製品・ソフトウェアに関する情報

JVN脆弱性詳細

Internet2 Shibboleth Service Provider ソフトウェアにおける SSL サーバになりすまされる脆弱性

Title	Internet2 Shibboleth Service Provider ソフトウェアにおける SSL サーバになりすまされる脆弱性
Summary	Internet2 Shibboleth Service Provider ソフトウェアは、証明書の subject または subjectAltName フィールド内の '\0' 文字を適切に処理しないため、任意の SSL サーバになりすまされる脆弱性が存在します。本問題は、CVE-2009-2408 に関連する可能性があります。
Possible impacts	リモート攻撃者により、巧妙に細工された正規認証局発行の証明書を介して、任意の SSL サーバになりすまされる可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Sept. 29, 2009, midnight
Registration Date	Sept. 25, 2012, 5:38 p.m.
Last Update	Sept. 25, 2012, 5:38 p.m.

Affected System

Internet2

shibboleth-sp 1.3.3 未満の 1.3.x, 2.2.1 未満の 2.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2009-3475	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3475
National Vulnerability Database (NVD)
2	CVE-2009-3475	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3475

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-310	https://jvndb.jvn.jp/ja/cwe/CWE-310.html

ベンダー情報

No	Name	URL
Internet2
1	Shibboleth	http://shibboleth.net/

Change Log

No	Changed Details	Date of change
0	[2012年09月25日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2009-3475

Summary	Internet2 Shibboleth Service Provider software 1.3.x before 1.3.3 and 2.x before 2.2.1, when using PKIX trust validation, does not properly handle a '\0' character in the subject or subjectAltName fields of a certificate, which allows remote man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Summary	El software Internet2 Shibboleth Service Provider v1.3.x anterior a v1.3.3 y v2.x anterior a v2.2.1, cuando se utiliza la validación de confianza PKIX, no controla correctamente un caracter '\0' en los campos subject o subjectAltName de un certificado, lo cual permite a atacantes remotos hombre-en-el-medio (man-in-the-middle) suplantar servidores SSL a su elección a través de certificados manipulados expedidos por una Autoridad de Certificación, un tema relacionado con CVE-2009-2408.
Publication Date	Sept. 30, 2009, 8:30 a.m.
Registration Date	Jan. 29, 2021, 1:23 p.m.
Last Update	April 23, 2026, 9:35 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:internet2:shibboleth-sp:1.3.1:::::::*
cpe:2.3:a:internet2:shibboleth-sp:1.3.2:::::::*
cpe:2.3:a:internet2:shibboleth-sp:1.3f:::::::*
cpe:2.3:a:internet2:shibboleth-sp:2.0:::::::*
cpe:2.3:a:internet2:shibboleth-sp:2.1:::::::*
cpe:2.3:a:internet2:shibboleth-sp:2.2:::::::*

Related information, measures and tools

No	URL	refsource
1	http://secunia.com/advisories/36855	cve@mitre.org
2	http://secunia.com/advisories/36861	cve@mitre.org
3	http://secunia.com/advisories/36876	cve@mitre.org
4	http://shibboleth.internet2.edu/secadv/secadv_20090817.txt	cve@mitre.org
5	http://www.debian.org/security/2009/dsa-1895	cve@mitre.org
6	http://www.debian.org/security/2009/dsa-1896	cve@mitre.org
7	http://secunia.com/advisories/36855	af854a3a-2127-422b-91ae-364da2661108
8	http://secunia.com/advisories/36861	af854a3a-2127-422b-91ae-364da2661108
9	http://secunia.com/advisories/36876	af854a3a-2127-422b-91ae-364da2661108
10	http://shibboleth.internet2.edu/secadv/secadv_20090817.txt	af854a3a-2127-422b-91ae-364da2661108
11	http://www.debian.org/security/2009/dsa-1895	af854a3a-2127-422b-91ae-364da2661108
12	http://www.debian.org/security/2009/dsa-1896	af854a3a-2127-422b-91ae-364da2661108

Common Vulnerabilities List

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:internet2:shibboleth-sp:1.3.1:::::::*
cpe:2.3:a:internet2:shibboleth-sp:1.3.2:::::::*
cpe:2.3:a:internet2:shibboleth-sp:1.3f:::::::*
cpe:2.3:a:internet2:shibboleth-sp:2.0:::::::*
cpe:2.3:a:internet2:shibboleth-sp:2.1:::::::*
cpe:2.3:a:internet2:shibboleth-sp:2.2:::::::*