CVE-2009-3875
Last modified
CVE-2009-3875 is a vulnerability of currently unknown severity. The MessageDigest.isEqual function in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to spoof HMAC-based digital signatures, and possibly bypass authentication, via unspecified vectors related to "timing attack vulnerabilities," aka Bug Id 6863503.. EPSS estimates a 3.11% chance of exploitation in the next 30 days.
Description
The MessageDigest.isEqual function in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to spoof HMAC-based digital signatures, and possibly bypass authentication, via unspecified vectors related to "timing attack vulnerabilities," aka Bug Id 6863503.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Sun | Jdk | 1.5.0 | Update1 |
| Sun | Jdk | 1.6.0 | Update1 |
| Sun | Jre | 1.4.2_1 | — |
| Sun | Jre | 1.4.2_2 | — |
| Sun | Jre | 1.4.2_02 | — |
| Sun | Jre | 1.4.2_03 | — |
| Sun | Jre | 1.4.2_3 | — |
| Sun | Jre | 1.4.2_4 | — |
| Sun | Jre | 1.4.2_04 | — |
| Sun | Jre | 1.4.2_05 | — |
| Sun | Jre | 1.4.2_5 | — |
| Sun | Jre | 1.4.2_06 | — |
| Sun | Jre | 1.4.2_6 | — |
| Sun | Jre | 1.4.2_7 | — |
| Sun | Jre | 1.4.2_07 | — |
| Sun | Jre | 1.4.2_8 | — |
| Sun | Jre | 1.4.2_08 | — |
| Sun | Jre | 1.4.2_09 | — |
| Sun | Jre | 1.4.2_9 | — |
| Sun | Jre | 1.4.2_10 | — |
| Sun | Jre | 1.4.2_11 | — |
| Sun | Jre | 1.4.2_12 | — |
| Sun | Jre | 1.4.2_13 | — |
| Sun | Jre | 1.4.2_14 | — |
| Sun | Jre | 1.4.2_15 | — |
| Sun | Jre | 1.4.2_16 | — |
| Sun | Jre | 1.4.2_17 | — |
| Sun | Jre | 1.4.2_18 | — |
| Sun | Jre | 1.4.2_19 | — |
| Sun | Jre | 1.4.2_20 | — |
| Sun | Jre | 1.4.2_21 | — |
| Sun | Jre | 1.4.2_22 | — |
| Sun | Jre | 1.4.2_23 | — |
| Sun | Jre | 1.5.0 | Update1 |
| Sun | Jre | 1.6.0 | Update 1 |
| Sun | Sdk | 1.4.2_01 | — |
| Sun | Sdk | 1.4.2_1 | — |
| Sun | Sdk | 1.4.2_2 | — |
| Sun | Sdk | 1.4.2_02 | — |
| Sun | Sdk | 1.4.2_03 | — |
| Sun | Sdk | 1.4.2_3 | — |
| Sun | Sdk | 1.4.2_04 | — |
| Sun | Sdk | 1.4.2_4 | — |
| Sun | Sdk | 1.4.2_5 | — |
| Sun | Sdk | 1.4.2_05 | — |
| Sun | Sdk | 1.4.2_6 | — |
| Sun | Sdk | 1.4.2_06 | — |
| Sun | Sdk | 1.4.2_07 | — |
| Sun | Sdk | 1.4.2_7 | — |
| Sun | Sdk | 1.4.2_8 | — |
Showing 50 of 136 affected configurations. See NVD for the full list.
References
- http://secunia.com/advisories/37231Vendor Advisory
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-270475-1Patch, Vendor Advisory
- http://www.vupen.com/english/advisories/2009/3131Vendor Advisory
- http://secunia.com/advisories/37231Vendor Advisory
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-270475-1Patch, Vendor Advisory
- http://www.vupen.com/english/advisories/2009/3131Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2009-3875?
How severe is CVE-2009-3875?
How do I fix CVE-2009-3875?
Are you affected by CVE-2009-3875?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST