Bug 47526 - XML signature HMAC truncation authentication bypass
XML signature HMAC truncation authentication bypass
Product: Security - Now in JIRA
Classification: Unclassified
Component: Signature
Java 1.4.2
All All
: P1 critical
: ---
Assigned To: XML Security Developers Mailing List
Depends on:
  Show dependency tree
Reported: 2009-07-14 11:35 UTC by sean.mullan
Modified: 2009-07-14 11:54 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description sean.mullan 2009-07-14 11:35:20 UTC
Apache XML Security (Java) is affected by the vulnerability published in US-Cert VU #466161. See: http://www.kb.cert.org/vuls/id/466161 for more information. This bug can allow an attacker to bypass authentication by inserting/modifying a small HMAC truncation length parameter in the XML Signature HMAC based SignatureMethod algorithms.
Comment 1 sean.mullan 2009-07-14 11:54:12 UTC
Fixed in source code repository, will be released in v 1.4.3