SAML vulnerability note VU#475445 - Is Spring Security SAML2 vulnerable?

https://www.kb.cert.org/vuls/id/475445 has just been disclosed.

Does it affect Spring Security SAML2?

I do not see the XML parser used in Spring Security SAML2 in the list of affected APIs.

Let us know.

Tags: spring-security, spring-saml, xml-parsing, saml

I am leading the Spring Security project and I have confirmed that the exploit does not work with Spring Security SAML with default settings. This was confirmed by a colleague.

If you change the default settings (set ignoreComments = false), your application will become vulnerable.

Update: see https://spring.io/blog/2018/03/01/spring-security-saml-and-this-week-s-saml-vulnerability
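The answer's point is that the parser setting decides whether a comment inside an assertion value reaches the application's DOM. The following added example (not code from the question, the answer, or the Spring Security project) uses Python's xml.dom.minidom, which retains comment nodes, to show why a comment-retaining parser combined with a first-text-node lookup yields a different NameID than the IdP asserted, and what a hardened extraction and a detection check look like. The SAML fragment, the user name and the domains are constructed sample values; the function names are this example's own.

```python
import xml.dom.minidom as minidom
from xml.dom import Node

# Constructed sample: a NameID whose character data is split by an XML comment.
# A parser that keeps comments produces three children: Text, Comment, Text.
SAMPLE_SPLIT_NAMEID = (
    '<Subject xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<NameID>alice@example.org<!-- -->.other.example</NameID>'
    '</Subject>'
)

# Constructed sample with no comment, for comparison.
SAMPLE_CLEAN_NAMEID = (
    '<Subject xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<NameID>alice@example.org.other.example</NameID>'
    '</Subject>'
)

TEXT_TYPES = (Node.TEXT_NODE, Node.CDATA_SECTION_NODE)


def _name_id_element(xml: str) -> minidom.Element:
    doc = minidom.parseString(xml)  # minidom keeps comments by default
    return doc.getElementsByTagName("NameID")[0]


def nameid_first_text_node(xml: str) -> str:
    """Fragile extraction: returns only the first child text node.

    When the parser retains comments, the DOM holds Text, Comment, Text and
    this returns the truncated value, i.e. an identity the IdP never asserted.
    This is the pattern that makes a comment-retaining parser dangerous.
    """
    first = _name_id_element(xml).firstChild
    if first is None or first.nodeType not in TEXT_TYPES:
        return ""
    return first.nodeValue


def nameid_full_text(xml: str) -> str:
    """Hardened extraction: concatenates every text and CDATA child and skips
    comment nodes, so the result does not depend on whether comments were kept.
    """
    children = _name_id_element(xml).childNodes
    return "".join(c.nodeValue for c in children if c.nodeType in TEXT_TYPES)


def nameid_contains_comment(xml: str) -> bool:
    """Detection check: flag any assertion whose NameID carries a comment node.
    A legitimate IdP has no reason to place a comment inside an identifier, so
    this is a cheap signal worth logging or rejecting at the SP boundary.
    """
    children = _name_id_element(xml).childNodes
    return any(c.nodeType == Node.COMMENT_NODE for c in children)


def nameid_extraction_diverges(xml: str) -> bool:
    """True when the fragile and hardened extractions disagree, which is
    exactly the condition under which the SP would act on a wrong identity."""
    return nameid_first_text_node(xml) != nameid_full_text(xml)


if __name__ == "__main__":
    for label, sample in (("split", SAMPLE_SPLIT_NAMEID), ("clean", SAMPLE_CLEAN_NAMEID)):
        print(label, "first-text-node:", nameid_first_text_node(sample))
        print(label, "full-text      :", nameid_full_text(sample))
        print(label, "has comment    :", nameid_contains_comment(sample))
```

The equivalent of ignoring comments at the parser, as the answer recommends, is that the DOM never contains the Comment node in the first place, so even the fragile first-text-node lookup returns the full value; the hardened extractor above is the belt-and-braces measure for code paths that cannot control the parser configuration.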

