7.5 - GLSA-201206-13

Executive Summary

Summary
Title	Mono: Multiple vulnerabilities

Informations
Name	GLSA-201206-13	First vendor Publication	2012-06-21
Vendor	Gentoo	Last vendor Modification	2012-06-21
Severity (Vendor)	High	Revision	N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score	7.5	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Synopsis

Multiple vulnerabilities were found in Mono, the worst of which allowing for the remote execution of arbitrary code.

Background

Mono is an open source implementation of Microsoft's .NET Framework.

Description

Multiple vulnerabilities have been discovered in Mono and Mono debugger. Please review the CVE identifiers referenced below for details.

Impact

A remote attacker could execute arbitrary code, bypass general constraints, obtain the source code for .aspx applications, obtain other sensitive information, cause a Denial of Service, modify internal data structures, or corrupt the internal state of the security manager.

A local attacker could entice a user into running Mono debugger in a directory containing a specially crafted library file to execute arbitrary code with the privileges of the user running Mono debugger.

A context-dependant attacker could bypass the authentication mechanism provided by the XML Signature specification.

Workaround

There is no known workaround at this time.

Resolution

All Mono debugger users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=dev-util/mono-debugger-2.8.1-r1"

All Mono users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/mono-2.10.2-r1"

References

[ 1 ] CVE-2009-0217 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0217
[ 2 ] CVE-2010-3332 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3332
[ 3 ] CVE-2010-3369 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3369
[ 4 ] CVE-2010-4159 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4159
[ 5 ] CVE-2010-4225 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4225
[ 6 ] CVE-2010-4254 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4254
[ 7 ] CVE-2011-0989 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0989
[ 8 ] CVE-2011-0990 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0990
[ 9 ] CVE-2011-0991 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0991
[ 10 ] CVE-2011-0992 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0992

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201206-13.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-201206-13.xml

CWE : Common Weakness Enumeration

%	Id	Name
29 %	CWE-399	Resource Management Errors
14 %	CWE-362	Race Condition
14 %	CWE-264	Permissions, Privileges, and Access Controls
14 %	CWE-209	Information Exposure Through an Error Message
14 %	CWE-200	Information Exposure
14 %	CWE-20	Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10186

Oval ID:	oval:org.mitre.oval:def:10186
Title:	The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.
Description:	The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2009-0217	Version:	5
Platform(s):	Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5	Product(s):
Definition Synopsis:
OS Section: RHEL4, CentOS4, Oracle Linux 4 RHEL4, CentOS4 or Oracle Linux 4 The operating system installed on the system is Red Hat Enterprise Linux 4 AND CentOS Linux 4.x AND Oracle Linux 4.x AND Configuration section xmlsec1-openssl is earlier than 0:1.2.6-3.1 AND xmlsec1 is earlier than 0:1.2.6-3.1 AND xmlsec1-devel is earlier than 0:1.2.6-3.1 AND xmlsec1-openssl-devel is earlier than 0:1.2.6-3.1 OR OS Section: RHEL5, CentOS5, Oracle Linux 5 RHEL5, CentOS5 or Oracle Linux 5 The operating system installed on the system is Red Hat Enterprise Linux 5 AND CentOS Linux 5.x AND Oracle Linux 5.x AND Configuration section xmlsec1-nss-devel is earlier than 0:1.2.9-8.1.1 AND xmlsec1-gnutls is earlier than 0:1.2.9-8.1.1 AND xmlsec1-openssl is earlier than 0:1.2.9-8.1.1 AND xmlsec1-gnutls-devel is earlier than 0:1.2.9-8.1.1 AND xmlsec1-devel is earlier than 0:1.2.9-8.1.1 AND java-1.6.0-openjdk-devel is earlier than 1:1.6.0.0-1.2.b09.el5 AND java-1.6.0-openjdk is earlier than 1:1.6.0.0-1.2.b09.el5 AND java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.0-1.2.b09.el5 AND java-1.6.0-openjdk-src is earlier than 1:1.6.0.0-1.2.b09.el5 AND xmlsec1 is earlier than 0:1.2.9-8.1.1 AND xmlsec1-nss is earlier than 0:1.2.9-8.1.1 AND java-1.6.0-openjdk-demo is earlier than 1:1.6.0.0-1.2.b09.el5 AND xmlsec1-openssl-devel is earlier than 0:1.2.9-8.1.1

