[keycloak-user] Is KeyCloak SAML vulnerable to the c14n exploit?

Hynek Mlnarik hmlnarik at redhat.com
Tue Apr 24 02:54:24 EDT 2018


No, Keycloak is not vulnerable to this exploit.

On Mon, Apr 16, 2018 at 6:24 PM, Jason Spittel <jasonspittel at yahoo.com>
wrote:

> Hello,
> I was alerted to this exploit, and was wondering if Keycloak, acting as an
> SP in a SAML authentication workflow, is vulnerable to it.
> https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
>
>
> Briefly, if a comment is put into an XML value, some parsers seem to stop
> parsing during canonicalization so that these two values are equivalent and
> equally valid for the same dsig:
> user@domain.com
> user@domain.com<!--and this breaks parsing-->.hackers.net
> Would it basically come down to if the parsers that Keycloak is using for
> SAML are vulnerable? Which look to be the javax.xml.stream parsers. Is that
> correct?
> Thanks,
> Jason




-- 

--Hynek
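
Added example, not part of the original thread and not Keycloak's code: a javax.xml.stream reader run over the NameID value quoted in the question, contrasting a read that stops at the first text event with one that collects the whole element text, plus a strict check for embedded comments. The class and method names are hypothetical and the XML string is constructed from the value in the question.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class NameIdCommentDemo {
    // Constructed sample: the NameID value quoted in the question above.
    static final String XML =
        "<NameID>user@domain.com<!--and this breaks parsing-->.hackers.net</NameID>";

    // Open a reader positioned on the <NameID> start tag.
    static XMLStreamReader atNameId() throws XMLStreamException {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // SAML messages need neither DTDs nor external entities; disable both.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(XML));
        while (r.next() != XMLStreamConstants.START_ELEMENT) { /* skip to <NameID> */ }
        return r;
    }

    // Fragile: uses only the first CHARACTERS event, which ends where the comment starts.
    static String firstTextEventOnly() throws XMLStreamException {
        XMLStreamReader r = atNameId();
        return r.next() == XMLStreamConstants.CHARACTERS ? r.getText() : "";
    }

    // Robust: getElementText() skips comments and concatenates all character data.
    static String wholeElementText() throws XMLStreamException {
        return atNameId().getElementText();
    }

    // Strict: report any comment inside the element so the message can be rejected.
    // Assumes a text-only element with no child elements, as in the sample.
    static boolean containsComment() throws XMLStreamException {
        XMLStreamReader r = atNameId();
        for (int e = r.next(); e != XMLStreamConstants.END_ELEMENT; e = r.next()) {
            if (e == XMLStreamConstants.COMMENT) return true;
        }
        return false;
    }

    public static void main(String[] args) throws XMLStreamException {
        System.out.println("first text event only: " + firstTextEventOnly());
        System.out.println("whole element text:    " + wholeElementText());
        System.out.println("comment present:       " + containsComment());
    }
}
```

The value a service provider acts on should be the one from the whole-element read, since that is the text the signature covers once comments are stripped by canonicalization.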

