
SAML XML Canonicalization vulnerability and ForgeRock products

Last updated Jul 9, 2018

The purpose of this article is to provide information on whether ForgeRock products (AM/OpenAM, DS/OpenDJ, IDM/OpenIDM and IG/OpenIG) are vulnerable to the SAML XML Canonicalization issue.



ForgeRock products

A vulnerability in some implementations of the SAML federation standard was recently disclosed publicly and affects multiple vendors (https://www.kb.cert.org/vuls/id/475445). Incorrect handling of XML canonicalization while verifying the digital signature on a SAML assertion could be used by an attacker to bypass authentication controls. The issue has been assigned multiple CVEs, one per affected vendor implementation:

  • CVE-2017-11427 - OneLogin’s "python-saml"
  • CVE-2017-11428 - OneLogin’s "ruby-saml"
  • CVE-2017-11429 - Clever’s "saml2-js"
  • CVE-2017-11430 - "OmniAuth-SAML"
  • CVE-2018-0489 - Shibboleth openSAML C++

ForgeRock has carefully assessed our implementations of SAML 1.x, SAML2, OAuth2 SAML2 Grant, WS-Federation and the Java Fedlet, and determined that we are not affected by this vulnerability.

More information about the vulnerability can be found on the security researchers' blog post: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
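The construct the researchers describe, as an added illustration that is not ForgeRock code: an XML comment inside the NameID text is dropped by canonicalization, so the signature still verifies over the full string, while a parser that reads only the first text node sees a truncated identity. The SAML fragment is constructed and unsigned, `ET.canonicalize` (C14N 2.0, Python 3.8+) stands in for the exclusive C14N a SAML implementation uses, and the hardened extractor rejects any NameID that is not a single text node.

```python
from xml.dom import minidom
from xml.etree import ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample (not a real assertion, no signature): an XML comment
# splits the NameID text into two DOM text nodes.
SAMPLE = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}">'
    "<saml:Subject>"
    "<saml:NameID>alice@example.com<!-- -->.attacker.example</saml:NameID>"
    "</saml:Subject>"
    "</saml:Assertion>"
)


def _name_id(xml_text):
    """Return the first NameID element of the document (minidom keeps comments)."""
    doc = minidom.parseString(xml_text)
    return doc.getElementsByTagNameNS(SAML_NS, "NameID")[0]


def signed_view(xml_text):
    """What the signature covers: canonicalization without comments joins the
    text, so the digest matches the full string. ElementTree's C14N 2.0 is
    used here as a stand-in for SAML's exclusive C14N (Python 3.8+)."""
    canonical = ET.canonicalize(xml_data=xml_text, with_comments=False)
    return "".join(child.data for child in _name_id(canonical).childNodes)


def naive_name_id(xml_text):
    """The extraction pattern behind the disclosed CVEs: first text node only,
    so everything after a comment is silently ignored."""
    return _name_id(xml_text).firstChild.data


def strict_name_id(xml_text):
    """Hardened extraction: accept a NameID only when its content is exactly
    one text node, so comments or nested nodes can never change what is read."""
    children = _name_id(xml_text).childNodes
    if len(children) != 1 or children[0].nodeType != minidom.Node.TEXT_NODE:
        raise ValueError(
            "NameID must contain a single text node, got %d child nodes" % len(children)
        )
    return children[0].data


if __name__ == "__main__":
    print("signature covers :", signed_view(SAMPLE))
    print("naive extraction :", naive_name_id(SAMPLE))
    try:
        strict_name_id(SAMPLE)
    except ValueError as err:
        print("strict extraction:", err)
```

Running the block prints the two differing views of the same signed element and the rejection from the strict extractor.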



Copyright © 2018 ForgeRock, all rights reserved.