https://www.kb.cert.org/vuls/id/475445 has just been disclosed.

Is this impacting Spring Security SAML2?

I can't see the XML parser used on Spring Security SAML2 on the list of affected APIs.

Let us know.

Mehraj Malik
  • I asked a similar question as a GitHub issue. [Link for reference.](https://github.com/spring-projects/spring-security/issues/5058) No response yet. – nicholas79171 Feb 28 '18 at 15:13

1 Answer

I am the Spring Security project lead and I have verified that the exploit does not work against Spring Security SAML with the default settings. This was verified by a colleague as well.

If you change the default settings (set ignoreComments = false), your application becomes vulnerable.

Update: See https://spring.io/blog/2018/03/01/spring-security-saml-and-this-week-s-saml-vulnerability

Rob Winch
  • See also this GitHub issue in the spring-security-saml project: https://github.com/spring-projects/spring-security-saml/issues/228 – elmuerte Mar 01 '18 at 11:12
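The answer turns on how the XML parser treats comments inside a NameID. The following added example (not code from the question, the answer, or Spring Security; Python's `xml.dom.minidom` stands in for the Java DOM, the `NameID` fragment is constructed, and the function names are hypothetical) shows why reading only the first text node is fragile when comments are preserved, and two defensive ways to read the value.

```python
import xml.dom.minidom as minidom

# Constructed sample (not from the page): a NameID whose character data is
# interrupted by an XML comment, so the DOM holds two text nodes around it.
SAMPLE_NAMEID = (
    '<NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
    'alice@example.com<!-- comment -->.corp</NameID>'
)


def first_text_node(xml_text: str) -> str:
    """Fragile pattern: return only the first child text node.

    With comments preserved by the parser, the comment splits the character
    data and everything after it is silently dropped.
    """
    doc = minidom.parseString(xml_text)
    return doc.documentElement.firstChild.data


def all_text_nodes(xml_text: str) -> str:
    """Defensive reading equivalent to ignoring comments: concatenate every
    text/CDATA child so the comment cannot truncate the value."""
    doc = minidom.parseString(xml_text)
    return "".join(
        child.data
        for child in doc.documentElement.childNodes
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE)
    )


def strict_name_id(xml_text: str) -> str:
    """Stricter reading: refuse a NameID that contains anything other than
    text, since a comment inside an identifier is never legitimate here."""
    doc = minidom.parseString(xml_text)
    parts = []
    for child in doc.documentElement.childNodes:
        if child.nodeType not in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            raise ValueError(f"unexpected node inside NameID: {child.nodeName}")
        parts.append(child.data)
    return "".join(parts)


if __name__ == "__main__":
    print("first text node only:", first_text_node(SAMPLE_NAMEID))
    print("all text nodes:      ", all_text_nodes(SAMPLE_NAMEID))
```

Run it to see the first function return a shorter identifier than the second for the same fragment; `strict_name_id` rejects the fragment outright.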