnerability note CVE-2009-0217

XML: bypassing signature

Synthesis of the vulnerability

The XMLDsig recommendation allows an attacker to bypass the signature of an XML document.
Impacted products: Apache XML Security for Java, Debian, Fedora, HP-UX, WebSphere AS Traditional, Mandriva Linux, .NET Framework, Windows 2000, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP, Java OpenJDK, Oracle GlassFish Server, Java Oracle, RHEL, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: data creation/edition, data flow.
Provenance: document.
Creation date: 15/07/2009.
Identifiers: 269208, 47526, 6868619, 981343, BID-35671, CVE-2009-0217, DSA-1849-1, FEDORA-2009-8121, FEDORA-2009-8157, FEDORA-2009-8456, FEDORA-2009-8473, HPSBUX02476, MDVSA-2009:267, MDVSA-2009:268, MDVSA-2009:269, MDVSA-2009:318, MDVSA-2009:322, MS10-041, PK80596, PK80627, RHSA-2009:1428-01, SSRT090250, VIGILANCE-VUL-8864, VU#466161.

Description of the vulnerability

The W3C XMLDsig (XML Signature Syntax and Processing) recommendation indicates how to sign XML documents.

HMAC algorithms are used to sign a document, with a key and a hash algorithm.

The XMLDsig ds:HMACOutputLength parameter indicates how many leading bits of the HMAC output form the signature value. The recipient of the XML document therefore compares only those first bits of the hash.

However, the specification does not define a minimum size. An attacker can therefore send a document signed with a ds:HMACOutputLength value of one, in order to force the recipient to check only one bit.

Several XMLDsig implementations honour the recommendation as written and do not impose a minimum. These implementations are thus vulnerable.
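The following added example (not code from the bulletin or from any XMLDsig implementation) shows the truncation check in the two forms described above: a verifier that honours any ds:HMACOutputLength, and a hardened verifier that rejects lengths below a minimum. The key, document and the 80-bit minimum are assumptions for illustration.

```python
import hmac
import hashlib

# Constructed sample values (not from the bulletin).
KEY = b"constructed-shared-secret"
DOCUMENT = b"<Order><Amount>100</Amount></Order>"

def truncated_hmac(key: bytes, data: bytes, output_bits: int) -> bytes:
    """Leading output_bits of HMAC-SHA1, as ds:HMACOutputLength selects them."""
    mac = hmac.new(key, data, hashlib.sha1).digest()
    nbytes = (output_bits + 7) // 8
    head = bytearray(mac[:nbytes])
    unused = nbytes * 8 - output_bits
    if unused:
        head[-1] &= (0xFF << unused) & 0xFF  # clear bits beyond output_bits
    return bytes(head)

def verify_per_recommendation(key: bytes, data: bytes, sig: bytes, output_bits: int) -> bool:
    """Verifier that accepts any HMACOutputLength, as the vulnerable implementations did.
    With output_bits == 1 the signature space has two values, so a forged
    signature is accepted half the time without any knowledge of the key."""
    return hmac.compare_digest(truncated_hmac(key, data, output_bits), sig)

# Assumed policy: never accept fewer than 80 bits, nor fewer than half the digest.
MIN_OUTPUT_BITS = 80

def verify_hardened(key: bytes, data: bytes, sig: bytes, output_bits: int,
                    digest_bits: int = 160) -> bool:
    """Same comparison, but a too-short HMACOutputLength is rejected outright."""
    if output_bits < max(MIN_OUTPUT_BITS, digest_bits // 2):
        return False
    return verify_per_recommendation(key, data, sig, output_bits)

if __name__ == "__main__":
    full = truncated_hmac(KEY, DOCUMENT, 160)
    print("full-length signature accepted:", verify_hardened(KEY, DOCUMENT, full, 160))
    # Either one-bit value verifies under the permissive check; the hardened check refuses both.
    for guess in (b"\x00", b"\x80"):
        print(guess.hex(), verify_per_recommendation(KEY, DOCUMENT, guess, 1),
              verify_hardened(KEY, DOCUMENT, guess, 1))
```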
