CVE-2009-0217 - 漏洞详情

CVE-2009-0217 (CNNVD-200907-205)

MEDIUM

中文标题:

IBM WebSphere Application Server安全漏洞

英文标题:

The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented i...

CVSS分数: 5.0

发布时间: 2009-07-14 23:00:00

漏洞类型: 其他

状态: PUBLISHED

数据质量分数: 0.30

数据版本: v3

漏洞描述

中文描述:

IBM WebSphere Application Server（WAS）是美国IBM公司的一款应用服务器产品。该产品是JavaEE和Web服务应用程序的平台，也是IBMWebSphere软件平台的基础。多款产品中存在安全漏洞。攻击者可利用该漏洞伪造基于HMAC的签名并绕过身份验证。以下产品及版本受到影响：Oracle Security Developer Tools（BEA Product Suite 10.3版本，10.0 MP1版本，9.2 MP3版本，9.1版本，9.0版本，8.1 SP6版本）；WebLogic Server（BEA Product Suite 10.3版本，10.0 MP1版本，9.2 MP3版本，9.1版本，9.0版本，8.1 SP6版本）；Mono 2.4.2.2之前版本；XML Security Library 1.2.12之前版本；IBM WebSphere Application Server 6.0至6.0.2.33版本，6.1至6.1.0.23版本，7.0至7.0.0.1版本；Sun JDK和JRE Update 14版本；Microsoft .NET Framework 3.0至3.0 SP2，3.5和4.0版本。

英文描述:

The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.

CWE类型:

（暂无数据）

受影响产品

厂商	产品	版本	版本范围	平台	CPE
ibm	websphere_application_server	6.0	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0:::::::*`
ibm	websphere_application_server	6.0.0.1	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.0.1:::::::*`
ibm	websphere_application_server	6.0.0.2	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.0.2:::::::*`
ibm	websphere_application_server	6.0.0.3	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.0.3:::::::*`
ibm	websphere_application_server	6.0.1	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.1:::::::*`
ibm	websphere_application_server	6.0.1.1	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.1.1:::::::*`
ibm	websphere_application_server	6.0.1.2	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.1.2:::::::*`
ibm	websphere_application_server	6.0.1.3	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.1.3:::::::*`
ibm	websphere_application_server	6.0.1.5	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.1.5:::::::*`
ibm	websphere_application_server	6.0.1.7	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.1.7:::::::*`
ibm	websphere_application_server	6.0.1.9	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.1.9:::::::*`
ibm	websphere_application_server	6.0.1.11	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.1.11:::::::*`
ibm	websphere_application_server	6.0.1.13	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.1.13:::::::*`
ibm	websphere_application_server	6.0.1.15	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.1.15:::::::*`
ibm	websphere_application_server	6.0.1.17	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.1.17:::::::*`
ibm	websphere_application_server	6.0.2	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.2:::::::*`
ibm	websphere_application_server	6.0.2.1	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.2.1:::::::*`
ibm	websphere_application_server	6.0.2.2	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.2.2:::::::*`
ibm	websphere_application_server	6.0.2.3	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.2.3:::::::*`
ibm	websphere_application_server	6.0.2.10	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.2.10:::::::*`
ibm	websphere_application_server	6.0.2.11	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.2.11:::::::*`
ibm	websphere_application_server	6.0.2.12	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.2.12:::::::*`
ibm	websphere_application_server	6.0.2.13	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.2.13:::::::*`
ibm	websphere_application_server	6.0.2.14	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.2.14:::::::*`
ibm	websphere_application_server	6.0.2.15	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.2.15:::::::*`
ibm	websphere_application_server	6.0.2.16	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.2.16:::::::*`
ibm	websphere_application_server	6.0.2.17	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.2.17:::::::*`
ibm	websphere_application_server	6.0.2.18	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.2.18:::::::*`
ibm	websphere_application_server	6.0.2.19	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.2.19:::::::*`
ibm	websphere_application_server	6.0.2.20	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.2.20:::::::*`
ibm	websphere_application_server	6.0.2.21	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.2.21:::::::*`
ibm	websphere_application_server	6.0.2.22	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.2.22:::::::*`
ibm	websphere_application_server	6.0.2.23	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.2.23:::::::*`
ibm	websphere_application_server	6.0.2.24	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.2.24:::::::*`
ibm	websphere_application_server	6.0.2.25	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.2.25:::::::*`
ibm	websphere_application_server	6.0.2.28	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.2.28:::::::*`
ibm	websphere_application_server	6.0.2.29	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.2.29:::::::*`
ibm	websphere_application_server	6.0.2.30	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.2.30:::::::*`
ibm	websphere_application_server	6.0.2.31	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.2.31:::::::*`
ibm	websphere_application_server	6.0.2.32	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.2.32:::::::*`
ibm	websphere_application_server	6.0.2.33	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.0.2.33:::::::*`
ibm	websphere_application_server	6.1	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.1:::::::*`
ibm	websphere_application_server	6.1.0	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.1.0:::::::*`
ibm	websphere_application_server	6.1.0.0	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.1.0.0:::::::*`
ibm	websphere_application_server	6.1.0.1	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.1.0.1:::::::*`
ibm	websphere_application_server	6.1.0.2	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.1.0.2:::::::*`
ibm	websphere_application_server	6.1.0.3	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.1.0.3:::::::*`
ibm	websphere_application_server	6.1.0.4	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.1.0.4:::::::*`
ibm	websphere_application_server	6.1.0.5	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.1.0.5:::::::*`
ibm	websphere_application_server	6.1.0.6	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.1.0.6:::::::*`
ibm	websphere_application_server	6.1.0.7	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.1.0.7:::::::*`
ibm	websphere_application_server	6.1.0.8	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.1.0.8:::::::*`
ibm	websphere_application_server	6.1.0.9	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.1.0.9:::::::*`
ibm	websphere_application_server	6.1.0.10	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.1.0.10:::::::*`
ibm	websphere_application_server	6.1.0.11	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.1.0.11:::::::*`
ibm	websphere_application_server	6.1.0.12	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.1.0.12:::::::*`
ibm	websphere_application_server	6.1.0.13	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.1.0.13:::::::*`
ibm	websphere_application_server	6.1.0.14	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.1.0.14:::::::*`
ibm	websphere_application_server	6.1.0.15	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.1.0.15:::::::*`
ibm	websphere_application_server	6.1.0.16	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.1.0.16:::::::*`
ibm	websphere_application_server	6.1.0.17	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.1.0.17:::::::*`
ibm	websphere_application_server	6.1.0.18	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.1.0.18:::::::*`
ibm	websphere_application_server	6.1.0.19	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.1.0.19:::::::*`
ibm	websphere_application_server	6.1.0.20	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.1.0.20:::::::*`
ibm	websphere_application_server	6.1.0.21	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.1.0.21:::::::*`
ibm	websphere_application_server	6.1.0.22	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.1.0.22:::::::*`
ibm	websphere_application_server	6.1.0.23	-	-	`cpe:2.3:a:ibm:websphere_application_server:6.1.0.23:::::::*`
ibm	websphere_application_server	7.0	-	-	`cpe:2.3:a:ibm:websphere_application_server:7.0:::::::*`
ibm	websphere_application_server	7.0.0.1	-	-	`cpe:2.3:a:ibm:websphere_application_server:7.0.0.1:::::::*`
mono_project	mono	1.2.1	-	-	`cpe:2.3:a:mono_project:mono:1.2.1:::::::*`
mono_project	mono	1.2.2	-	-	`cpe:2.3:a:mono_project:mono:1.2.2:::::::*`
mono_project	mono	1.2.3	-	-	`cpe:2.3:a:mono_project:mono:1.2.3:::::::*`
mono_project	mono	1.2.4	-	-	`cpe:2.3:a:mono_project:mono:1.2.4:::::::*`
mono_project	mono	1.2.5	-	-	`cpe:2.3:a:mono_project:mono:1.2.5:::::::*`
mono_project	mono	1.2.6	-	-	`cpe:2.3:a:mono_project:mono:1.2.6:::::::*`
mono_project	mono	1.9	-	-	`cpe:2.3:a:mono_project:mono:1.9:::::::*`
mono_project	mono	2.0	-	-	`cpe:2.3:a:mono_project:mono:2.0:::::::*`
oracle	application_server	10.1.2.3	-	-	`cpe:2.3:a:oracle:application_server:10.1.2.3:::::::*`
oracle	application_server	10.1.3.4	-	-	`cpe:2.3:a:oracle:application_server:10.1.3.4:::::::*`
oracle	application_server	10.1.4.3im	-	-	`cpe:2.3:a:oracle:application_server:10.1.4.3im:::::::*`
oracle	bea_product_suite	8.1	-	-	`cpe:2.3:a:oracle:bea_product_suite:8.1:sp6::::::`
oracle	bea_product_suite	9.0	-	-	`cpe:2.3:a:oracle:bea_product_suite:9.0:::::::*`
oracle	bea_product_suite	9.1	-	-	`cpe:2.3:a:oracle:bea_product_suite:9.1:::::::*`
oracle	bea_product_suite	9.2	-	-	`cpe:2.3:a:oracle:bea_product_suite:9.2:mp3::::::`
oracle	bea_product_suite	10.0	-	-	`cpe:2.3:a:oracle:bea_product_suite:10.0:mp1::::::`
oracle	bea_product_suite	10.3	-	-	`cpe:2.3:a:oracle:bea_product_suite:10.3:::::::*`
oracle	weblogic_server_component	8.1	-	-	`cpe:2.3:a:oracle:weblogic_server_component:8.1:sp6::::::`
oracle	weblogic_server_component	9.0	-	-	`cpe:2.3:a:oracle:weblogic_server_component:9.0:::::::*`
oracle	weblogic_server_component	9.1	-	-	`cpe:2.3:a:oracle:weblogic_server_component:9.1:::::::*`
oracle	weblogic_server_component	9.2	-	-	`cpe:2.3:a:oracle:weblogic_server_component:9.2:mp3::::::`
oracle	weblogic_server_component	10.0	-	-	`cpe:2.3:a:oracle:weblogic_server_component:10.0:mp1::::::`
oracle	weblogic_server_component	10.3	-	-	`cpe:2.3:a:oracle:weblogic_server_component:10.3:::::::*`

解决方案

中文解决方案:

（暂无数据）

英文解决方案:

（暂无数据）

临时解决方案:

（暂无数据）

参考链接

RHSA-2009:1428 vendor-advisory
cve.org

访问

ADV-2009-3122 vdb-entry
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

60799 third-party-advisory
cve.org

访问

GLSA-201408-19 vendor-advisory
cve.org

访问

PK80596 vendor-advisory
cve.org

访问

RHSA-2009:1200 vendor-advisory
cve.org

访问

35776 third-party-advisory
cve.org

访问

36162 third-party-advisory
cve.org

访问

36494 third-party-advisory
cve.org

访问

ADV-2009-2543 vdb-entry
cve.org

访问

35858 third-party-advisory
cve.org

访问

38695 third-party-advisory
cve.org

访问

269208 vendor-advisory
cve.org

访问

DSA-1995 vendor-advisory
cve.org

访问

HPSBUX02476 vendor-advisory
cve.org

访问

35853 third-party-advisory
cve.org

访问

RHSA-2009:1637 vendor-advisory
cve.org

访问

RHSA-2009:1694 vendor-advisory
cve.org

访问

35852 third-party-advisory
cve.org

访问

35854 third-party-advisory
cve.org

访问

34461 third-party-advisory
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

1020710 vendor-advisory
cve.org

访问

USN-903-1 vendor-advisory
cve.org

访问

35671 vdb-entry
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

ADV-2010-0366 vdb-entry
cve.org

访问

55907 vdb-entry
cve.org

访问

MDVSA-2009:209 vendor-advisory
cve.org

访问

SUSE-SA:2010:017 vendor-advisory
cve.org

访问

38567 third-party-advisory
cve.org

访问

FEDORA-2009-8329 vendor-advisory
cve.org

访问

263429 vendor-advisory
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

ADV-2009-1900 vdb-entry
cve.org

访问

1022561 vdb-entry
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

37671 third-party-advisory
cve.org

访问

VU#466161 third-party-advisory
cve.org

访问

1022567 vdb-entry
cve.org

访问

RHSA-2009:1636 vendor-advisory
cve.org

访问

PK80627 vendor-advisory
cve.org

访问

RHSA-2009:1649 vendor-advisory
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

