[IdP] Used SAML Libraries

Published on 4 Jul by Telmo Martins
26 votes

Recently I received a mail with the following security alert:


Vulnerability Note VU#475445
Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal
https://www.kb.cert.org/vuls/id/475445


Can someone from the team confirm that the IDP module does not use a SAML library that is affected by this vulnerability?

I got the same alert and have the same question. Can anyone answer this?


Solution

Hi,

This IdP component (on both stacks, Java and .NET) is not affected by this vulnerability. The issue concerns some XML parsers/APIs that do not "behave" as expected when there are XML comments inline in XML text values, which is not the case here.

To confirm, I have done some additional tests, and the "real" XML inner text value is correctly parsed and returned by the APIs used in the IdP component.


Regards.
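A way to run the kind of parser check the answer above describes, as an added example in Python that is not the IdP component's own code: the constructed sample assertion carries an inline comment inside the NameID text value, the input shape VU#475445 concerns, and the two extraction functions contrast a first-child DOM read that truncates the value with a full-text read that returns what the text node really contains, plus a defensive check that rejects any NameID not made of a single text node.

```python
import xml.dom.minidom as minidom

# Constructed sample: a SAML NameID whose text value contains an inline
# XML comment, the input shape VU#475445 describes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>user@example.com<!-- c -->.other.example</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed sample with a plain, single-text-node NameID.
CLEAN_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>user@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def _name_id_node(xml_text: str):
    doc = minidom.parseString(xml_text)  # minidom keeps Comment nodes
    return doc.getElementsByTagName("saml:NameID")[0]


def name_id_first_child(xml_text: str) -> str:
    """The fragile DOM traversal: only the first child text node is read,
    so a comment in the middle of the value silently truncates it."""
    return _name_id_node(xml_text).firstChild.nodeValue


def name_id_all_text(xml_text: str) -> str:
    """Concatenate every text node under the element and skip comments;
    this is the "real" inner text value a correct parser returns."""
    node = _name_id_node(xml_text)
    return "".join(c.data for c in node.childNodes if c.nodeType == c.TEXT_NODE)


def name_id_is_clean(xml_text: str) -> bool:
    """Defensive check: accept a NameID only when it consists of exactly one
    text node, so comments or other nodes in the value are rejected."""
    node = _name_id_node(xml_text)
    return len(node.childNodes) == 1 and node.childNodes[0].nodeType == node.TEXT_NODE


if __name__ == "__main__":
    print("first child :", name_id_first_child(SAMPLE_ASSERTION))
    print("all text    :", name_id_all_text(SAMPLE_ASSERTION))
    print("clean?      :", name_id_is_clean(SAMPLE_ASSERTION))
```

Running the same two reads against the library your SP or IdP uses, and confirming they agree, is the test the answer refers to.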


Solution

Hello Telmo,

Thank you for the quick response and good to read the IDP module is not affected.

Thank you!

Best regards,

Ben van der Linden