Definition Id: oval:org.mitre.oval:def:12365

Oval ID:	oval:org.mitre.oval:def:12365
Title:	ASP.NET Padding Oracle Vulnerability
Description:	Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability."
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2010-3332	Version:	11
Platform(s):	Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows 7	Product(s):	Microsoft .NET Framework
Definition Synopsis:
.NET Framework 1.1 SP1 KB2416447 OS section Microsoft Windows XP (32-bit) is installed AND Microsoft Windows XP x64 is installed AND Microsoft Windows Server 2003 (x64) is installed AND Microsoft Windows Server 2003 (ia64) Gold is installed AND Microsoft Windows Vista (32-bit) is installed AND Microsoft Windows Vista x64 Edition is installed AND Microsoft Windows Server 2008 (32-bit) is installed AND Microsoft Windows Server 2008 (64-bit) is installed AND Microsoft Windows Server 2008 (ia-64) is installed AND Microsoft .NET Framework 1.1 Service Pack 1 is Installed AND the version of Mscorlib.dll is less than 1.1.4322.2470 OR .NET Framework 2.0 SP2 and .NET Framework 3.5 SP1. Must include 2.0 SP2 if 3.5 SP1 is installed KB2418241 XP x86/x64, Server 2003 x86/x64/ia64 Microsoft Windows XP (32-bit) is installed AND Microsoft Windows XP x64 is installed AND Microsoft Windows Server 2003 (32-bit) is installed AND Microsoft Windows Server 2003 (x64) is installed AND Microsoft Windows Server 2003 (ia64) Gold is installed AND Microsoft .NET Framework 2.0 Service Pack 2 is installed AND GDR or LDR Service branch the version of System.Web.dll is less than 2.0.50727.3618 OR LDR the version of System.Web.dll is greater than or equal to 2.0.50727.5000 AND the version of System.Web.dll is less than 2.0.50727.5053 OR .NET Framework 2.0 SP1 or .NET Framework 3.5 KB2416468 XP x86/x64, Server 2003 x86/x64/ia64 Microsoft Windows XP (32-bit) is installed AND Microsoft Windows XP x64 is installed AND Microsoft Windows Server 2003 (32-bit) is installed AND Microsoft Windows Server 2003 (x64) is installed AND Microsoft Windows Server 2003 (ia64) Gold is installed AND .NET Framework 2.0/3.5 Microsoft .NET Framework 2.0 Service Pack 1 is installed AND Microsoft .NET Framework 3.5 Original Release is installed AND the version of System.Web.dll is less than 2.0.50727.1887 OR .NET Framework 3.5 KB2418240 OS section Microsoft Windows XP (32-bit) is installed AND Microsoft Windows XP x64 is installed AND Microsoft Windows Server 2003 (32-bit) is installed AND Microsoft Windows Server 2003 (x64) is installed AND Microsoft Windows Server 2003 (ia64) Gold is installed AND Microsoft Windows Vista (32-bit) is installed AND Microsoft Windows Vista x64 Edition is installed AND Microsoft Windows Server 2008 (32-bit) is installed AND Microsoft Windows Server 2008 (64-bit) is installed AND Microsoft Windows Server 2008 (ia-64) is installed AND Microsoft .NET Framework 3.5 Original Release is installed AND the version of System.Web.Extensions.dll is less than 3.5.21022.239 OR .NET Framework 3.5 SP1 KB2416473 OS section Microsoft Windows XP (32-bit) is installed AND Microsoft Windows XP x64 is installed AND Microsoft Windows Server 2003 (32-bit) is installed AND Microsoft Windows Server 2003 (x64) is installed AND Microsoft Windows Server 2003 (ia64) Gold is installed AND Microsoft Windows Vista (32-bit) is installed AND Microsoft Windows Vista x64 Edition is installed AND Microsoft Windows Server 2008 (32-bit) is installed AND Microsoft Windows Server 2008 (64-bit) is installed AND Microsoft Windows Server 2008 (ia-64) is installed AND Microsoft .NET Framework 3.5 SP1 is installed AND GDR or LDR Service branch the version of System.Web.Extensions.dll is less than 3.5.30729.3644 OR LDR the version of System.Web.Extensions.dll is greater than or equal to 3.5.30729.5000 AND the version of System.Web.Extensions.dll is less than 3.5.30729.5053 OR .NET Framework 4.0 (Full) KB2416472 OS section Microsoft Windows XP (32-bit) is installed AND Microsoft Windows XP x64 is installed AND Microsoft Windows Server 2003 (32-bit) is installed AND Microsoft Windows Server 2003 (x64) is installed AND Microsoft Windows Server 2003 (ia64) Gold is installed AND Microsoft Windows Vista (32-bit) is installed AND Microsoft Windows Vista x64 Edition is installed AND Microsoft Windows Server 2008 (32-bit) is installed AND Microsoft Windows Server 2008 (64-bit) is installed AND Microsoft Windows Server 2008 (ia-64) is installed AND Microsoft Windows 7 (32-bit) is installed AND Microsoft Windows 7 x64 Edition is installed AND Microsoft Windows Server 2008 R2 x64 Edition is installed AND Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed AND Microsoft .NET Framework 4.0 Full is installed AND GDR or LDR Service branch the version of System.Web.dll is less than 4.0.30319.206 OR LDR the version of System.Web.dll is greater than or equal to 4.0.30319.300 AND the version of System.Web.dll is less than 4.0.30319.363 OR .NET Framework 2.0 SP1 and .NET Framework 3.5 KB2416469 Vista x86/x64, Server 2008 x86/x64/ia64 Microsoft Windows Vista (32-bit) is installed AND Microsoft Windows Vista x64 Edition is installed AND Microsoft Windows Server 2008 (32-bit) is installed AND Microsoft Windows Server 2008 (64-bit) is installed AND Microsoft Windows Server 2008 (ia-64) is installed AND Microsoft .NET Framework 2.0 Service Pack 1 is installed AND the version of System.Web.dll is less than 2.0.50727.1887 OR .NET Framework 2.0 SP2 and .NET Framework 3.5 SP1 KB2416474 Vista x86/x64, Server 2008 x86/x64/ia64 Microsoft Windows Vista (32-bit) is installed AND Microsoft Windows Vista x64 Edition is installed AND Microsoft Windows Server 2008 (32-bit) is installed AND Microsoft Windows Server 2008 (64-bit) is installed AND Microsoft Windows Server 2008 (ia-64) is installed AND Microsoft .NET Framework 2.0 Service Pack 2 is installed AND GDR or LDR Service branch the version of System.Web.dll is less than 2.0.50727.3618 OR LDR the version of System.Web.dll is greater than or equal to 2.0.50727.5000 AND the version of System.Web.dll is less than 2.0.50727.5053 OR .NET Framework 2.0 SP2, .NET Framework 3.5 and .NET Framework 3.5 SP1 KB2416470 Vista x86/x64, Server 2008 x86/x64/ia64 Microsoft Windows Vista (32-bit) is installed AND Microsoft Windows Vista x64 Edition is installed AND Microsoft Windows Server 2008 (32-bit) is installed AND Microsoft Windows Server 2008 (64-bit) is installed AND Microsoft Windows Server 2008 (ia-64) is installed AND Microsoft .NET Framework 2.0 Service Pack 2 is installed AND GDR or LDR Service branch the version of System.Web.dll is less than 2.0.50727.4209 OR LDR the version of System.Web.dll is greater than or equal to 2.0.50727.5000 AND the version of System.Web.dll is less than 2.0.50727.5053 OR .NET Framework 3.5.1 KB2416471 7 x86/x64, Server 2008 R2 x64/ia64 Microsoft Windows 7 (32-bit) is installed AND Microsoft Windows 7 x64 Edition is installed AND Microsoft Windows Server 2008 R2 x64 Edition is installed AND Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed AND Microsoft .NET Framework 3.5 SP1 is installed AND GDR or LDR Service branch the version of System.web.dll is less than 2.0.50727.4955 OR LDR the version of System.Web.dll is greater than or equal to 2.0.50727.5000 AND the version of System.Web.dll is less than 2.0.50727.5053

Definition Id: oval:org.mitre.oval:def:13798

Oval ID:	oval:org.mitre.oval:def:13798
Title:	DSA-1849-1 xml-security-c -- design flaw
Description:	It was discovered that the W3C XML Signature recommendation contains a protocol-level vulnerability related to HMAC output truncation. This update implements the proposed workaround in the C++ version of the Apache implementation of this standard, xml-security-c, by preventing truncation to output strings shorter than 80 bits or half of the original HMAC output, whichever is greater. For the old stable distribution, this problem has been fixed in version 1.2.1-3+etch1. For the stable distribution, this problem has been fixed in version 1.4.0-3+lenny2. For the unstable distribution, this problem has been fixed in version 1.4.0-4. We recommend that you upgrade your xml-security-c packages.
Family:	unix	Class:	patch
Reference(s):	DSA-1849-1 CVE-2009-0217	Version:	5
Platform(s):	Debian GNU/Linux 5.0 Debian GNU/Linux 4.0	Product(s):	xml-security-c
Definition Synopsis:
Release section Debian GNU/Linux 5.0 is installed AND Supported architectures section Installed architecture is s390 AND Installed architecture is amd64 AND Installed architecture is sparc AND Installed architecture is arm AND Installed architecture is i386 AND Installed architecture is armel AND Installed architecture is mips AND Installed architecture is ia64 AND Installed architecture is alpha AND Installed architecture is powerpc AND Installed architecture is mipsel AND Installed architecture is hppa AND Packages section libxml-security-c-dev DPKG is earlier than 1.4.0-3+lenny2 AND libxml-security-c14 DPKG is earlier than 1.4.0-3+lenny2 OR Release section Debian GNU/Linux 4.0 is installed. AND Architecture section Architecture independent section Installed architecture is all AND libxml-security-c-doc DPKG is earlier than 1.2.1-3+etch1 AND libxml-security-c12 DPKG is earlier than 1.2.1-3+etch1 AND libxml-security-c-dev DPKG is earlier than 1.2.1-3+etch1

Definition Id: oval:org.mitre.oval:def:17863

Oval ID:	oval:org.mitre.oval:def:17863
Title:	USN-1517-1 -- mono vulnerabilities
Description:	Mono could be made to expose sensitive information over the network.
Family:	unix	Class:	patch
Reference(s):	USN-1517-1 CVE-2012-3382 CVE-2010-4159	Version:	7
Platform(s):	Ubuntu 12.04 Ubuntu 11.10 Ubuntu 11.04 Ubuntu 10.04	Product(s):	mono
Definition Synopsis:
Release section Ubuntu 12.04 is installed Packages match section libmono-system-web2.0-cil DPKG is earlier than 2.10.8.1-1ubuntu2.2 AND libmono-system-web4.0-cil DPKG is earlier than 2.10.8.1-1ubuntu2.2 AND Release section Ubuntu 11.10 is installed Packages match section libmono-system-web2.0-cil DPKG is earlier than 2.10.5-1ubuntu0.1 AND libmono-system-web4.0-cil DPKG is earlier than 2.10.5-1ubuntu0.1 AND Release section Ubuntu 11.04 is installed Packages match section libmono-system-web1.0-cil DPKG is earlier than 2.6.7-5ubuntu3.1 AND libmono-system-web2.0-cil DPKG is earlier than 2.6.7-5ubuntu3.1 AND Release section Ubuntu 10.04 is installed Packages match section libmono-system-web1.0-cil DPKG is earlier than 2.4.4~svn151842-1ubuntu4.1 AND libmono-system-web2.0-cil DPKG is earlier than 2.4.4~svn151842-1ubuntu4.1

Definition Id: oval:org.mitre.oval:def:22980

Oval ID:	oval:org.mitre.oval:def:22980
Title:	ELSA-2009:1428: xmlsec1 security update (Moderate)
Description:	The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.
Family:	unix	Class:	patch
Reference(s):	ELSA-2009:1428-01 CVE-2009-0217	Version:	6
Platform(s):	Oracle Linux 5	Product(s):	xmlsec1
Definition Synopsis:
Oracle Linux 5.x rpm test xmlsec1-nss-devel is earlier than 0:1.2.9-8.1.1 AND xmlsec1-openssl is earlier than 0:1.2.9-8.1.1 AND xmlsec1-nss is earlier than 0:1.2.9-8.1.1 AND xmlsec1-gnutls is earlier than 0:1.2.9-8.1.1 AND xmlsec1 is earlier than 0:1.2.9-8.1.1 AND xmlsec1-gnutls-devel is earlier than 0:1.2.9-8.1.1 AND xmlsec1-openssl-devel is earlier than 0:1.2.9-8.1.1 AND xmlsec1-devel is earlier than 0:1.2.9-8.1.1

Definition Id: oval:org.mitre.oval:def:29320

Oval ID:	oval:org.mitre.oval:def:29320
Title:	RHSA-2009:1428 -- xmlsec1 security update (Moderate)
Description:	Updated xmlsec1 packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The XML Security Library is a C library based on libxml2 and OpenSSL. It implements the XML Signature Syntax and Processing and XML Encryption Syntax and Processing standards. HMAC is used for message authentication using cryptographic hash functions. The HMAC algorithm allows the hash output to be truncated (as documented in RFC 2104).
Family:	unix	Class:	patch
Reference(s):	RHSA-2009:1428 CESA-2009:1428-CentOS 5 CVE-2009-0217	Version:	3
Platform(s):	Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 CentOS Linux 5	Product(s):	xmlsec1
Definition Synopsis:
Red Hat Enterprise Linux 5 and CentOS Linux 5 release section Operation system section The operating system installed on the system is Red Hat Enterprise Linux 5 AND The operating system installed on the system is CentOS Linux 5.x Packages match section xmlsec1-devel is earlier than 0:1.2.9-8.1.1 AND xmlsec1-gnutls-devel is earlier than 0:1.2.9-8.1.1 AND xmlsec1-nss-devel is earlier than 0:1.2.9-8.1.1 AND xmlsec1-openssl-devel is earlier than 0:1.2.9-8.1.1 AND xmlsec1 is earlier than 0:1.2.9-8.1.1 AND xmlsec1-gnutls is earlier than 0:1.2.9-8.1.1 AND xmlsec1-nss is earlier than 0:1.2.9-8.1.1 AND xmlsec1-openssl is earlier than 0:1.2.9-8.1.1 AND Red Hat Enterprise Linux 4 release section The operating system installed on the system is Red Hat Enterprise Linux 4 Packages match section xmlsec1 is earlier than 0:1.2.6-3.1 AND xmlsec1-devel is earlier than 0:1.2.6-3.1 AND xmlsec1-openssl is earlier than 0:1.2.6-3.1 AND xmlsec1-openssl-devel is earlier than 0:1.2.6-3.1

Definition Id: oval:org.mitre.oval:def:7158

Oval ID:	oval:org.mitre.oval:def:7158
Title:	XML Signature HMAC Truncation Authentication Bypass Vulnerability
Description:	The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2009-0217	Version:	11
Platform(s):	Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2	Product(s):	Microsoft .NET Framework
Definition Synopsis:
.NET Framework 1.1 SP1 For OS Check Microsoft Windows 2000 is installed AND Microsoft Windows XP (32-bit) is installed AND Microsoft Windows XP x64 is installed AND Microsoft Windows Server 2003 (x64) is installed AND Microsoft Windows Server 2003 (ia64) Gold is installed AND Microsoft Windows Vista (32-bit) is installed AND Microsoft Windows Vista x64 Edition is installed AND Microsoft Windows Server 2008 (32-bit) is installed AND Microsoft Windows Server 2008 (64-bit) is installed AND Microsoft Windows Server 2008 (ia-64) is installed AND Microsoft .NET Framework 1.1 Service Pack 1 is Installed AND the version of Mscorlib.dll is less than 1.1.4322.2463 OR .NET Framework 1.1 Service Pack 1 Microsoft Windows Server 2003 (32-bit) is installed AND Microsoft .NET Framework 1.1 Service Pack 1 is Installed AND the version of System.Security.dll is less than 1.1.4322.2460 OR .NET Framework 3.5 For OS Check Microsoft Windows Vista (32-bit) is installed AND Microsoft Windows Vista x64 Edition is installed AND Microsoft Windows Server 2008 (32-bit) is installed AND Microsoft Windows Server 2008 (64-bit) is installed AND Microsoft Windows Server 2008 (ia-64) is installed AND Microsoft .NET Framework 3.5 Original Release is installed AND System.web.dll version is less than 2.0.50727.1878 OR .NET Framework 2.0 SP2 or 3.5 SP1 For OS Check Microsoft Windows 2000 is installed AND Microsoft Windows XP (32-bit) is installed AND Microsoft Windows XP x64 is installed AND Microsoft Windows Server 2003 (32-bit) is installed AND Microsoft Windows Server 2003 (x64) is installed AND Microsoft Windows Server 2003 (ia64) Gold is installed AND Microsoft Windows Vista (32-bit) is installed AND Microsoft Windows Vista x64 Edition is installed AND Microsoft Windows Server 2008 (32-bit) is installed AND Microsoft Windows Server 2008 (64-bit) is installed AND Microsoft Windows Server 2008 (ia-64) is installed AND Check for Microsoft .NET Framework 2.0 Service Pack 2 or 3.5 SP1 Microsoft .NET Framework 2.0 Service Pack 2 is installed AND Microsoft .NET Framework 3.5 SP1 is installed AND Check for GDR and LDR versions the version of System.Security.dll is less than 2.0.50727.3613 OR Check for LDR version Check if System.Security.dll version is greater than or equal to 2.0.50727.4000 AND Check if System.Security.dll version is less than 2.0.50727.4434 OR .NET Framework 3.5 For OS Check Microsoft Windows XP (32-bit) is installed AND Microsoft Windows XP x64 is installed AND Microsoft Windows Server 2003 (32-bit) is installed AND Microsoft Windows Server 2003 (x64) is installed AND Microsoft Windows Server 2003 (ia64) Gold is installed AND Microsoft .NET Framework 3.5 Original Release is installed AND the version of System.Security.dll is less than 2.0.50727.1879 OR .NET Framework 3.5 SP1 on Vista x86/x64, Windows Server 2008 x86/x64/ia64 For OS Check Microsoft Windows Vista (32-bit) is installed AND Microsoft Windows Vista x64 Edition is installed AND Microsoft Windows Server 2008 (32-bit) is installed AND Microsoft Windows Server 2008 (64-bit) is installed AND Microsoft Windows Server 2008 (ia-64) is installed AND Microsoft .NET Framework 3.5 SP1 is installed AND Check for GDR and LDR versions the version of system.security.dll is less than 2.0.50727.4204 OR Check for LDR versions Check if System.Security.dll version is greater than or equal to 2.0.50727.4300 AND Check if System.Security.dll version is less than 2.0.50727.4434 OR Microsoft .NET Framework 3.5.1 on Windows 7 x86/x64, Server 2008 R2 x64/ia64 For OS Check Microsoft Windows 7 (32-bit) is installed AND Microsoft Windows 7 x64 Edition is installed AND Microsoft Windows Server 2008 R2 x64 Edition is installed AND Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed AND Microsoft .NET Framework 3.5 SP1 is installed AND Check for GDR and LDR versions the version of system.security.dll is less than 2.0.50727.4951 OR Check for LDR versions Check if System.Security.dll version is greater than or equal to 2.0.50727.5000 AND Check if system.security.dll version is less than 2.0.50727.5007

