Uploaded image for project: 'WSO2 Identity Server'
  1. WSO2 Identity Server
  2. IDENTITY-3192

Possible XML External Entity (XEE) attack in the federated SAML2 SSO authentication flow

    Details

    • Type: Security Vulnerability
    • Status: Resolved
    • Priority: Highest
    • Resolution: Fixed
    • Affects Version/s: 5.0.0-GA
    • Fix Version/s: 5.0.0-GA
    • Labels:
      None
    • Severity:
      Blocker
    • Estimated Complexity:
      Moderate
    • Test cases added:
      Yes

      Description

      CVE-2015-0027

      OVERVIEW
      WSO2 Identity Server 5.0.0 is vulnerable to XML External Entity (XEE) attack in the federated SAML2 SSO authentication flow which can be carried out by modifying the SAMLRequest or SAMLResponse parameters

      Severity: CRITICAL - Patch Immediately.

      None of the Identity Server releases done prior to IS 5.0.0 or any other WSO2 products are vulnerable.

      IMPACT
      This attack may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the machine where the parser is located, and other system impacts.

      SOLUTION
      Apply the following patches. Follow the instructions in the README file under the patch.

      Note:
      Make sure to apply IS 5.0.0 Service Pack 1 (WSO2-IS-5.0.0-SP01) before applying this security patch.

      1) WSO2-CARBON-PATCH-4.2.0-1194

      ACKNOWLEDGEMENT
      WSO2 thanks Wolfgang Ettlinger (discovery, analysis, coordination) from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) for responsibly reporting the identified issues and working with us as we addressed them.

        Attachments

          Activity

            People

            • Assignee:
              johann@wso2.com Johann Nallathamby
              Reporter:
              johann@wso2.com Johann Nallathamby
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: