Check your Spring Security SAML config - XXE security issue

Engineering | Rob Winch | August 24, 2016 | ...

It was brought to our attention that the spring-security-saml sample application contained an XML External Entity (XXE) vulnerability. This meant that a malicious user could view any file that the Spring Application’s process had access to.

The issue was a direct result of OpenSAML Java ParserPool and Decrypter Vulnerable To XML Attacks. The default behavior of the ParserPool implementations is fixed in OpenSAML 2.6.1+ (which Spring Security SAML uses). However, the vulnerability is still possible if users construct their own ParserPool without the proper settings.

Note

We did not consider this a CVE because the exploit was only found in the sample application which is not considered production code. However, we expect that our users may have copied this code to create their own applications. For this reason, we wanted to be transparent and communicate the issue and the fix.

The Fix

The sample application has been fixed in 925c892 by removing the customizations to the ParserPool.

Users should ensure that any applications using OpenSAML have been fixed according to the Recommendations section within the OpenSAML Security Advisory. Commit 925c892 can be used as a model of one way of conforming to the Recommendations section.

Additional Information

Credit

This issue was responsibly disclosed by Max Justicz and Nick Freeman of Bishop Fox (https://www.bishopfox.com).

Get the Spring newsletter

Stay connected with the Spring newsletter

Subscribe

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all