Definition Id: oval:org.mitre.oval:def:7932

Oval ID:	oval:org.mitre.oval:def:7932
Title:	DSA-1849 xml-security-c -- design flaw
Description:	It was discovered that the W3C XML Signature recommendation contains a protocol-level vulnerability related to HMAC output truncation. This update implements the proposed workaround in the C++ version of the Apache implementation of this standard, xml-security-c, by preventing truncation to output strings shorter than 80 bits or half of the original HMAC output, whichever is greater.
Family:	unix	Class:	patch
Reference(s):	DSA-1849 CVE-2009-0217	Version:	3
Platform(s):	Debian GNU/Linux 5.0 Debian GNU/Linux 4.0	Product(s):	xml-security-c
Definition Synopsis:
Release section Debian GNU/Linux 5.0 is installed AND Supported architectures section Installed architecture is s390 AND Installed architecture is amd64 AND Installed architecture is sparc AND Installed architecture is arm AND Installed architecture is i386 AND Installed architecture is armel AND Installed architecture is mips AND Installed architecture is ia64 AND Installed architecture is alpha AND Installed architecture is powerpc AND Installed architecture is mipsel AND Installed architecture is hppa AND Packages section libxml-security-c-dev is earlier than 1.4.0-3+lenny2 AND libxml-security-c14 is earlier than 1.4.0-3+lenny2 OR Release section Debian GNU/Linux 4.0 is installed. AND Architecture section Architecture independent section Installed architecture is all AND libxml-security-c-doc is earlier than 1.2.1-3+etch1 AND libxml-security-c12 is earlier than 1.2.1-3+etch1 AND libxml-security-c-dev is earlier than 1.2.1-3+etch1

Definition Id: oval:org.mitre.oval:def:8717

Oval ID:	oval:org.mitre.oval:def:8717
Title:	HP-UX Running Java, Remote Increase in Privilege, Denial of Service and Other Vulnerabilities
Description:	The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2009-0217	Version:	11
Platform(s):	HP-UX 11	Product(s):
Definition Synopsis:
IF HP Release B.11.11 AND HP Release B.11.23 AND HP-UX B.11.31 AND filesets tests Jdk14.JDK14-IPF32 version is less than 1.4.2.23.00 AND Jre14.JRE14-IPF32-HS version is less than 1.4.2.23.00 AND Jre14.JRE14-IPF64 version is less than 1.4.2.23.00 AND Jdk14.JDK14-IPF64 version is less than 1.4.2.23.00 AND Jdk14.JDK14-PA11 version is less than 1.4.2.23.00 AND Jre14.JRE14-COM version is less than 1.4.2.23.00 AND Jdk14.JDK14-PA20 version is less than 1.4.2.23.00 AND Jre14.JRE14-PA11 version is less than 1.4.2.23.00 AND Jdk14.JDK14-PA20W version is less than 1.4.2.23.00 AND Jre14.JRE14-PA11-HS version is less than 1.4.2.23.00 AND Jre14.JRE14-PA20 version is less than 1.4.2.23.00 AND Jre14.JRE14-PA20-HS version is less than 1.4.2.23.00 AND Jre14.JRE14-PA20W version is less than 1.4.2.23.00 AND Jre14.JRE14-IPF64-HS version is less than 1.4.2.23.00 AND Jre14.JRE14-PA20W-HS version is less than 1.4.2.23.00 AND Jre14.JRE14-IPF32 version is less than 1.4.2.23.00 AND Jdk14.JDK14-COM version is less than 1.4.2.23.00 AND Jre15.JRE15-IPF64-HS version is less than 1.5.0.17.00 AND Jdk15.JDK15-IPF32 version is less than 1.5.0.17.00 AND Jdk15.JDK15-PA20 version is less than 1.5.0.17.00 AND Jdk15.JDK15-IPF64 version is less than 1.5.0.17.00 AND Jre15.JRE15-COM version is less than 1.5.0.17.00 AND Jre15.JRE15-PA20 version is less than 1.5.0.17.00 AND Jre15.JRE15-PA20-HS version is less than 1.5.0.17.00 AND Jre15.JRE15-PA20W version is less than 1.5.0.17.00 AND Jre15.JRE15-PA20W-HS version is less than 1.5.0.17.00 AND Jre15.JRE15-IPF32 version is less than 1.5.0.17.00 AND Jre15.JRE15-IPF32-HS version is less than 1.5.0.17.00 AND Jdk15.JDK15-PA20W version is less than 1.5.0.17.00 AND Jre15.JRE15-IPF64 version is less than 1.5.0.17.00 AND Jdk15.JDK15-COM version is less than 1.5.0.17.00 AND Jdk60.JDK60-PA20 version is less than 1.6.0.05.00 AND Jre60.JRE60-PA20W-HS version is less than 1.6.0.05.00 AND Jdk60.JDK60-PA20W version is less than 1.6.0.05.00 AND Jdk60.JDK60-COM version is less than 1.6.0.05.00 AND Jre60.JRE60-COM version is less than 1.6.0.05.00 AND Jre60.JRE60-IPF32 version is less than 1.6.0.05.00 AND Jre60.JRE60-IPF32-HS version is less than 1.6.0.05.00 AND Jre60.JRE60-IPF64 version is less than 1.6.0.05.00 AND Jre60.JRE60-IPF64-HS version is less than 1.6.0.05.00 AND Jre60.JRE60-PA20 version is less than 1.6.0.05.00 AND Jdk60.JDK60-IPF32 version is less than 1.6.0.05.00 AND Jre60.JRE60-PA20-HS version is less than 1.6.0.05.00 AND Jdk60.JDK60-IPF64 version is less than 1.6.0.05.00 AND Jre60.JRE60-PA20W version is less than 1.6.0.05.00

CPE : Common Platform Enumeration

Type	Description	Count
Application	Debian Mono-Debugger cpe:2.3:a:debian:mono-debugger:2.8:::::::* cpe:2.3:a:debian:mono-debugger:2.6.7:::::::* cpe:2.3:a:debian:mono-debugger:2.6.4:::::::* cpe:2.3:a:debian:mono-debugger:2.6.3:::::::* cpe:2.3:a:debian:mono-debugger:2.6.1:::::::* cpe:2.3:a:debian:mono-debugger:2.6:::::::* cpe:2.3:a:debian:mono-debugger:2.4.3:::::::*	7
Application	Ibm Websphere Application Server cpe:2.3:a:ibm:websphere_application_server:7.0.0.1:::::::* cpe:2.3:a:ibm:websphere_application_server:7.0:::::::* cpe:2.3:a:ibm:websphere_application_server:6.1.0.9:::::::* cpe:2.3:a:ibm:websphere_application_server:6.1.0.8:::::::* cpe:2.3:a:ibm:websphere_application_server:6.1.0.7:::::::* cpe:2.3:a:ibm:websphere_application_server:6.1.0.6:::::::* cpe:2.3:a:ibm:websphere_application_server:6.1.0.5:::::::* cpe:2.3:a:ibm:websphere_application_server:6.1.0.4:::::::* cpe:2.3:a:ibm:websphere_application_server:6.1.0.3:::::::* cpe:2.3:a:ibm:websphere_application_server:6.1.0.23:::::::* cpe:2.3:a:ibm:websphere_application_server:6.1.0.22:::::::* cpe:2.3:a:ibm:websphere_application_server:6.1.0.21:::::::* cpe:2.3:a:ibm:websphere_application_server:6.1.0.20:::::::* cpe:2.3:a:ibm:websphere_application_server:6.1.0.2:::::::* cpe:2.3:a:ibm:websphere_application_server:6.1.0.19:::::::* cpe:2.3:a:ibm:websphere_application_server:6.1.0.18:::::::* cpe:2.3:a:ibm:websphere_application_server:6.1.0.17:::::::* cpe:2.3:a:ibm:websphere_application_server:6.1.0.16:::::::* cpe:2.3:a:ibm:websphere_application_server:6.1.0.15:::::::* cpe:2.3:a:ibm:websphere_application_server:6.1.0.14:::::::* cpe:2.3:a:ibm:websphere_application_server:6.1.0.13:::::::* cpe:2.3:a:ibm:websphere_application_server:6.1.0.12:::::::* cpe:2.3:a:ibm:websphere_application_server:6.1.0.11:::::::* cpe:2.3:a:ibm:websphere_application_server:6.1.0.10:::::::* cpe:2.3:a:ibm:websphere_application_server:6.1.0.1:::::::* cpe:2.3:a:ibm:websphere_application_server:6.1.0.0:::::::* cpe:2.3:a:ibm:websphere_application_server:6.1.0:::::::* cpe:2.3:a:ibm:websphere_application_server:6.1:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2.33:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2.32:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2.31:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2.30:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2.3:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2.29:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2.28:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2.25:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2.24:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2.23:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2.22:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2.21:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2.20:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2.2:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2.19:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2.18:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2.17:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2.16:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2.15:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2.14:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2.13:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2.12:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2.11:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2.10:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2.1:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.2::fp17::::: cpe:2.3:a:ibm:websphere_application_server:6.0.1.9:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.1.7:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.1.5:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.1.3:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.1.2:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.1.17:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.1.15:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.1.13:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.1.11:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.1.1:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.1:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.0.3:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.0.2:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0.0.1:::::::* cpe:2.3:a:ibm:websphere_application_server:6.0:::::::*	70
Application	Microsoft .Net Framework cpe:2.3:a:microsoft:.net_framework:4.0:-:::::: cpe:2.3:a:microsoft:.net_framework:3.5.1:::::::* cpe:2.3:a:microsoft:.net_framework:3.5:sp1:::::: cpe:2.3:a:microsoft:.net_framework:3.5:-:::::: cpe:2.3:a:microsoft:.net_framework:2.0:sp1:::::: cpe:2.3:a:microsoft:.net_framework:2.0:sp2:::::: cpe:2.3:a:microsoft:.net_framework:1.1:sp1::::::	7
Application	Mono cpe:2.3:a:mono:mono:2.8.1:::::::* cpe:2.3:a:mono:mono:2.8:::::::* cpe:2.3:a:mono:mono:2.6.4:::::::* cpe:2.3:a:mono:mono:2.6.3:::::::* cpe:2.3:a:mono:mono:2.6:::::::* cpe:2.3:a:mono:mono:2.4.3:::::::* cpe:2.3:a:mono:mono:2.4.2.3:::::::* cpe:2.3:a:mono:mono:2.4.2.2:::::::* cpe:2.3:a:mono:mono:2.4.2.1:::::::* cpe:2.3:a:mono:mono:2.4.2:::::::* cpe:2.3:a:mono:mono:2.4:::::::* cpe:2.3:a:mono:mono:2.2:::::::* cpe:2.3:a:mono:mono:2.0.1:::::::* cpe:2.3:a:mono:mono:2.0:::::::* cpe:2.3:a:mono:mono:1.9.1:::::::* cpe:2.3:a:mono:mono:1.9:::::::* cpe:2.3:a:mono:mono:1.2.6:::::::* cpe:2.3:a:mono:mono:1.2.5.2:::::::* cpe:2.3:a:mono:mono:1.2.5.1:::::::* cpe:2.3:a:mono:mono:1.2.5:::::::* cpe:2.3:a:mono:mono:1.2.4:::::::* cpe:2.3:a:mono:mono:1.2.3.1:::::::* cpe:2.3:a:mono:mono:1.2.3:::::::* cpe:2.3:a:mono:mono:1.2.2.1:::::::* cpe:2.3:a:mono:mono:1.2.2:::::::* cpe:2.3:a:mono:mono:1.2.1:::::::* cpe:2.3:a:mono:mono:1.2:::::::* cpe:2.3:a:mono:mono:1.1.9.2:::::::* cpe:2.3:a:mono:mono:1.1.9.1:::::::* cpe:2.3:a:mono:mono:1.1.9:::::::* cpe:2.3:a:mono:mono:1.1.8.3:::::::* cpe:2.3:a:mono:mono:1.1.8.1:::::::* cpe:2.3:a:mono:mono:1.1.8:::::::* cpe:2.3:a:mono:mono:1.1.7:::::::* cpe:2.3:a:mono:mono:1.1.6:::::::* cpe:2.3:a:mono:mono:1.1.5:::::::* cpe:2.3:a:mono:mono:1.1.4:::::::* cpe:2.3:a:mono:mono:1.1.3:::::::* cpe:2.3:a:mono:mono:1.1.2:::::::* cpe:2.3:a:mono:mono:1.1.18:::::::* cpe:2.3:a:mono:mono:1.1.17.2:::::::* cpe:2.3:a:mono:mono:1.1.17.1:::::::* cpe:2.3:a:mono:mono:1.1.17:::::::* cpe:2.3:a:mono:mono:1.1.16.1:::::::* cpe:2.3:a:mono:mono:1.1.16:::::::* cpe:2.3:a:mono:mono:1.1.15:::::::* cpe:2.3:a:mono:mono:1.1.14:::::::* cpe:2.3:a:mono:mono:1.1.13.8.1:::::::* cpe:2.3:a:mono:mono:1.1.13.8:::::::* cpe:2.3:a:mono:mono:1.1.13.7:::::::* cpe:2.3:a:mono:mono:1.1.13.6:::::::* cpe:2.3:a:mono:mono:1.1.13.5:::::::* cpe:2.3:a:mono:mono:1.1.13.4:::::::* cpe:2.3:a:mono:mono:1.1.13.2:::::::* cpe:2.3:a:mono:mono:1.1.13:::::::* cpe:2.3:a:mono:mono:1.1.12.1:::::::* cpe:2.3:a:mono:mono:1.1.12:::::::* cpe:2.3:a:mono:mono:1.1.11:::::::* cpe:2.3:a:mono:mono:1.1.10.1:::::::* cpe:2.3:a:mono:mono:1.1.10:::::::* cpe:2.3:a:mono:mono:1.1.1:::::::* cpe:2.3:a:mono:mono:1.0.6:::::::* cpe:2.3:a:mono:mono:1.0.5:::::::* cpe:2.3:a:mono:mono:1.0.4:::::::* cpe:2.3:a:mono:mono:1.0.2:::::::* cpe:2.3:a:mono:mono:1.0.1:::::::* cpe:2.3:a:mono:mono:1.0:::::::* cpe:2.3:a:mono:mono::::::::	68
Application	Mono Project Mono cpe:2.3:a:mono_project:mono:2.0:::::::* cpe:2.3:a:mono_project:mono:1.9:::::::* cpe:2.3:a:mono_project:mono:1.2.6:::::::* cpe:2.3:a:mono_project:mono:1.2.5:::::::* cpe:2.3:a:mono_project:mono:1.2.4:::::::* cpe:2.3:a:mono_project:mono:1.2.3:::::::* cpe:2.3:a:mono_project:mono:1.2.2:::::::* cpe:2.3:a:mono_project:mono:1.2.1:::::::*	8
Application	Novell Moonlight cpe:2.3:a:novell:moonlight:3.99:::::::* cpe:2.3:a:novell:moonlight:3.0:::::::* cpe:2.3:a:novell:moonlight:2.99.9:::::::* cpe:2.3:a:novell:moonlight:2.99.7:::::::* cpe:2.3:a:novell:moonlight:2.99.2:::::::* cpe:2.3:a:novell:moonlight:2.99.1:::::::* cpe:2.3:a:novell:moonlight:2.99.0:::::::* cpe:2.3:a:novell:moonlight:2.4:::::::* cpe:2.3:a:novell:moonlight:2.31:::::::* cpe:2.3:a:novell:moonlight:2.3.0:::::::* cpe:2.3:a:novell:moonlight:2.0:::::::*	11
Application	Oracle Application Server cpe:2.3:a:oracle:application_server:10.1.4.3im:::::::* cpe:2.3:a:oracle:application_server:10.1.3.4:::::::* cpe:2.3:a:oracle:application_server:10.1.2.3:::::::*	3
Application	Oracle Bea Product Suite cpe:2.3:a:oracle:bea_product_suite:10.3:::::::* cpe:2.3:a:oracle:bea_product_suite:10.0:mp1:::::: cpe:2.3:a:oracle:bea_product_suite:9.2:mp3:::::: cpe:2.3:a:oracle:bea_product_suite:9.1:::::::* cpe:2.3:a:oracle:bea_product_suite:9.0:::::::* cpe:2.3:a:oracle:bea_product_suite:8.1:sp6::::::	6
Application	Oracle Weblogic Server Component cpe:2.3:a:oracle:weblogic_server_component:10.3:::::::* cpe:2.3:a:oracle:weblogic_server_component:10.0:mp1:::::: cpe:2.3:a:oracle:weblogic_server_component:9.2:mp3:::::: cpe:2.3:a:oracle:weblogic_server_component:9.1:::::::* cpe:2.3:a:oracle:weblogic_server_component:9.0:::::::* cpe:2.3:a:oracle:weblogic_server_component:8.1:sp6::::::	6

OpenVAS Exploits

Date	Description
2012-08-10	Name : Gentoo Security Advisory GLSA 201206-13 (mono mono-debugger) File : nvt/glsa_201206_13.nasl
2011-08-09	Name : CentOS Update for xmlsec1 CESA-2009:1428 centos5 i386 File : nvt/gb_CESA-2009_1428_xmlsec1_centos5_i386.nasl
2011-08-09	Name : CentOS Update for xmlsec1 CESA-2009:1428 centos4 i386 File : nvt/gb_CESA-2009_1428_xmlsec1_centos4_i386.nasl
2011-08-09	Name : CentOS Update for java CESA-2009:1201 centos5 i386 File : nvt/gb_CESA-2009_1201_java_centos5_i386.nasl
2011-04-01	Name : Fedora Update for mono-addins FEDORA-2011-3393 File : nvt/gb_fedora_2011_3393_mono-addins_fc14.nasl
2011-04-01	Name : Fedora Update for mono FEDORA-2011-3393 File : nvt/gb_fedora_2011_3393_mono_fc14.nasl
2010-12-02	Name : Mandriva Update for mono MDVSA-2010:240 (mono) File : nvt/gb_mandriva_MDVSA_2010_240.nasl
2010-09-29	Name : Microsoft ASP.NET Information Disclosure Vulnerability (2418042) File : nvt/secpod_ms10-070_remote.nasl
2010-06-09	Name : Microsoft .NET Framework XML HMAC Truncation Vulnerability (981343) File : nvt/secpod_ms10-041.nasl
2010-05-28	Name : Java for Mac OS X 10.5 Update 5 File : nvt/macosx_java_for_10_5_upd_5.nasl
2010-03-22	Name : SuSE Update for OpenOffice_org SUSE-SA:2010:017 File : nvt/gb_suse_2010_017.nasl
2010-03-16	Name : FreeBSD Ports: openoffice.org File : nvt/freebsd_openoffice.org.nasl
2010-03-02	Name : Ubuntu Update for openoffice.org vulnerabilities USN-903-1 File : nvt/gb_ubuntu_USN_903_1.nasl
2009-12-30	Name : RedHat Security Advisory RHSA-2009:1694 File : nvt/RHSA_2009_1694.nasl
2009-12-10	Name : Mandriva Security Advisory MDVSA-2009:318 (xmlsec1) File : nvt/mdksa_2009_318.nasl
2009-12-10	Name : Mandriva Security Advisory MDVSA-2009:322 (mono) File : nvt/mdksa_2009_322.nasl
2009-11-11	Name : SLES11: Security update for IBM Java 1.6.0 File : nvt/sles11_java-1_6_0-ibm1.nasl
2009-10-19	Name : Mandrake Security Advisory MDVSA-2009:267 (xmlsec1) File : nvt/mdksa_2009_267.nasl
2009-10-19	Name : Mandrake Security Advisory MDVSA-2009:268 (mono) File : nvt/mdksa_2009_268.nasl
2009-10-19	Name : Mandrake Security Advisory MDVSA-2009:269 (mono) File : nvt/mdksa_2009_269.nasl
2009-09-15	Name : CentOS Security Advisory CESA-2009:1428 (xmlsec1) File : nvt/ovcesa2009_1428.nasl
2009-09-09	Name : RedHat Security Advisory RHSA-2009:1428 File : nvt/RHSA_2009_1428.nasl
2009-09-02	Name : Ubuntu USN-826-1 (mono) File : nvt/ubuntu_826_1.nasl
2009-09-02	Name : Mandrake Security Advisory MDVSA-2009:209 (java-1.6.0-openjdk) File : nvt/mdksa_2009_209.nasl
2009-08-17	Name : FreeBSD Ports: mono File : nvt/freebsd_mono0.nasl
2009-08-17	Name : Fedora Core 11 FEDORA-2009-8473 (xmlsec1) File : nvt/fcore_2009_8473.nasl
2009-08-17	Name : Fedora Core 10 FEDORA-2009-8456 (xmlsec1) File : nvt/fcore_2009_8456.nasl
2009-08-17	Name : Fedora Core 10 FEDORA-2009-8337 (java-1.6.0-openjdk) File : nvt/fcore_2009_8337.nasl
2009-08-17	Name : Fedora Core 11 FEDORA-2009-8329 (java-1.6.0-openjdk) File : nvt/fcore_2009_8329.nasl
2009-08-17	Name : CentOS Security Advisory CESA-2009:1201 (java-1.6.0-openjdk) File : nvt/ovcesa2009_1201.nasl
2009-08-17	Name : Fedora Core 11 FEDORA-2009-8157 (xml-security-c) File : nvt/fcore_2009_8157.nasl
2009-08-17	Name : Fedora Core 10 FEDORA-2009-8121 (xml-security-c) File : nvt/fcore_2009_8121.nasl
2009-08-17	Name : Debian Security Advisory DSA 1849-1 (xml-security-c) File : nvt/deb_1849_1.nasl
2009-08-17	Name : RedHat Security Advisory RHSA-2009:1201 File : nvt/RHSA_2009_1201.nasl
2009-08-17	Name : Ubuntu USN-814-1 (openjdk-6) File : nvt/ubuntu_814_1.nasl
2009-08-17	Name : RedHat Security Advisory RHSA-2009:1200 File : nvt/RHSA_2009_1200.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
75028	Mono on Moonlight DynamicThread Instance Use-after-free Remote DoS
75027	Mono on Moonlight metadata/icall.c Array.Copy Method FastCopy Race Condition ...
75026	Mono on Moonlight MonoThread Instance Use-after-free Remote Information Discl...
75025	Mono on Moonlight metadata/icall.c RuntimeHelpers.InitializeArray Method Craf...
70312	Mono ASP.NET mod_mono Module ASPX Script Source Disclosure Mono contains a flaw that may lead to an unauthorized information disclosure.Â The issue is triggered when an unspecified error within the 'mod_mono' module occurs, which will disclose ASPX script source code to a remote attacker.
69619	Mono on Moonlight Unspecified Generic Constraints Bypass Mono on Moonlight contains a flaw related to insufficient validation of arguments. The issue is triggered when remote attacker uses a crafted method call to bypass security policies or potentially execute arbitrary code.
69325	Mono metadata/loader.c Path Subversion Local Privilege Escalation
68795	mono-debugger Multiple Script LD_LIBRARY_PATH Zero-length Directory Name Path...
68127	Microsoft ASP.NET ViewState Cryptographic Padding Remote Information Disclosure Microsoft .NET Framework contains a flaw that may lead to an unauthorized information disclosure. Â The issue is triggered when the component provides detailed error codes during decryption attempts, which will disclose View State form data to a remote attacker via a padding oracle attack. This may also potentially allow for the forging of cookies or reading of application files.
56243	W3C XML Signature Syntax and Processing (XMLDsig) HMACOutputLength Signature ...
55907	Oracle BEA WebLogic Server Web Services Package HMACOutputLength Signature Sp...
55895	Oracle Application Server Security Developer Tools HMACOutputLength Signature...

