Bug 47526 - XML signature HMAC truncation authentication bypass
Summary: XML signature HMAC truncation authentication bypass
Alias: None
Product: Security - Now in JIRA
Classification: Unclassified
Component: Signature (show other bugs)
Version: Java 1.4.2
Hardware: All All
: P1 critical
Target Milestone: ---
Assignee: XML Security Developers Mailing List
Depends on:
Reported: 2009-07-14 11:35 UTC by sean.mullan
Modified: 2009-07-14 11:54 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description sean.mullan 2009-07-14 11:35:20 UTC
Apache XML Security (Java) is affected by the vulnerability published in US-Cert VU #466161. See: http://www.kb.cert.org/vuls/id/466161 for more information. This bug can allow an attacker to bypass authentication by inserting/modifying a small HMAC truncation length parameter in the XML Signature HMAC based SignatureMethod algorithms.
Comment 1 sean.mullan 2009-07-14 11:54:12 UTC
Fixed in source code repository, will be released in v 1.4.3