Hello,
I was alerted to this exploit, and was wondering if Keycloak, acting as an SP in a SAML
authentication workflow, is vulnerable to it.
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-im...
Briefly, if a comment is put into an XML value, some parsers seem to stop parsing during
canonicalization so that these two values are equivalent and equally valid for the same
dsig:
user@domain.com
user@domain.com<!--and this breaks parsing-->.hackers.net
Would it basically come down to whether the parsers that Keycloak is using for SAML are
vulnerable? Those look to be the javax.xml.stream parsers. Is that correct?
Thanks,
Jason
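
An added example, not part of the original message and not Keycloak's code: it shows how a javax.xml.stream reader reports the text on either side of a comment as separate events, and how reading the whole element text or rejecting embedded comments avoids acting on a truncated value. The NameID element name, the class and method names, and the sample string are assumptions constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class NameIdCommentCheck {
    // Constructed sample: the second value from the message, wrapped in an assumed element.
    static final String SAMPLE =
        "<NameID>user@domain.com<!--and this breaks parsing-->.hackers.net</NameID>";

    // Open a StAX reader with DTDs and external entities disabled, positioned on the root element.
    static XMLStreamReader open(String xml) throws XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        reader.nextTag();
        return reader;
    }

    // Fragile pattern: use only the first text event after the start tag.
    // Anything after an embedded comment is silently dropped.
    static String firstTextOnly(String xml) throws XMLStreamException {
        XMLStreamReader reader = open(xml);
        return reader.next() == XMLStreamConstants.CHARACTERS ? reader.getText() : "";
    }

    // Robust pattern: getElementText() concatenates every text event up to the
    // end tag and skips comments, so the application sees the full value.
    static String wholeText(String xml) throws XMLStreamException {
        return open(xml).getElementText();
    }

    // Strict pattern: report whether any comment occurs, so the caller can reject the input.
    static boolean containsComment(String xml) throws XMLStreamException {
        XMLStreamReader reader = open(xml);
        while (reader.hasNext()) {
            if (reader.next() == XMLStreamConstants.COMMENT) return true;
        }
        return false;
    }

    public static void main(String[] args) throws XMLStreamException {
        System.out.println("first text event only: " + firstTextOnly(SAMPLE));
        System.out.println("whole element text:    " + wholeText(SAMPLE));
        System.out.println("contains a comment:    " + containsComment(SAMPLE));
    }
}
```

If the first two printed values differ for an identity-bearing element, the code consuming the parser is reading a truncated value and should switch to the whole-text or reject-on-comment pattern.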