Comment Injection Vulnerability in SAML2

February 28, 2018


Marc Boorshtein

On February 27, 2018 DUO Labs released a paper finding that several SAML2 relying party services and libraries were susceptible to a comment injection attack.  The paper does a good job of explaining the vulnerability, so we will not re-state it here.  Once we read the paper we:

  1. Attempted to validate that the version of OpenSAML that Unison and OpenUnison relies on is not susceptible to this attack
  2. Add test cases to our test suite to try to reproduce this vulnerability

We found through our research and testing that the OpenSAML library is not vulnerable on its own, but that Unison and OpenUnison both showed to be vulnerable.  Once we discovered this vulnerability and had automated tests to check for it we implemented a fix for this issue by stripping out all comments from inbound SAML2 Response XML.  Prior to releasing this fix, we ran it through our extensive set of integration tests that includes testing against other products including Shiboleth,  Microsoft Active Directory Federation Services and Forgerock’s OpenAM.

While this vulnerability is relatively difficult to exploit, we recommend applying this patch as soon as possible.  If using Tremolo Security’s yum repository, simple run updates.  If using one of our containers (either from Docker Hub or from the Red Hat Catalog), please pull the latest versions.