Bug 47526

Summary: XML signature HMAC truncation authentication bypass
Product: Security - Now in JIRA
Reporter: sean.mullan
Component: Signature
Assignee: XML Security Developers Mailing List <security-dev>
Status: RESOLVED FIXED    
Severity: critical    
Priority: P1    
Version: Java 1.4.2   
Target Milestone: ---   
Hardware: All   
OS: All   

Description sean.mullan 2009-07-14 11:35:20 UTC
Apache XML Security (Java) is affected by the vulnerability published in US-CERT VU #466161. See: http://www.kb.cert.org/vuls/id/466161 for more information. This bug can allow an attacker to bypass authentication by inserting/modifying a small HMAC truncation length parameter in the XML Signature HMAC-based SignatureMethod algorithms.

Comment 1 sean.mullan 2009-07-14 11:54:12 UTC
Fixed in source code repository, will be released in v 1.4.3
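
The truncation check the description calls for, as an added Python example (not Apache XML Security code and not the project's fix): a verifier that reads HMACOutputLength from SignatureMethod and enforces the W3C XML Signature floor of at least 80 bits and at least half the hash output. The function names, the `enforce_floor` switch and the sample SignedInfo are constructed for illustration, and canonicalization is skipped for brevity.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
DIGESTS = {
    "http://www.w3.org/2000/09/xmldsig#hmac-sha1": hashlib.sha1,
    "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256": hashlib.sha256,
}


def signed_info(output_length=None):
    """Build a constructed SignedInfo; not captured from any real message."""
    trunc = "" if output_length is None else (
        f"<HMACOutputLength>{output_length}</HMACOutputLength>")
    return (
        '<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
        '<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">'
        f"{trunc}</SignatureMethod></SignedInfo>"
    ).encode()


def verify(key, signed_info_xml, mac, enforce_floor=True):
    """Check a (possibly truncated) HMAC over SignedInfo.

    Simplification (assumption): MACs the raw bytes, not the canonical form.
    enforce_floor=False models a verifier that trusts the document's length.
    """
    method = ET.fromstring(signed_info_xml).find(DSIG + "SignatureMethod")
    digest = DIGESTS[method.get("Algorithm")]
    full_bits = digest().digest_size * 8
    node = method.find(DSIG + "HMACOutputLength")
    bits = full_bits if node is None else int(node.text.strip())
    if bits % 8 or not 0 <= bits <= full_bits:
        raise ValueError("malformed HMACOutputLength")
    # Floor from the W3C XML Signature spec: at least 80 bits and at least
    # half the hash output. Without it the sender chooses the MAC strength.
    if enforce_floor and bits < max(80, full_bits // 2):
        raise ValueError(f"HMACOutputLength {bits} is below the minimum")
    expected = hmac.new(key, signed_info_xml, digest).digest()[: bits // 8]
    return len(mac) == bits // 8 and hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    si = signed_info(0)
    # With no floor, a zero-length MAC matches under any key.
    print(verify(b"any-key", si, b"", enforce_floor=False))
```

With the floor enforced, the same zero-length document raises `ValueError` before any MAC comparison happens.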