[keycloak-user] Is KeyCloak SAML vulnerable to the c14n exploit?

Jason Spittel jasonspittel at yahoo.com
Mon Apr 16 12:24:06 EDT 2018


Hello,
I was alerted to this exploit, and was wondering if Keycloak, acting as an SP in a SAML authentication workflow, is vulnerable to it.
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations


Briefly, if a comment is put into an XML value, some parsers seem to stop parsing during canonicalization so that these two values are equivalent and equally valid for the same dsig:

user@domain.com
user@domain.com<!--and this breaks parsing-->.hackers.net

Would it basically come down to whether the parsers that Keycloak is using for SAML are vulnerable? Those look to be the javax.xml.stream parsers. Is that correct?
Thanks,
Jason
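
Added example (not part of the original message and not Keycloak's code): how a javax.xml.stream reader reports the value quoted above, depending on how the caller reads it. The class name, method names and the bare NameID element are assumptions made for illustration; the sample input is constructed from the value in the message.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class NameIdCommentDemo {
    // Constructed sample: a text-only element whose value is split by a comment.
    static final String SAMPLE =
        "<NameID>user@domain.com<!--and this breaks parsing-->.hackers.net</NameID>";

    // Open a hardened reader (no DTDs, no external entities) positioned on the start tag.
    static XMLStreamReader open(String xml) throws XMLStreamException {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        while (r.next() != XMLStreamConstants.START_ELEMENT) { /* skip prolog */ }
        return r;
    }

    // Fragile pattern: use only the first CHARACTERS event after the start tag.
    // The COMMENT event ends that run of text, so the rest of the value is lost.
    static String firstTextEvent(String xml) throws XMLStreamException {
        XMLStreamReader r = open(xml);
        return r.next() == XMLStreamConstants.CHARACTERS ? r.getText() : "";
    }

    // Robust pattern: getElementText() concatenates every text event up to the
    // end tag and skips comments and processing instructions.
    static String fullText(String xml) throws XMLStreamException {
        return open(xml).getElementText();
    }

    // Strict check for a text-only element: report any comment inside it, so
    // the caller can reject the assertion instead of interpreting it.
    static boolean hasComment(String xml) throws XMLStreamException {
        XMLStreamReader r = open(xml);
        for (int ev = r.next(); ev != XMLStreamConstants.END_ELEMENT; ev = r.next()) {
            if (ev == XMLStreamConstants.COMMENT) return true;
        }
        return false;
    }

    public static void main(String[] args) throws XMLStreamException {
        System.out.println("first text event : " + firstTextEvent(SAMPLE));
        System.out.println("getElementText() : " + fullText(SAMPLE));
        System.out.println("comment present  : " + hasComment(SAMPLE));
    }
}
```

Whether a given SP is exposed depends on which of these reading patterns its own SAML code uses, so the check is to find where the NameID and attribute values are extracted and confirm they use the full text of the element.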