TA09-294A third-party-advisory
cve.org

访问

ADV-2009-1909 vdb-entry
cve.org

访问

ADV-2010-0635 vdb-entry
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

38568 third-party-advisory
cve.org

访问

36180 third-party-advisory
cve.org

访问

FEDORA-2009-8456 vendor-advisory
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

USN-826-1 vendor-advisory
cve.org

访问

37841 third-party-advisory
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

35855 third-party-advisory
cve.org

访问

FEDORA-2009-8473 vendor-advisory
cve.org

访问

36176 third-party-advisory
cve.org

访问

oval:org.mitre.oval:def:7158 vdb-entry
cve.org

访问

无标题 x_refsource_MISC
cve.org

访问

ADV-2009-1908 vdb-entry
cve.org

访问

FEDORA-2009-8337 vendor-advisory
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

41818 third-party-advisory
cve.org

访问

1022661 vdb-entry
cve.org

访问

37300 third-party-advisory
cve.org

访问

ADV-2009-1911 vdb-entry
cve.org

访问

APPLE-SA-2009-09-03-1 vendor-advisory
cve.org

访问

SUSE-SA:2009:053 vendor-advisory
cve.org

访问

oval:org.mitre.oval:def:8717 vdb-entry
cve.org

访问

RHSA-2009:1201 vendor-advisory
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

TA10-159B third-party-advisory
cve.org

访问

oval:org.mitre.oval:def:10186 vdb-entry
cve.org

访问

55895 vdb-entry
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

MS10-041 vendor-advisory
cve.org

访问

38921 third-party-advisory
cve.org

访问

RHSA-2009:1650 vendor-advisory
cve.org

访问

无标题 x_refsource_CONFIRM
cve.org

访问

CVSS评分详情

5.0

MEDIUM

CVSS向量: AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS版本: 2.0

机密性

NONE

完整性

PARTIAL

可用性

NONE

时间信息

发布时间:

2009-07-14 23:00:00

修改时间:

2024-08-07 04:24:18

创建时间:

2025-11-11 15:32:59

更新时间:

2025-11-11 15:49:36

利用信息

暂无可利用代码信息

数据源详情

数据源	记录ID	版本	提取时间
CVE	`cve_CVE-2009-0217`	2025-11-11 15:18:08	2025-11-11 07:32:59
NVD	`nvd_CVE-2009-0217`	2025-11-11 14:53:00	2025-11-11 07:41:46
CNNVD	`cnnvd_CNNVD-200907-205`	2025-11-11 15:09:06	2025-11-11 07:49:36

版本与语言

当前版本: v3

主要语言: EN

支持语言:

EN ZH

安全公告

暂无安全公告信息

变更历史

v3 CNNVD

2025-11-11 15:49:36

vulnerability_type: 未提取 → 其他; cnnvd_id: 未提取 → CNNVD-200907-205; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']

查看详细变更

vulnerability_type: 未提取 -> 其他
cnnvd_id: 未提取 -> CNNVD-200907-205
data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']

v2 NVD

2025-11-11 15:41:46

cvss_score: 未提取 → 5.0; cvss_vector: NOT_EXTRACTED → AV:N/AC:L/Au:N/C:N/I:P/A:N; cvss_version: NOT_EXTRACTED → 2.0; affected_products_count: 0 → 92; references_count: 87 → 86; data_sources: ['cve'] → ['cve', 'nvd']

查看详细变更

cvss_score: 未提取 -> 5.0
cvss_vector: NOT_EXTRACTED -> AV:N/AC:L/Au:N/C:N/I:P/A:N
cvss_version: NOT_EXTRACTED -> 2.0
affected_products_count: 0 -> 92
references_count: 87 -> 86
data_sources: ['cve'] -> ['cve', 'nvd']

CVE-2009-0217 (CNNVD-200907-205)

中文标题:

IBM WebSphere Application Server安全漏洞

英文标题:

The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented i...

漏洞描述

中文描述:

英文描述:

CWE类型:

标签:

受影响产品

解决方案

中文解决方案:

英文解决方案:

临时解决方案:

参考链接

CVSS评分详情

时间信息

利用信息

数据源详情

版本与语言

安全公告

变更历史