Information Assurance Vulnerability Management (IAVM)

Date	Description
2010-06-10	IAVM : 2010-B-0046 - Microsoft .NET Framework Data Tampering Vulnerability Severity : Category II - VMSKEY : V0024367

Snort® IPS/IDS

Date	Description
2014-01-10	Apache XML HMAC truncation authentication bypass attempt RuleID : 21337 - Revision : 4 - Type : SERVER-APACHE
2014-01-10	Microsoft Windows ASP.NET information disclosure attempt RuleID : 17429 - Revision : 16 - Type : OS-WINDOWS
2014-01-10	Microsoft Windows ASP.NET information disclosure attempt RuleID : 17428 - Revision : 17 - Type : OS-WINDOWS
2014-01-10	Microsoft Windows .NET framework XMLDsig data tampering attempt RuleID : 16636 - Revision : 14 - Type : OS-WINDOWS

Nessus® Vulnerability Scanner

Date	Description
2015-03-25	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-2547-1.nasl - Type : ACT_GATHER_INFO
2014-09-01	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201408-19.nasl - Type : ACT_GATHER_INFO
2014-06-13	Name : The remote openSUSE host is missing a security update. File : suse_11_4_libmoon-devel-110406.nasl - Type : ACT_GATHER_INFO
2014-06-13	Name : The remote openSUSE host is missing a security update. File : suse_11_3_libmoon-devel-110406.nasl - Type : ACT_GATHER_INFO
2014-06-13	Name : The remote openSUSE host is missing a security update. File : suse_11_3_libmoon-devel-101208.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2009-1428.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2009-1201.nasl - Type : ACT_GATHER_INFO
2013-02-22	Name : The remote Unix host contains a runtime environment that is affected by multi... File : sun_java_jre_263408_unix.nasl - Type : ACT_GATHER_INFO
2013-01-24	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1637.nasl - Type : ACT_GATHER_INFO
2013-01-24	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1636.nasl - Type : ACT_GATHER_INFO
2013-01-24	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1649.nasl - Type : ACT_GATHER_INFO
2013-01-24	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1650.nasl - Type : ACT_GATHER_INFO
2012-08-01	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20090806_java_1_6_0_openjdk_on_SL5_3.nasl - Type : ACT_GATHER_INFO
2012-08-01	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20090824_java__jdk_1_6_0__on_SL4_x.nasl - Type : ACT_GATHER_INFO
2012-08-01	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20090908_xmlsec1_on_SL4_x.nasl - Type : ACT_GATHER_INFO
2012-07-26	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1517-1.nasl - Type : ACT_GATHER_INFO
2012-06-22	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201206-13.nasl - Type : ACT_GATHER_INFO
2012-03-21	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_bytefx-data-mysql-8001.nasl - Type : ACT_GATHER_INFO
2012-01-24	Name : The remote web server may be affected by multiple vulnerabilities. File : oracle_application_server_pci.nasl - Type : ACT_GATHER_INFO
2011-12-13	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_bytefx-data-mysql-7479.nasl - Type : ACT_GATHER_INFO
2011-04-22	Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_bytefx-data-mysql-110331.nasl - Type : ACT_GATHER_INFO
2011-04-22	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_bytefx-data-mysql-7445.nasl - Type : ACT_GATHER_INFO
2011-04-07	Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libmoon-devel-110329.nasl - Type : ACT_GATHER_INFO
2011-04-01	Name : The remote Fedora host is missing one or more security updates. File : fedora_2011-3393.nasl - Type : ACT_GATHER_INFO
2011-01-27	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_OpenOffice_org-6884.nasl - Type : ACT_GATHER_INFO
2011-01-27	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_OpenOffice_org-6883.nasl - Type : ACT_GATHER_INFO
2011-01-21	Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_OpenOffice_org-100225.nasl - Type : ACT_GATHER_INFO
2011-01-21	Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libmoon-devel-101222.nasl - Type : ACT_GATHER_INFO
2011-01-21	Name : The remote SuSE 11 host is missing a security update. File : suse_11_moonlight-plugin-101130.nasl - Type : ACT_GATHER_INFO
2010-11-28	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2010-240.nasl - Type : ACT_GATHER_INFO
2010-10-29	Name : A web application hosted on the remote server is potentially prone to a paddi... File : padding_oracle.nasl - Type : ACT_MIXED_ATTACK
2010-10-08	Name : The version of the .NET framework installed on the remote host has an informa... File : padding_oracle_ms10-070.nasl - Type : ACT_ATTACK
2010-09-28	Name : The version of the .NET framework installed on the remote host has an informa... File : smb_nt_ms10-070.nasl - Type : ACT_GATHER_INFO
2010-07-30	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-269.nasl - Type : ACT_GATHER_INFO
2010-06-09	Name : It is possible to tamper with signed XML content without being detected on th... File : smb_nt_ms10-041.nasl - Type : ACT_GATHER_INFO
2010-03-17	Name : The remote openSUSE host is missing a security update. File : suse_11_0_OpenOffice_org-100211.nasl - Type : ACT_GATHER_INFO
2010-03-17	Name : The remote openSUSE host is missing a security update. File : suse_11_2_OpenOffice_org-base-drivers-postgresql-100216.nasl - Type : ACT_GATHER_INFO
2010-03-17	Name : The remote openSUSE host is missing a security update. File : suse_11_1_OpenOffice_org-base-drivers-postgresql-100211.nasl - Type : ACT_GATHER_INFO
2010-03-16	Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_OpenOffice_org-100226.nasl - Type : ACT_GATHER_INFO
2010-03-01	Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_c97d7a37223311df96dd001b2134ef46.nasl - Type : ACT_GATHER_INFO
2010-02-25	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-903-1.nasl - Type : ACT_GATHER_INFO
2010-02-24	Name : The remote Debian host is missing a security-related update. File : debian_DSA-1995.nasl - Type : ACT_GATHER_INFO
2010-02-24	Name : The remote Debian host is missing a security-related update. File : debian_DSA-1849.nasl - Type : ACT_GATHER_INFO
2010-02-12	Name : The remote Windows host has a program affected by multiple buffer overflows. File : openoffice_32.nasl - Type : ACT_GATHER_INFO
2010-01-15	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0043.nasl - Type : ACT_GATHER_INFO
2010-01-13	Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_java-1_6_0-ibm-100105.nasl - Type : ACT_GATHER_INFO
2010-01-06	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2009-1201.nasl - Type : ACT_GATHER_INFO
2009-12-27	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1694.nasl - Type : ACT_GATHER_INFO
2009-12-08	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-322.nasl - Type : ACT_GATHER_INFO
2009-12-07	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-318.nasl - Type : ACT_GATHER_INFO
2009-11-05	Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_java-1_6_0-ibm-091102.nasl - Type : ACT_GATHER_INFO
2009-10-13	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-268.nasl - Type : ACT_GATHER_INFO
2009-10-12	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-267.nasl - Type : ACT_GATHER_INFO
2009-09-09	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1428.nasl - Type : ACT_GATHER_INFO
2009-09-09	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2009-1428.nasl - Type : ACT_GATHER_INFO
2009-09-03	Name : The remote host has a version of Java that is affected by multiple vulnerabil... File : macosx_java_10_5_update5.nasl - Type : ACT_GATHER_INFO
2009-08-31	Name : The remote openSUSE host is missing a security update. File : suse_11_0_java-1_6_0-openjdk-090826.nasl - Type : ACT_GATHER_INFO
2009-08-31	Name : The remote openSUSE host is missing a security update. File : suse_11_1_java-1_6_0-openjdk-090827.nasl - Type : ACT_GATHER_INFO
2009-08-27	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-826-1.nasl - Type : ACT_GATHER_INFO
2009-08-24	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1200.nasl - Type : ACT_GATHER_INFO
2009-08-24	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-209.nasl - Type : ACT_GATHER_INFO
2009-08-12	Name : The remote Fedora host is missing a security update. File : fedora_2009-8456.nasl - Type : ACT_GATHER_INFO
2009-08-12	Name : The remote Fedora host is missing a security update. File : fedora_2009-8473.nasl - Type : ACT_GATHER_INFO
2009-08-11	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-814-1.nasl - Type : ACT_GATHER_INFO
2009-08-10	Name : The remote Fedora host is missing a security update. File : fedora_2009-8337.nasl - Type : ACT_GATHER_INFO
2009-08-07	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1201.nasl - Type : ACT_GATHER_INFO
2009-08-07	Name : The remote Fedora host is missing a security update. File : fedora_2009-8329.nasl - Type : ACT_GATHER_INFO
2009-08-05	Name : The remote Windows host contains a runtime environment that is affected by mu... File : sun_java_jre_263408.nasl - Type : ACT_GATHER_INFO
2009-08-01	Name : The remote Fedora host is missing a security update. File : fedora_2009-8157.nasl - Type : ACT_GATHER_INFO
2009-08-01	Name : The remote Fedora host is missing a security update. File : fedora_2009-8121.nasl - Type : ACT_GATHER_INFO
2009-07-30	Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_708c65a57c5811dea9940030843d3802.nasl - Type : ACT_GATHER_INFO
2009-06-03	Name : The remote host is missing Sun Security Patch number 141709-03 File : solaris10_141709.nasl - Type : ACT_GATHER_INFO
2009-06-03	Name : The remote host is missing Sun Security Patch number 141710-03 File : solaris10_x86_141710.nasl - Type : ACT_GATHER_INFO
2009-06-03	Name : The remote host is missing Sun Security Patch number 141709-03 File : solaris9_141709.nasl - Type : ACT_GATHER_INFO
2009-06-03	Name : The remote host is missing Sun Security Patch number 141710-03 File : solaris9_x86_141710.nasl - Type : ACT_GATHER_INFO
2009-01-19	Name : The remote host is missing Sun Security Patch number 128641-30 File : solaris10_x86_128641.nasl - Type : ACT_GATHER_INFO
2009-01-19	Name : The remote host is missing Sun Security Patch number 128640-30 File : solaris9_128640.nasl - Type : ACT_GATHER_INFO
2009-01-19	Name : The remote host is missing Sun Security Patch number 128641-30 File : solaris9_x86_128641.nasl - Type : ACT_GATHER_INFO
2009-01-19	Name : The remote host is missing Sun Security Patch number 128640-30 File : solaris10_128640.nasl - Type : ACT_GATHER_INFO
2007-10-12	Name : The remote host is missing Sun Security Patch number 125136-97 File : solaris8_125136.nasl - Type : ACT_GATHER_INFO
2007-10-12	Name : The remote host is missing Sun Security Patch number 125136-97 File : solaris9_125136.nasl - Type : ACT_GATHER_INFO
2007-10-12	Name : The remote host is missing Sun Security Patch number 125136-97 File : solaris10_125136.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 11:37:23	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	7
Oval ID(s)	9
CPE ID(s)	186
osvdb(s)	12
Openvas Exploit(s)	36
IAVM(s)	1
Snort® Rule(s)	4
Nessus® Exploit(s)	82

	Related
7.5	CVE-2010-4254
6.9	CVE-2010-4159
6.9	CVE-2010-3369
6.8	CVE-2011-0991
6.4	CVE-2010-3332
5.8	CVE-2011-0992
5.8	CVE-2011-0990
5.8	CVE-2011-0989
5	CVE-2010-4225
5	CVE-2009-0217
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 10 more Alert(s)

7.5 - GLSA-201206-13

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

OVAL Definitions

CPE : Common Platform Enumeration

OpenVAS Exploits

Open Source Vulnerability Database (OSVDB)

Information Assurance Vulnerability Management (IAVM)

Snort® IPS/IDS

Nessus® Vulnerability Scanner

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU